On Fri, January 23, 2015 5:37 am, Scott Robbins wrote:
> On Thu, Jan 22, 2015 at 09:30:03PM -0600, Valeri Galtsev wrote:
>>
>> On Thu, January 22, 2015 9:05 pm, Always Learning wrote:
>> >
>> > On Thu, 2015-01-22 at 21:19 -0500, Bill Maltby (C4B) wrote:
>> >
>> >> I object to this sort of crap. Hidden, no reason for an *IX desktop to
>> >> be forced to ignore or deal with this crap.
>> >>
>> >> https://www.dropbox.com/s/b2p2ki7t2rwi5ot/FreeDeskTop_Org_Orwell_1984.png?dl=0
>> >
>> > What is going on? It really looks Windozed! Looking at it makes me
>> > feel ill.
>> >
>> Just out of curiosity: how do you guys look at it? This asks me for a
>> password... In general it is a good idea to place something into an open URL
>
> Originally, packagekit, which is a GUI package manager, wanted to allow all
> users to install anything without a password. When a bug report was filed,
> the developer mentioned that they didn't care how Unix had done things in
> the past. This made the front page of slashdot, to almost universal
> derision, and RH changed it. In Fedora, I believe it still allows any user
> to update an installed signed package without asking for authentication.
>
> They tried to do that in RH as well, but a bug report was filed, and it was
> changed.
>
> In my less than humble opinion, this is how it should be. A non-privileged
> user should not be allowed to make changes to the system.

I would second that (or third, or hundredth...). I hate Adobe for putting a
SUID-ed "plugin-config" in place, thus enabling a regular user to write where
only root can. This crap triggers my system integrity alarms. I always have
to remove the SUID bit, then set the immutable bit so the crap doesn't
resurrect with their update. In the same list of bad guys comes google with
its chrome browser, which drops in a daily cron job. Which I have to remove
and replace with a placeholder (with immutable bit set), so it doesn't
resurrect... Other people have their lists too, I bet.
As a matter of fact I tend to not use GUI admin tools since long ago. Even
on machines I sit in front of as a regular user. I prefer to grab a root
shell for that. This is, BTW, why I prefer plain ASCII text human readable
config files, and hate the move towards GUI-only based administration. One
single case is different for me: I do prefer the 3ware web RAID admin
interface over anything else (it more transparently prevents me from making
fatal blunders - probably just me). And yes, disabling the root user and
having sudo instead is on my evil list too: yet another SUID-ed binary, and
potential holes due to some garbage in the config file... BTW, su (with the
same password for root as the regular user has), and an attempt to use sudo
are the first two things bad guys try when they log in with the stolen
password of a regular user (after a compromise of a machine elsewhere).

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
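The routine Valeri describes above (find the vendor's SUID binary, strip the bit, pin the file so the next package update cannot quietly put it back, and swap a vendor cron job for an immutable placeholder) is small enough to script. The following is an added example written for this page, not code from the thread or from Adobe, Google or Red Hat. The binary and cron job paths are parameters, not facts about any real package; `chattr +i` / `lsattr` need root and an ext2/3/4 or xfs filesystem, and the audit and strip steps work as an ordinary user on files you own.

```shell
#!/bin/sh
# Added example: audit SUID binaries and pin vendor files so a package update
# cannot silently restore them. Not from the mailing-list thread; all paths
# passed in are assumptions made by the caller.
set -u

# List regular files with the SUID bit set under $1 (default /usr), one per
# line. "-perm -4000" matches any mode that includes the setuid bit; -xdev
# keeps find from wandering into /proc or network mounts.
audit_suid() {
    dir=${1:-/usr}
    find "$dir" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Exit 0 if $1 currently carries the SUID bit, 1 otherwise.
has_suid() {
    [ -u "$1" ]
}

# Remove the SUID bit from $1. Works without root when you own the file.
strip_suid() {
    chmod u-s "$1"
}

# Is the immutable attribute set on $1? lsattr prints the flag string in the
# first column; the letter 'i' appears there when the bit is on.
is_immutable() {
    lsattr -d "$1" 2>/dev/null | cut -d' ' -f1 | grep -q i
}

# Strip SUID and make the file immutable. An RPM/DEB update replaces the file
# by unlinking and recreating it, which fails on an immutable file, so the
# upgrade errors out loudly instead of the bit coming back. Needs root.
lock_binary() {
    strip_suid "$1" && chattr +i "$1"
}

# Replace a vendor cron job with an empty, immutable placeholder script. The
# placeholder occupies the path so the package cannot re-create the job on
# update; the comment inside records why the file exists. Needs root.
neuter_cron_job() {
    job=$1
    chattr -i "$job" 2>/dev/null || true   # in case a previous run locked it
    rm -f "$job"
    printf '#!/bin/sh\n# placeholder: vendor cron job disabled by local policy\nexit 0\n' > "$job"
    chmod 0755 "$job"
    chattr +i "$job"
}

# Usage:
#   sh suid-audit.sh --report [dir]            list SUID binaries under dir
#   lock_binary /path/to/vendor/plugin-config  (as root, path is an assumption)
#   neuter_cron_job /etc/cron.daily/vendor-job (as root, path is an assumption)
if [ "${1:-}" = "--report" ]; then
    audit_suid "${2:-/usr}"
fi
```

Run `--report` before and after a vendor package update and diff the two lists; a binary that reappears in the second list is exactly the case the immutable bit is meant to catch. Note that locking a file this way will make the vendor's updater fail on that file, which is the intended signal, but it means you are now responsible for re-checking the file after each release.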
On Jan 23, 2015, at 12:35 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:

> As a matter of fact I tend to not use GUI admin tools since long ago.

Bring back Xconfigurator!

> I do prefer 3ware web RAID admin
> interface anything else (it more transparently prevents me from making
> fatal blunders - probably just me).

No, not just you. tw_cli is needlessly confusing in its command structure.

Compare the operation of the ZFS and btrfs command line tools, to see how it
should have been done.

> And yes, disabling root user and having sudo instead is on my evil list
> too: yet another SUID-ed binary, and potential holes due to some garbage
> in config file...

Given how old and battle tested sudo is, I think we can trust it.

My only remaining unease comes from the fact that the sudo binary is about
4x the size of su.

Still, I'm glad RH finally made it usable out of the box with EL7. The
default config in prior versions was only usable by root, which made it
little other than an alias for su.

> BTW, su (with the same password for root as regular user
> has), and attempt to use sudo are the first two things bad guys try when
> they log in with stolen password of regular user (after a compromise of
> machine elsewhere).

So don't use the password for root or sudo-capable users elsewhere. If you
don't know for a fact that the connection is secure and the password is
securely hashed, use a different password.

Sudo offers many advantages that sudo does not, which counterbalance its
risks, IMHO.
On Fri, January 23, 2015 2:05 pm, Warren Young wrote:
> On Jan 23, 2015, at 12:35 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu>
> wrote:
>
>> As a matter of fact I tend to not use GUI admin tools since long ago.
>
> Bring back Xconfigurator!
>
>> I do prefer 3ware web RAID admin
>> interface anything else (it more transparently prevents me from making
>> fatal blunders - probably just me).
>
> No, not just you. tw_cli is needlessly confusing in its command
> structure.
>
> Compare the operation of the ZFS and btrfs command line tools, to see how
> it should have been done.
>
>> And yes, disabling root user and having sudo instead is on my evil list
>> too: yet another SUID-ed binary, and potential holes due to some garbage
>> in config file...
>
> Given how old and battle tested sudo is, I think we can trust it.
>
> My only remaining unease comes from the fact that the sudo binary is about
> 4x the size of su.
>
> Still, I'm glad RH finally made it usable out of the box with EL7. The
> default config in prior versions was only usable by root, which made it
> little other than an alias for su.
>
>> BTW, su (with the same password for root as regular user
>> has), and attempt to use sudo are the first two things bad guys try when
>> they log in with stolen password of regular user (after a compromise of
>> machine elsewhere).
>
> So don't use the password for root or sudo-capable users elsewhere. If
> you don't know for a fact that the connection is secure and the password
> is securely hashed, use a different password.

That is exactly what I meant to say to everybody (if you read the rest of
what I wrote you will realize that I don't make blunders of this
magnitude!).

Thanks for spelling it out in plainer English than I managed to ;-)

Valeri

> Sudo offers many advantages that sudo does not, which counterbalance its
> risks, IMHO.

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 2015-01-23, Warren Young <wyml at etr-usa.com> wrote:
> On Jan 23, 2015, at 12:35 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
>> I do prefer 3ware web RAID admin
>> interface anything else (it more transparently prevents me from making
>> fatal blunders - probably just me).
>
> No, not just you. tw_cli is needlessly confusing in its command structure.

Just you wait till you get to the MegaRAID command line! It makes tw_cli
seem like echo in comparison.

I found the 3ware web interface too clunky for my purposes, so I forced
myself to learn tw_cli. Once I used it regularly I found it to be mostly
usable. I've yet to do this with megacli or storcli, and those are so much
more complicated than tw_cli, so I haven't learned them very well yet.

But (getting back a little to the original topic) getting to the 3ware web
interface should not require root privileges on the client, since it's just
the browser connecting to the 3ware http(s) listener. The OP seemed to be
ranting about a prompt for an administrative password from the desktop
environment.

--keith

-- 
kkeller at wombat.san-francisco.ca.us