[arch-general] Tired of being asked for a password for "su"? Arch has the solution
Guys,

Working through the setup of my new server, I ran across a wonderful hidden time-saver in /etc/pam.d/su. If you have configured sudo in the normal way by providing sudo access to members of the 'wheel' group, you can avoid having to type the root password to 'su' by uncommenting the following line in /etc/pam.d/su:

auth sufficient pam_wheel.so trust use_uid

As the comment says, the entry causes pam to implicitly trust members of the wheel group. Eliminating the need to type a 14 char pw 10 times a day is a time-saver.

My only concern is how secure it is to allow pam to do this? I'd welcome any thoughts by those that understand whether this causes a concern.

Thanks and thanks to whoever put this little gem in /etc/pam.d/su

--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
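The three states of /etc/pam.d/su that come up in this thread (both pam_wheel lines commented out, the "trust" line uncommented, or the "required ... use_uid" line uncommented) are easy to confuse when reading the file by eye. The script below is an added example for this thread, not code posted by any participant: it reports which pam_wheel mode a pam.d/su-style file is actually in and lists who is in the group that mode trusts. The function names and the sample files are constructed for the example; the stock file is modelled on the Arch /etc/pam.d/su layout the original post describes.

```shell
#!/bin/sh
# Added example (not from the thread): audit a pam.d/su-style file for the
# pam_wheel setting discussed above, and list who is in the trusted group.
# All sample files below are constructed for this example.

# Print the effective pam_wheel mode of a pam.d/su file:
#   trust    - wheel members may su without a password (the thread's time-saver)
#   restrict - only wheel members may su, but the root password is still asked
#   none     - no active pam_wheel line; anyone with the root password may su
su_pam_wheel_mode() {
    # drop comments, keep only auth lines that load pam_wheel.so
    active=$(sed -e 's/#.*$//' "$1" | awk '$1 == "auth" && $0 ~ /pam_wheel\.so/')
    if printf '%s\n' "$active" | grep -q -E '(^|[[:space:]])trust([[:space:]]|$)'; then
        echo trust
    elif [ -n "$active" ]; then
        echo restrict
    else
        echo none
    fi
}

# Print the members of a group from an /etc/group-style file (empty if none).
#   $1 = group file, $2 = group name
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

SAMPLE_DIR=$(mktemp -d)

# Stock layout: both pam_wheel lines commented out (constructed sample).
cat > "$SAMPLE_DIR/su.stock" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required    pam_wheel.so use_uid
auth        required    pam_unix.so
account     required    pam_unix.so
session     required    pam_unix.so
EOF

# The original poster's change: the "trust" line uncommented.
sed 's/^#auth\(.*trust use_uid\)$/auth\1/' "$SAMPLE_DIR/su.stock" > "$SAMPLE_DIR/su.trust"

# The alternative David settles on at the end of the thread: wheel-only, password kept.
sed 's/^#auth\(.*pam_wheel.so use_uid\)$/auth\1/' "$SAMPLE_DIR/su.stock" > "$SAMPLE_DIR/su.restrict"

# Constructed /etc/group excerpt.
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:root
wheel:x:10:alice,backup
users:x:100:
EOF

for f in stock trust restrict; do
    printf '%-9s pam_wheel mode: %s\n' "$f" "$(su_pam_wheel_mode "$SAMPLE_DIR/su.$f")"
done
printf 'wheel members: %s\n' "$(group_members "$SAMPLE_DIR/group" wheel)"
```

Run against the real files (su_pam_wheel_mode /etc/pam.d/su; group_members /etc/group wheel) the two outputs together answer the question David raises later in the thread: the "trust" mode is only as safe as every account in that member list, including service accounts someone added for convenience.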
On Monday 01 of March 2010 20:58, David C. Rankin wrote:
Guys,
Working through the setup of my new server, I ran across a wonderful hidden time-saver in /etc/pam.d/su. If you have configured sudo in the normal way by providing sudo access to members of the 'wheel' group, you can avoid having to type the root password to 'su' by uncommenting the following line in /etc/pam.d/su:
<snip>

In my own personal opinion, su shouldn't be passwordless. You can use sudo -i combined with NOPASSWD in sudoers instead. After all, you have sudo installed, and you are giving someone instant access.

--
Real programmers don't document. If it was hard to write, it should be hard to understand.
On 03/01/2010 07:58 PM, David C. Rankin wrote:
As the comment says, the entry causes pam to implicitly trust members of the wheel group. Eliminating the need to type a 14 char pw 10 times a day is a time-saver.
PAM itself should be pretty secure, but what you are trying to achieve isn't. There is a reason behind that password prompt. You don't want anyone who gains access to your account (daemons, scripts, ...) to have root access right away without ever asking for a password. If you don't want to type yours that often use sudo -s.

--
Florian Pritz -- {flo,bluewind}@server-speed.net
On 03/01/2010 01:14 PM, Florian Pritz wrote:
On 03/01/2010 07:58 PM, David C. Rankin wrote:
As the comment says, the entry causes pam to implicitly trust members of the wheel group. Eliminating the need to type a 14 char pw 10 times a day is a time-saver.
PAM itself should be pretty secure, but what you are trying to achieve isn't. There is a reason behind that password prompt. You don't want anyone who gains access to your account (daemons, scripts, ...) to have root access right away without ever asking for a password. If you don't want to type yours that often use sudo -s.
Ed, Florian,

Thank you for your insight. I guess I should have also included the fact that the box in question sits in my home-office and physical security isn't an issue. Also, there is only one member of the wheel group -- me.

Thinking through the threat scenario, as long as pam is doing its job and only allowing members of the wheel group to su without a password, that limits vulnerability to (1) a pam exploit or (2) privilege escalation by a user to become a member of the wheel group. I see it as pretty minimal, but I guess a good compromise is to revert to a password when the machine goes online, but to enjoy the convenience while I'm setting the box up while it doesn't have any access from the outside.

It worries me to think about the possible security implications, but the lazy side of me sure does like the convenience :p

--
David C. Rankin, J.D.,P.E.
On Mon, Mar 1, 2010 at 17:58, David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
It worries me to think about the possible security implications, but the lazy side of me sure does like the convenience :p
It's also a bigger issue if you use ssh or a vpn where you could potentially be getting connections from other places.
On Mon, Mar 1, 2010 at 5:58 PM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
On 03/01/2010 01:14 PM, Florian Pritz wrote:
On 03/01/2010 07:58 PM, David C. Rankin wrote:
As the comment says, the entry causes pam to implicitly trust members of the wheel group. Eliminating the need to type a 14 char pw 10 times a day is a time-saver.
PAM itself should be pretty secure, but what you are trying to achieve isn't. There is a reason behind that password prompt. You don't want anyone who gains access to your account (daemons, scripts, ...) to have root access right away without ever asking for a password. If you don't want to type yours that often use sudo -s.
Ed, Florian,
Thank you for your insight. I guess I should have also included the fact that the box in question sits in my home-office and physical security isn't an issue. Also, there is only one member of the wheel group -- me.
Thinking through the threat scenario, as long as pam is doing its job and only allowing members of the wheel group to su without a password, that limits vulnerability to (1) a pam exploit or (2) privilege escalation by a user to become a member of the wheel group. I see it as pretty minimal, but I guess a good compromise is to revert to a password when then machine goes online, but to enjoy the convenience while I'm setting the box up while it doesn't have any access from the outside.
It worries me to think about the possible security implications, but the lazy side of me sure does like the convenience :p
What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just get owned in one step.
On 03/01/2010 05:03 PM, Ray Kohler wrote:
On Mon, Mar 1, 2010 at 5:58 PM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
On 03/01/2010 01:14 PM, Florian Pritz wrote:
On 03/01/2010 07:58 PM, David C. Rankin wrote:
As the comment says, the entry causes pam to implicitly trust members of the wheel group. Eliminating the need to type a 14 char pw 10 times a day is a time-saver.
PAM itself should be pretty secure, but what you are trying to achieve isn't. There is a reason behind that password prompt. You don't want anyone who gains access to your account (daemons, scripts, ...) to have root access right away without ever asking for a password. If you don't want to type yours that often use sudo -s.
Ed, Florian,
Thank you for your insight. I guess I should have also included the fact that the box in question sits in my home-office and physical security isn't an issue. Also, there is only one member of the wheel group -- me.
Thinking through the threat scenario, as long as pam is doing its job and only allowing members of the wheel group to su without a password, that limits vulnerability to (1) a pam exploit or (2) privilege escalation by a user to become a member of the wheel group. I see it as pretty minimal, but I guess a good compromise is to revert to a password when then machine goes online, but to enjoy the convenience while I'm setting the box up while it doesn't have any access from the outside.
It worries me to think about the possible security implications, but the lazy side of me sure does like the convenience :p
What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just get owned in one step.
That's what my limited understanding was missing! Good info Ray. When the box goes on-line the comment goes back in /etc/pam.d/su. Thank you for the info I needed.

Now why would somebody put that commented ability in ../pam.d/su? Probably for just the exact reasons we have discussed in the thread. Learning has occurred, it's been a good day...

--
David C. Rankin, J.D.,P.E.
On 03/01/2010 05:03 PM, Ray Kohler wrote:
What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just get owned in one step.
How would this be any different than 'sudo' configured to allow members of the wheel group to sudo w/o a password?

Same answer - data prevails - set sudo to require a password? I have run servers for more than a decade with sudo/wheel group access enabled w/o a password - no problems. May have just been lucky :p

Ray, all - any different thoughts about sudo w/o a password compared to su? Or same answer, with no password, you just got owned in one step :p

--
David C. Rankin, J.D.,P.E.
On Tue, Mar 2, 2010 at 9:24 PM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
On 03/01/2010 05:03 PM, Ray Kohler wrote:
What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just get owned in one step.
How would this be any different than 'sudo' configured to allow members of the wheel group to sudo w/o a password?
Same answer - data prevails - set sudo to require a password? I have run servers for more than a decade with sudo/wheel group access enabled w/o a password - no problems. May have just been lucky :p
Ray, all - any different thoughts about sudo w/o a password compared to su? Or same answer, with no password, you just got owned in one step :p
Yes, same answer, you get owned. In fact, even with a password required, the "5 minute grace window" for sudo does you in - some bad guy just keeps trying to sudo, until you do it legitimately, thereby allowing it freely for 5 minutes, and then he's got root.

What I actually do, myself, is to not install sudo at all, and just use su. I also uncomment the pam line that requires wheel membership to su. In order to make su be a little more comfortable, I do this:

alias su='su -m'
sr () { /bin/su -m -c "$*"; }

I only recommend doing away with sudo if you're the only person who has root on the machine. For multiple users needing such access, sudo's fine-grained controls are well worth it, and prevent you from having to hand out the root password every time it gets changed.
Yes, same answer, you get owned. In fact, even with a password required, the "5 minute grace window" for sudo does you in - some bad guy just keeps trying to sudo, until you do it legitimately, thereby allowing it freely for 5 minutes, and then he's got root.
Isn't it possible to lock that to specific consoles with "Defaults tty_tickets" in /etc/sudoers ? I guess that, with the 5 min. grace window, it will give a good balance between annoyance and security.
On Wed, Mar 3, 2010 at 9:06 AM, Mauro Santos <registo.mailling@gmail.com> wrote:
Yes, same answer, you get owned. In fact, even with a password required, the "5 minute grace window" for sudo does you in - some bad guy just keeps trying to sudo, until you do it legitimately, thereby allowing it freely for 5 minutes, and then he's got root.
Isn't it possible to lock that to specific consoles with "Defaults tty_tickets" in /etc/sudoers ? I guess that, with the 5 min. grace window, it will give a good balance between annoyance and security.
That's a nice feature, but there's still a hole in it. Consider the case where you run sudo, close the window, and within the next 5 minutes something else allocates a PTY. It's likely to get the one you just closed, with your ticket still good for it.
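Ray's and Mauro's exchange names three sudoers knobs that decide how much a compromised user session can do: NOPASSWD rules, the credential cache lifetime (timestamp_timeout, 5 minutes unless set; 0 disables the cache entirely, which closes the "keep trying until the owner runs sudo" window Ray describes) and tty_tickets (per-terminal tickets; off by default in sudo of that era, on by default in current releases, and still subject to the reused-PTY gap Ray points out). The script below is an added example for this thread, not code from any participant or from the sudo project: it reports those three settings for a sudoers-style file, here run over two constructed samples, one matching David's password-less wheel setup and one hardened. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a sudoers-style file for the
# settings discussed above. The two sample files are constructed.

# Drop whole-line comments. (sudoers also uses '#' for "#include" and numeric
# UIDs; this audit does not follow includes, so dropping them is acceptable.)
sudoers_active() {
    grep -v -E '^[[:space:]]*#' "$1" || true
}

# Print user specifications that grant commands without a password prompt.
sudoers_nopasswd_rules() {
    sudoers_active "$1" | grep 'NOPASSWD:' || true
}

# Print the credential cache lifetime in minutes. sudo's compiled-in default
# is 5 (Ray's "grace window"); 0 means a password for every invocation.
sudoers_timestamp_timeout() {
    v=$(sudoers_active "$1" | grep 'Defaults' \
        | sed -n -E 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*(-?[0-9]+).*/\1/p' \
        | tail -n 1)
    echo "${v:-5}"
}

# Report whether tty_tickets is explicitly enabled (a leading '!' disables it
# and is deliberately not matched).
sudoers_tty_tickets() {
    if sudoers_active "$1" | grep 'Defaults' \
        | grep -q -E '(^|[[:space:],])tty_tickets([[:space:],]|$)'; then
        echo on
    else
        echo off
    fi
}

# Human-readable summary of one file.
sudoers_report() {
    printf '== %s\n' "$1"
    printf '  NOPASSWD rules   : %s\n' "$(sudoers_nopasswd_rules "$1" | wc -l | tr -d ' ')"
    printf '  timestamp_timeout: %s min\n' "$(sudoers_timestamp_timeout "$1")"
    printf '  tty_tickets      : %s\n' "$(sudoers_tty_tickets "$1")"
}

SAMPLE_DIR=$(mktemp -d)
WEAK="$SAMPLE_DIR/sudoers.weak"
HARD="$SAMPLE_DIR/sudoers.hardened"

# Constructed: wheel may run anything with no password prompt (David's setup).
cat > "$WEAK" <<'EOF'
# wheel group, no password
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
EOF

# Constructed: password on every call, per-terminal tickets, limited retries.
cat > "$HARD" <<'EOF'
Defaults timestamp_timeout=0
Defaults tty_tickets
Defaults passwd_tries=3
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
EOF

sudoers_report "$WEAK"
sudoers_report "$HARD"
```

Point the functions at /etc/sudoers (readable as root, or via visudo -c -f on a copy) to see where a box actually stands; a NOPASSWD count above zero or the default timeout with tty_tickets off is exactly the situation Ray's "keep trying until you sudo" remark is about.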
On 03/02/2010 08:40 PM, Ray Kohler wrote:
On Tue, Mar 2, 2010 at 9:24 PM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
On 03/01/2010 05:03 PM, Ray Kohler wrote:
What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just get owned in one step.
How would this be any different than 'sudo' configured to allow members of the wheel group to sudo w/o a password?
Same answer - data prevails - set sudo to require a password? I have run servers for more than a decade with sudo/wheel group access enabled w/o a password - no problems. May have just been lucky :p
Ray, all - any different thoughts about sudo w/o a password compared to su? Or same answer, with no password, you just got owned in one step :p
Yes, same answer, you get owned. In fact, even with a password required, the "5 minute grace window" for sudo does you in - some bad guy just keeps trying to sudo, until you do it legitimately, thereby allowing it freely for 5 minutes, and then he's got root.
What I actually do, myself, is to not install sudo at all, and just use su. I also uncomment the pam line that requires wheel membership to su. In order to make su be a little more comfortable, I do this:
alias su='su -m'
sr () { /bin/su -m -c "$*"; }
I only recommend doing away with sudo if you're the only person who has root on the machine. For multiple users needing such access, sudo's fine-grained controls are well worth it, and prevent you from having to hand out the root password every time it gets changed.
Again, thank you Ray! Thankfully, all my boxes are one root user (me) boxes. So I guess I'm really trying to save me from myself. I did uncomment the pam require wheel auth to limit any possible su/sudo access to require members of the wheel group. Interesting discussion, I've learned a bit more.

--
David C. Rankin, J.D.,P.E.
On Tue, 02 Mar 2010 20:24:20 -0600 "David C. Rankin" <drankinatty@suddenlinkmail.com> wrote:
On 03/01/2010 05:03 PM, Ray Kohler wrote:
What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just get owned in one step.
How would this be any different than 'sudo' configured to allow members of the wheel group to sudo w/o a password?
Same answer - data prevails - set sudo to require a password? I have run servers for more than a decade with sudo/wheel group access enabled w/o a password - no problems. May have just been lucky :p
Ray, all - any different thoughts about sudo w/o a password compared to su? Or same answer, with no password, you just got owned in one step :p
sudo can be limited to only certain commands also. IMO su should remain as secure as possible and sudo should be customised for the situation.
On 03/03/2010, Ty John <ty-ml@eye-of-odin.com> wrote:
On Tue, 02 Mar 2010 20:24:20 -0600 "David C. Rankin" <drankinatty@suddenlinkmail.com> wrote:
On 03/01/2010 05:03 PM, Ray Kohler wrote:
What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just get owned in one step.
How would this be any different than 'sudo' configured to allow members of the wheel group to sudo w/o a password?
Same answer - data prevails - set sudo to require a password? I have run servers for more than a decade with sudo/wheel group access enabled w/o a password - no problems. May have just been lucky :p
Ray, all - any different thoughts about sudo w/o a password compared to su? Or same answer, with no password, you just got owned in one step :p
sudo can be limited to only certain commands also. IMO su should remain as secure as possible and sudo should be customised for the situation.
It's all a moot point. If you want to talk about "things that you run yourself", then su/sudo does nothing to help you in any way. Most of the su/sudo thing derived from *NIX machines being academic remote systems accessed by more than one person, and not a single-user desktop which could be attacked and infected by the user's own epic failures.

http://www.geekzone.co.nz/foobar/6229

--
GPG/PGP ID: B42DDCAD
On Mon, Mar 01, 2010 at 11:58:47PM +0100, David C. Rankin wrote:
<snip>
It worries me to think about the possible security implications, but the lazy side of me sure does like the convenience :p
Did you really think you will get the answer you are looking for here on the list? :) I'm lazy too, but I value my data more, I will never do this. But of course, I'm not in charge of your machine. Feel free to use the best solution for you, that's what freedom is about. Why do you seek confirmation from some strangers?

Cheers,
Jaroslav

--
In youth, it was a way I had
To do my best to please,
And change, with every passing lad,
To suit his theories.
But now I know the things I know,
And do the things I do;
And if you do not like me so,
To hell, my love, with you!
-- Dorothy Parker, "Indian Summer"
participants (9)
- Daenyth Blank
- David C. Rankin
- Ed Jobs
- Florian Pritz
- Jaroslav Lichtblau
- Mauro Santos
- Ray Kohler
- Ray Rashif
- Ty John