His last name is sudo...





  • And it is supposed to be something fun with it or something, right?



  • And it only costs 0.75$ for 224 pages. Deal!



  • Probably just a pen-name anyway.





  • @GuntherVB said:

    And it only costs 0.75$ for 224 pages. Deal!

     Those are the used copies. The full price looks to be $8.89

     

    Also not seeing the WTF. Clever pen names are quite common.
     



  • It's not a pen name. He's japanese.

    http://www.maui.net/~zen_gtr/author.html



  • @Pap said:

    It's not a pen name. He's japanese.

    And it's a relatively common name. Why are we even having this discussion? None of this thread makes any sense. 





  • So here's a question:  WTF or good security?

    Rather than login as root, I've given myself full sudo priveleges, so I can type

    sudo su

    then type in my own password.  I feel it's more secure than logging in as root because the root priveleges can be revoked for any user by changing who can SUDO.  If I was letting people login as root, then I'd have to change the password for root and distribute it to those who still can use it.

     



  • sudo -i seems to have the same effect, as would sudo $any_shell, or (I think) sudo to programs that allow escaping to a shell. So I don't think the monitoring capabilities of sudo can be considered a real security feature unless you combine that with allowing only whitelisted commands.

    There is presumably a way to get a root (or any) shell that logs all commands, or even all commands, input and output.
     



  • @m0ffx said:

    So I don't think the monitoring capabilities of sudo can be considered a real security feature unless you combine that with allowing only whitelisted commands.

    Actually, you merely have to hook up syslog so that root can't tamper with logs. The traditional (in the sense of "more than 20 years old") and simplest way to do this is to configure it to use the syslog network protocol to deliver the messages to another box.

    Although I don't see what that has to do with anything. This thread is nuts. 



  • OK, so the guy's last name is sudo.  And there is a Linux sudo command.

    I'm still not getting what is amusing, funny, or interesting about this post.



  • I dunno if your answers are going over my head or what.  Basically I'm wondering whether what I've suggested is more secure than giving out the root password or just seems like it is.



  • @asuffield said:

    @m0ffx said:

    So I don't think the monitoring capabilities of sudo can be considered a real security feature unless you combine that with allowing only whitelisted commands.

    Actually, you merely have to hook up syslog so that root can't tamper with logs. The traditional (in the sense of "more than 20 years old") and simplest way to do this is to configure it to use the syslog network protocol to deliver the messages to another box.

    Although I don't see what that has to do with anything. This thread is nuts. 

    OK, maybe I was a bit vague. What I'm saying is, sudo monitors every command, and you've said it's fully possible to preventing log tampering by local root. But if a user does sudo bash or whatever, then what they then do in that bash shell is NOT monitored, right?



  • @belgariontheking said:

    I dunno if your answers are going over my head or what.  Basically I'm wondering whether what I've suggested is more secure than giving out the root password or just seems like it is.

    It is, and it's the single reason why everybody should be using sudo instead of su. A password known by more than one person is a security failure. There are no conditions under which this is not the wrong thing to do.

    I make a point of not having root passwords on any servers I admin. 



  • @m0ffx said:

    Probably just a pen-name anyway.

    I see what you did there. :)



  • @asuffield said:

    @belgariontheking said:

    I dunno if your answers are going over my head or what.  Basically I'm wondering whether what I've suggested is more secure than giving out the root password or just seems like it is.

    It is, and it's the single reason why everybody should be using sudo instead of su. A password known by more than one person is a security failure. There are no conditions under which this is not the wrong thing to do.

    I make a point of not having root passwords on any servers I admin. 

    Do you mean a root password or a password in general?  Cuz if it's the first one, I can second that.

    If it's the second one, I can say only that it's annoying.  I'm sure we've all used functional logins for various applications.  We use one for three different applications and I can never tell who's done what!  Not to mention that I have no idea who will be able to do what in the future.  I'd like to customize some things in UNIX to myself, but my changes (like using bash instead of ksh) affect everyone, so I can't. 



  • @belgariontheking said:

    @asuffield said:

    @belgariontheking said:

    I dunno if your answers are going over my head or what.  Basically I'm wondering whether what I've suggested is more secure than giving out the root password or just seems like it is.

    It is, and it's the single reason why everybody should be using sudo instead of su. A password known by more than one person is a security failure. There are no conditions under which this is not the wrong thing to do.

    I make a point of not having root passwords on any servers I admin. 

    Do you mean a root password or a password in general?  Cuz if it's the first one, I can second that.

    If it's the second one, I can say only that it's annoying.  I'm sure we've all used functional logins for various applications.  We use one for three different applications and I can never tell who's done what!  Not to mention that I have no idea who will be able to do what in the future.  I'd like to customize some things in UNIX to myself, but my changes (like using bash instead of ksh) affect everyone, so I can't. 

    Both. I have no idea why you think this would be necessary for any particular applications, but there is always a better way. Unix was designed right from the start to not require this kind of braindamage. You have found some of the ancillary issues, but fundamentally it's a security flaw. One of the many important rules of security is: "Two people can keep a secret when one of them is dead".



  • @asuffield said:

    One of the many important rules of security is: "Two people can keep a secret when one of them is dead".

    You sysadmin a certain Italian family-owned operation?



  • @dhromed said:

    @asuffield said:

    One of the many important rules of security is: "Two people can keep a secret when one of them is dead".

    You sysadmin a certain Italian family-owned operation?

    It is a good rule. It has many applications. 



  • su su sudo

     

    apologies to Phil Collins 



  • @Irrelevant said:

    @wittgenstein said:
    http://www.amazon.com/Zen-Computer-Philip-Toshio-Sudo/dp/0684854090/ref=sr_1_5?ie=UTF8&s=books&qid=1195774712&sr=8-5
    TRWTF is Amazon's stupidly long URLs. Its short ones, OTOH, are quite handy: http://www.amazon.com/dp/0684854090/


    Since the "title" part is totally irrelevant, it does provide you a way to play pranks and lie
    about what product the link will send you too. http://www.amazon.com/Ethel-The-Aardvark-Goes-Quantity-Surveying/dp/0684854090/



  • @SuperousOxide said:

    Since the "title" part is totally irrelevant, it does provide you a way to play pranks and lie
    about what product the link will send you too. http://www.amazon.com/Ethel-The-Aardvark-Goes-Quantity-Surveying/dp/0684854090/


    Thank you for that insightful tibit. I wasn't aware of that.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.