[GRLUG] Distro's - was GRLUG test comment

Alan ajabma at chartermi.net
Fri May 5 00:37:39 EDT 2006


Man!
It's time we had a real meeting!
At a bar, With WiFi.
We could drink, fight over distros, get loud and have a good time.
Maybe even convert a waitress or two.

On Friday 05 May 2006 12:11 am, Tim Schmidt wrote:
> On 5/4/06, Raymond McLaughlin <driveray at ameritech.net> wrote:
> > In this scheme it seems that user Admin (actually, caps in user name is
> > commonly frowned upon, but ...)
>
> yeah yeah...  thanks for the lesson.  There's such a thing as
> simplification for clarity (such as naming the user admin rather than
> a more typical name and attempting to explain that they function as a
> local administrator).
>
> > can sudo *any* command. Basically any user who can 'sudo
> > bash' can then run everything else as root from then on. So in this case
> > brute forcing Admin's password is as good as brute forcing root.
>
> Yup.  Any user with sudo rights to a shell or similar (an editor with
> command escapes, etc.) can abuse that right to execute arbitrary
> commands.  That's why the policy is deny by default.
>
> As far as breaking admin's account, sure.  It's no worse than a
> seperate root account with a password in that respect.
>
> > If no one is actually named 'admin', guessing which user to brute force
> > on a basic Ubuntu system is simple. If you "ls -n /home" and go for the
> > user with the lowest uid you'd probably guess right.
>
> Good call.
>
> > Of course a with a more elaborate, custom config, sudo can be used to
> > dole out more fine grained priveleges. But you could do that with or
> > without a root login.
>
> Sure.  In the same spirit, you can successfully admin a machine
> without a root login.  One less password to guess, one less possible
> vector.
>
> > So it seems to me that a scheme that allows any given user the power to
> > sudo *anything* is more about cultivating prudent habits than security
> > per se.
>
> Hmmm...  Ubuntu allows one user to sudo anything.  So I'm not sure
> where you got the any given user part...  However, cultivating prudent
> habits is 9/10 of the battle.  It's much easier to discourage use of
> the root account if it's completely disabled.
>
> > Sorry if I misunderstood your discussion.
>
> I'm just trying to correct a few people's misconception (that sudo is
> somehow less secure than using root and su).
>
> --tim
> _______________________________________________
> grlug mailing list
> grlug at grlug.org
> http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug


More information about the grlug mailing list