Re: Update to /etc/sudoers disables wheel users!!!
On 10/26/22 12:22 PM, Neil Bothwick wrote:
> You need to be root to write to /etc/sudoers.d. If someone has that
> access, you are already doomed!

And what happens if someone uses the existing root-via-sudo access to
break sudo?

You lose root-via-sudo access.

Someone could become root, via sudo, edit the sudoers file without using
visudo, introduce a syntax problem, thereby breaking sudo (fail secure).

You could easily do this to yourself if you don't follow best practices.



--
Grant. . . .
unix || die
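As an added example (not code from this thread, from sudo or from Gentoo), here is the guarded install that avoids the self-inflicted lock-out described above: the fragment is copied under a temporary name, syntax-checked with `visudo -c -f` on that copy, and only then renamed into place. It also refuses names that sudo silently skips in /etc/sudoers.d (names containing a '.' or ending in '~'). It assumes a POSIX sh, a mktemp that accepts a path template and visudo on PATH; the optional directory argument exists only so it can be exercised outside /etc/sudoers.d. What it cannot catch is a fragment that parses fine but grants the wrong thing, which is why the su/root-password fallback discussed later in the thread still matters.

```shell
#!/bin/sh
# Added example for this thread, not code from sudo or Gentoo.
# Installs a /etc/sudoers.d fragment only after the same syntax check
# visudo would apply, so a typo cannot break sudo for everyone.
# Assumes: POSIX sh, mktemp accepting a path template, visudo on PATH.

# sudo ignores entries in /etc/sudoers.d whose name contains '.' or ends
# in '~' (editor backups, package manager leftovers).  Refuse such names
# up front instead of installing a file that is never read.
sudoers_d_name_ok() {
    case "$1" in
        ''|*/*|*.*|*~) return 1 ;;
        *)             return 0 ;;
    esac
}

# sudoers_fragment_ok FILE: syntax-check one fragment in isolation.
# With -f, visudo parses the named file instead of /etc/sudoers and does
# not inspect its owner/mode, so this works on a temp file as any user.
# Parser complaints still go to stderr; only "parsed OK" is silenced.
sudoers_fragment_ok() {
    visudo -c -f "$1" >/dev/null
}

# install_sudoers_fragment SRC NAME [DIR]
# Copies SRC to DIR/NAME (DIR defaults to /etc/sudoers.d).  The copy is
# checked under a temporary name that sudo ignores (it contains a '.'),
# then renamed into place, so sudo never sees a half-written or broken
# file.  Returns 1 and installs nothing if any step fails.
install_sudoers_fragment() {
    src=$1; name=$2; dir=${3:-/etc/sudoers.d}
    if ! sudoers_d_name_ok "$name"; then
        echo "refusing '$name': sudo would skip a file with that name" >&2
        return 1
    fi
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    if ! cp "$src" "$tmp" || ! chmod 0440 "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! sudoers_fragment_ok "$tmp"; then
        echo "syntax error in $src, nothing installed" >&2
        rm -f "$tmp"; return 1
    fi
    mv -f "$tmp" "$dir/$name"
}

# Usage (as root):  install_sudoers_fragment ./wheel-admins zzzzzzz
# then confirm the whole live config still parses:  visudo -c
```

Run `visudo -c` afterwards anyway: the fragment check only proves the new file parses on its own, not that the combined /etc/sudoers plus /etc/sudoers.d still says what you intend.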
Re: Update to /etc/sudoers disables wheel users!!!
On 10/26/22 12:35 PM, Jack wrote:
> Could you not interrupt  grup and append "single" or "init=/bin/bash" to
> the kernel command line?

Maybe.

It will depend on how complex your configuration is.

I don't remember if Gentoo requires root's password when entering single
user mode or not. (I've not tested it in a long time.)

Invoking Bash (or any shell) as init may not work as desired if your
system configuration is complex and needs fancier things (modules /
network resources / etc) during normal init.

My 20 years' worth of experience is to have a root password set so that
you can fix this more directly and more reliably.

Ideally, as soon as you learn that sudo is not working as desired, use
su -- using root's password -- and revert the recent sudo change.



--
Grant. . . .
unix || die
Re: Update to /etc/sudoers disables wheel users!!!
On Wed, 26 Oct 2022 20:38:35 +0200, Ramon Fischer wrote:

> I thought in a too complicated way.
>
> Why not just remove the entry from "/etc/sudoers.d/zzzzzzz", while
> being in a "chroot"?

Still too complicated. Just mount the root partition from a live USB and
delete the file. No need for a chroot.


--
Neil Bothwick

Facts are stubborn, but statistics are more pliable
Re: Update to /etc/sudoers disables wheel users!!!
On Wed, 26 Oct 2022 13:28:49 -0600, Grant Taylor wrote:

> > You need to be root to write to /etc/sudoers.d. If someone has that
> > access, you are already doomed!
>
> And what happens if someone uses the existing root-via-sudo access to
> break sudo?

So they have root access, nothing has changed. How they get root access
is irrelevant, just that they have it.


--
Neil Bothwick

A positive attitude may not solve all your problems, but it will annoy
enough people to make it worth the effort.
Re: Update to /etc/sudoers disables wheel users!!!
Rich Freeman wrote:
> If you use an x11-based merge tool then it will also refuse to attempt
> an automatic
> merge if X11 isn't available. (Obviously you can't actually run the
> manual merge if the tool uses X11 and that isn't available.)
>
>

I'd like to try a GUI based tool.  Is that what you are talking about?  If
so, name or what package has it?

Thanks.

Dale

:-)  :-) 
Re: Update to /etc/sudoers disables wheel users!!!
On 10/26/22 2:08 PM, Neil Bothwick wrote:
> So they have root access, nothing has changed. How they get root
> access is irrelevant, just that they have it.

No, how they get root access is not irrelevant.

If your only access to root is via sudo and you break sudo you no longer
have root access.

If you don't have root access through something other than sudo, you
can't fix your sudo (from your existing system).



--
Grant. . . .
unix || die
Re: Update to /etc/sudoers disables wheel users!!!
On Wed, 26 Oct 2022 14:17:30 -0600, Grant Taylor wrote:

> On 10/26/22 2:08 PM, Neil Bothwick wrote:
> > So they have root access, nothing has changed. How they get root
> > access is irrelevant, just that they have it.
>
> No, how they get root access is not irrelevant.
>
> If your only access to root is via sudo and you break sudo you no
> longer have root access.
>
> If you don't have root access through something other than sudo, you
> can't fix your sudo (from your existing system).

They and you are different people. You are looking at it from the
perspective of a user accidentally locking themself out of the system, so
su is the best way to be able to fix it. I agree with you there. I was
looking at it from the perspective of a third party changing sudo right
without your consent. We were at cross purposes.


--
Neil Bothwick

"We can't solve problems by using the same kind of thinking we used when
we created them." (Albert Einstein)
Re: Update to /etc/sudoers disables wheel users!!!
On 2022-10-26, Dale <rdalek1967@gmail.com> wrote:
> Rich Freeman wrote:
>> If you use an x11-based merge tool then it will also refuse to attempt
>> an automatic
>> merge if X11 isn't available. (Obviously you can't actually run the
>> manual merge if the tool uses X11 and that isn't available.)
>>
>>
>
> I'd like to try a GUI based tool.  Is that what you are talking about?  If
> so, name or what package has it?

At one point, I had one of my systems configured to use "meld" when I
picked "interactive merge" in the etc-update menu, but I've since gone
back to just picking "show differences" in the etc-update menu, then
manually running merge on the two filenames shown. With the
interactive merge option, I was always a bit confused about which file
was the destination and what happened after I exited meld.

--
Grant
Re: Update to /etc/sudoers disables wheel users!!!
Ah, of course!

Why was I thinking of a chroot?

Maybe because of reading "grup/grub" a few e-mails before and thinking
of "grub-mkconfig"...

-Ramon

On 26/10/2022 22:06, Neil Bothwick wrote:
> On Wed, 26 Oct 2022 20:38:35 +0200, Ramon Fischer wrote:
>
>> I thought in a too complicated way.
>>
>> Why not just remove the entry from "/etc/sudoers.d/zzzzzzz", while
>> being in a "chroot"?
> Still too complicated. Just mount the root partition from a live USB and
> delete the file. No need for a chroot.
>
>

--
GPG public key: 5983 98DA 5F4D A464 38FD CF87 155B E264 13E6 99BF
Re: Update to /etc/sudoers disables wheel users!!!
On 10/26/22 3:13 PM, Neil Bothwick wrote:
> They and you are different people. You are looking at it from the
> perspective of a user accidentally locking themself out of the system,
> so su is the best way to be able to fix it. I agree with you there. I
> was looking at it from the perspective of a third party changing sudo
> right without your consent. We were at cross purposes.

ACK

Thank you for clarifying.



--
Grant. . . .
unix || die
Re: Update to /etc/sudoers disables wheel users!!!
On 10/26/22 3:27 PM, Ramon Fischer wrote:
> Why was I thinking of a chroot?
>
> Maybe because of reading "grup/grub" a few e-mails before and thinking
> of "grub-mkconfig"...

Or maybe because entering a chroot is such a prominent thing to do when
booting off of Gentoo media to do an installation that it's largely
habitual for some of us. ;-)



--
Grant. . . .
unix || die
Re: Update to /etc/sudoers disables wheel users!!!
I have created an issue at their Git repository. Maybe there will be a
solution for this:

https://github.com/sudo-project/sudo/issues/190

-Ramon

On 26/10/2022 21:28, Grant Taylor wrote:
> On 10/26/22 12:22 PM, Neil Bothwick wrote:
>> You need to be root to write to /etc/sudoers.d. If someone has that
>> access, you are already doomed!
>
> And what happens if someone uses the existing root-via-sudo access to
> break sudo?
>
> You lose root-via-sudo access.
>
> Someone could become root, via sudo, edit the sudoers file without
> using visudo, introduce a syntax problem, thereby breaking sudo (fail
> secure).
>
> You could easily do this to yourself if you don't follow best practices.
>
>
>

--
GPG public key: 5983 98DA 5F4D A464 38FD CF87 155B E264 13E6 99BF
Re: Re: Update to /etc/sudoers disables wheel users!!!
Grant Edwards wrote:
> On 2022-10-26, Dale <rdalek1967@gmail.com> wrote:
>> Rich Freeman wrote:
>>> If you use an x11-based merge tool then it will also refuse to attempt
>>> an automatic
>>> merge if X11 isn't available. (Obviously you can't actually run the
>>> manual merge if the tool uses X11 and that isn't available.)
>>>
>>>
>> I'd like to try a GUI based tool.  Is that what you are talking about?  If
>> so, name or what package has it?
> At one point, I had one of my systems configured to use "meld" when I
> picked "interactive merge" in the etc-update menu, but I've since gone
> back to just picking "show differences" in the etc-update menu, then
> manually running merge on the two filenames shown. With the
> interactive merge option, I was always a bit confused about which file
> was the destination and what happened after I exited meld.
>
> --
> Grant

I've tried etc-update and dispatch-conf and I can't figure out either
one of them when it comes to merging.  I'd like a GUI tool where I can
click the one I want to keep with my rodent and then save.  Like you, I
get confused trying to select things and then have no idea if I'm about
to royally screw something up.  I end up doing a ctrl c, restarting
update tool and zapping the new file and praying that didn't break
anything either. 

I have the default settings so there may be a better way but I just
don't know what.  I sometimes wish there was a video showing different
methods of managing config files and me picking what makes sense to me. 

I might add, a good while back I started doing updates in a chroot and
then using -k on my main system.  Since then, I don't see config updates
hardly at all.  I wonder if building in a chroot affects that. 

Dale

:-)  :-) 
Re: Update to /etc/sudoers disables wheel users!!!
On 10/26/22 3:48 PM, Ramon Fischer wrote:
> I have created an issue at their Git repository. Maybe there will be a
> solution for this:
>
>    https://github.com/sudo-project/sudo/issues/190

I ... don't know where to begin.

There are so many ways that you can hurt yourself with syntactically
valid sudoers that it's not even funny.

You could allow list almost all commands, without using the special ALL
place holder and then remark critical commands and end up in a very
similar situation.

At some point we have to trust that Systems Administrators / Sudoers
editors know what they are doing and let them do so.



--
Grant. . . .
unix || die
Re: Re: Update to /etc/sudoers disables wheel users!!!
On Wed, Oct 26, 2022 at 5:26 PM Grant Edwards <grant.b.edwards@gmail.com> wrote:
>
> On 2022-10-26, Dale <rdalek1967@gmail.com> wrote:
> > Rich Freeman wrote:
> >> If you use an x11-based merge tool then it will also refuse to attempt
> >> an automatic
> >> merge if X11 isn't available. (Obviously you can't actually run the
> >> manual merge if the tool uses X11 and that isn't available.)
> >>
> >>
> >
> > I'd like to try a GUI based tool. Is that what you are talking about? If
> > so, name or what package has it?
>
> At one point, I had one of my systems configured to use "meld" when I
> picked "interactive merge" in the etc-update menu, but I've since gone
> back to just picking "show differences" in the etc-update menu, then
> manually running merge on the two filenames shown. With the
> interactive merge option, I was always a bit confused about which file
> was the destination and what happened after I exited meld.
>

I use cfg-update+meld. It can use any 3-way diff/edit tool, but there
aren't many of those.

I believe the three panels show:
Left: the current config file
Right: the new packaged config file
Center: what the packaged config file was the last time you did an update

So Left vs Center shows you what changes you've made vs upstream, and
center vs right show you what changes upstream made to their file. So
you would look for differences on the right side to see what needs
attention in the file, and then work those changes if appropriate into
the left file.

You just edit the left file to get it the way you want it and save
that, and then cfg-update captures the changes in RCS.

--
Rich
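As an added example (not code from cfg-update, meld or this thread), the same three-way layout done with diff3(1) from GNU diffutils: the current file, the copy that was packaged last time, and the newly packaged copy. The three sample sudoers versions are constructed here: locally the `%wheel` line was uncommented, and upstream added a `Defaults` line (merges cleanly); in a second variant upstream also rewrote the `%wheel` line, which diff3 refuses to decide and leaves bracketed for the admin. Nothing is written to a live file; the merged text is printed so it can be reviewed and then checked with `visudo -c -f` before it replaces anything.

```shell
#!/bin/sh
# Added example, not code from cfg-update or this thread.
# Three-way merge of a packaged config with diff3(1), using the three
# versions cfg-update shows: current file, previously packaged copy,
# newly packaged copy.  Assumes GNU diffutils (diff3 with -m and -L).

# merge_config CURRENT OLD_PACKAGED NEW_PACKAGED
# Prints the merged file to stdout.  Exit status is diff3's: 0 = clean
# merge, 1 = conflicts bracketed by <<<<<<< / ||||||| / ======= / >>>>>>>,
# 2 = diff3 could not run.  Never touches the live file.
merge_config() {
    diff3 -m -L current -L old-packaged -L new-packaged "$1" "$2" "$3"
}

# write_samples DIR: constructed sudoers versions for the demo (not real
# Gentoo files).  Locally the %wheel line was uncommented; upstream added
# a Defaults line in new-packaged and, in new-packaged-conflict, also
# rewrote the %wheel line so both sides touch the same line.
write_samples() {
    dir=$1
    cat > "$dir/old-packaged" <<'EOF'
## sample sudoers (constructed for this example)
Defaults env_reset
Defaults mail_badpass
## User privilege specification
root ALL=(ALL:ALL) ALL
## Uncomment to let members of group wheel run any command
# %wheel ALL=(ALL:ALL) ALL
EOF
    # local change: the admin uncommented the wheel rule
    sed 's/^# %wheel/%wheel/' "$dir/old-packaged" > "$dir/current"
    # upstream change: a new Defaults line, wheel rule untouched
    cat > "$dir/new-packaged" <<'EOF'
## sample sudoers (constructed for this example)
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
## User privilege specification
root ALL=(ALL:ALL) ALL
## Uncomment to let members of group wheel run any command
# %wheel ALL=(ALL:ALL) ALL
EOF
    # upstream change that collides with the local one
    sed 's/^# %wheel ALL=(ALL:ALL) ALL$/# %wheel ALL=(ALL) ALL/' \
        "$dir/new-packaged" > "$dir/new-packaged-conflict"
}

# Usage:
#   d=$(mktemp -d); write_samples "$d"
#   merge_config "$d/current" "$d/old-packaged" "$d/new-packaged" > merged
#   merge_config "$d/current" "$d/old-packaged" "$d/new-packaged-conflict"
```

Read the result the way Rich describes the panels: old-packaged versus current is what you changed, old-packaged versus new-packaged is what upstream changed, and diff3 only folds both in automatically where the two edits do not overlap.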
Re: Re: Update to /etc/sudoers disables wheel users!!!
Do you also use "vim" from time to time?

Because it is also able to compare two (or more?) files, similar to
"sdiff":

$ vi -d file1 file2

or:

$ vi file1
:diffthis
:vsplit
CTRL+w + right arrow key
:e file2
:diffthis

-Ramon

On 27/10/2022 00:44, Dale wrote:
> I'd like a GUI tool where I can
> click the one I want to keep with my rodent and then save.

--
GPG public key: 5983 98DA 5F4D A464 38FD CF87 155B E264 13E6 99BF
Re: Update to /etc/sudoers disables wheel users!!!
Sure, you cannot cover everything, but mitigating at least a little bit
would be OK or not? :)

-Ramon

On 27/10/2022 01:06, Grant Taylor wrote:
> On 10/26/22 3:48 PM, Ramon Fischer wrote:
>> I have created an issue at their Git repository. Maybe there will be a
>> solution for this:
>>
>>     https://github.com/sudo-project/sudo/issues/190
>
> I ... don't know where to begin.
>
> There are so many ways that you can hurt yourself with syntactically
> valid sudoers that it's not even funny.
>
> You could allow list almost all commands, without using the special
> ALL place holder and then remark critical commands and end up in a
> very similar situation.
>
> At some point we have to trust that Systems Administrators / Sudoers
> editors know what they are doing and let them do so.
>
>
>

--
GPG public key: 5983 98DA 5F4D A464 38FD CF87 155B E264 13E6 99BF
Re: Update to /etc/sudoers disables wheel users!!!
On 10/26/22 7:27 PM, Ramon Fischer wrote:
> Sure, you cannot cover everything, but mitigating at least a little bit
> would be OK or not? :)

I don't know. :-/

It's the proverbial problem of spam / virus filtering and a spam / virus
gets through the filters and someone saying "But it's your fault because
you are supposed to protect me!!!".

Sometimes there's advantages to saying "here's a gun, it's loaded, and
the safety is off. we suggest not pointing it at your foot. If you do
point it at your foot, don't pull the trigger." type thing.



--
Grant. . . .
unix || die
Re: Re: Update to /etc/sudoers disables wheel users!!!
Ramon Fischer wrote:
> Do you also use "vim" from time to time?
>
> Because it is also able to compare two (or more?) files, similar to
> "sdiff":
>
>    $ vi -d file1 file2
>
> or:
>
>    $ vi file1
>    :diffthis
>    :vsplit
>    CTRL+w + right arrow key
>    :e file2
>    :diffthis
>
> -Ramon
>
> On 27/10/2022 00:44, Dale wrote:
>>   I'd like a GUI tool where I can
>> click the one I want to keep with my rodent and then save.
>

I'd only use vi stuff if I had a gun pointed at me.  Even then, I'd make
a mess of it.  lol

Dale

:-)  :-)
Re: Update to /etc/sudoers disables wheel users!!!
Good point!

This is where a public license comes into play[1] to say "we take no
responsibility, if you f'ed yourself up".

Just to make sure, that you are not liable.

-Ramon

[1] https://github.com/sudo-project/sudo/blob/main/LICENSE.md

On 27/10/2022 03:47, Grant Taylor wrote:
> On 10/26/22 7:27 PM, Ramon Fischer wrote:
>> Sure, you cannot cover everything, but mitigating at least a little
>> bit would be OK or not? :)
>
> I don't know.  :-/
>
> It's the proverbial problem of spam / virus filtering and a spam /
> virus gets through the filters and someone saying "But it's your fault
> because you are supposed to protect me!!!".
>
> Sometimes there's advantages to saying "here's a gun, it's loaded, and
> the safety is off.  we suggest not pointing it at your foot. If you do
> point it at your foot, don't pull the trigger." type thing.
>
>
>

--
GPG public key: 5983 98DA 5F4D A464 38FD CF87 155B E264 13E6 99BF
Re: Re: Update to /etc/sudoers disables wheel users!!!
You just invented a new torture method. :D

Write down the house rules with standard vim with as few keystrokes as
possible. Every mistake gives you an electric shock.

-Ramon

On 27/10/2022 05:01, Dale wrote:
> Ramon Fischer wrote:
>> Do you also use "vim" from time to time?
>>
>> Because it is also able to compare two (or more?) files, similar to
>> "sdiff":
>>
>>    $ vi -d file1 file2
>>
>> or:
>>
>>    $ vi file1
>>    :diffthis
>>    :vsplit
>>    CTRL+w + right arrow key
>>    :e file2
>>    :diffthis
>>
>> -Ramon
>>
>> On 27/10/2022 00:44, Dale wrote:
>>>   I'd like a GUI tool where I can
>>> click the one I want to keep with my rodent and then save.
> I'd only use vi stuff if I had a gun pointed at me.  Even then, I'd make
> a mess of it.  lol
>
> Dale
>
> :-)  :-)
>

--
GPG public key: 5983 98DA 5F4D A464 38FD CF87 155B E264 13E6 99BF
Re: Re: Update to /etc/sudoers disables wheel users!!!
How about "gvim"?:

https://github.com/vim/vim-win32-installer/releases

-Ramon

On 27/10/2022 09:55, Ramon Fischer wrote:
> You just invented a new torture method. :D
>
> Write down the house rules with standard vim with as few keystrokes
> as possible. Every mistake gives you an electric shock.
>
> -Ramon
>
> On 27/10/2022 05:01, Dale wrote:
>> Ramon Fischer wrote:
>>> Do you also use "vim" from time to time?
>>>
>>> Because it is also able to compare two (or more?) files, similar to
>>> "sdiff":
>>>
>>>     $ vi -d file1 file2
>>>
>>> or:
>>>
>>>     $ vi file1
>>>     :diffthis
>>>     :vsplit
>>>     CTRL+w + right arrow key
>>>     :e file2
>>>     :diffthis
>>>
>>> -Ramon
>>>
>>> On 27/10/2022 00:44, Dale wrote:
>>>>    I'd like a GUI tool where I can
>>>> click the one I want to keep with my rodent and then save.
>> I'd only use vi stuff if I had a gun pointed at me.  Even then, I'd make
>> a mess of it.  lol
>>
>> Dale
>>
>> :-)  :-)
>>
>

--
GPG public key: 5983 98DA 5F4D A464 38FD CF87 155B E264 13E6 99BF
