From: Stephen Major
To: freebsd-security@freebsd.org
Date: Thu, 21 Jul 2005 12:56:35 -0700
Subject: FW: FW: FW: FW: Adding OpenBSD sudo to the FreeBSD base system?

"All you need to do is uncomment that and voila, you have default su behavior -- anyone in the wheel group allowed to sudo as any other user."

Exactly! Every other user can sudo. I run many shell servers; I do not want every user being able to sudo. With su, first they have to break into an account that is part of the wheel group. Then they have to get past your root password.

You cannot configure sudo to fit everyone's needs. So replacing su just makes it so the rest of us have to configure it, just because you do not want to take 10 minutes and install the port. Then again, some people have brought to the table the security flaws found in sudo.

What makes it so hard that you cannot install sudo from ports? I will even make you a quick shell script that will do it for you.

-----Original Message-----
From: asym [mailto:bsdlists@rfnj.org]
Sent: Thursday, July 21, 2005 12:45 PM
To: Stephen Major; freebsd-security@freebsd.org
Subject: Re: FW: FW: FW: Adding OpenBSD sudo to the FreeBSD base system?

At 15:15 7/21/2005, Stephen Major wrote:
>http://www.freshports.org/security/sudo/
>
>there it is in the ports tree do your research before saying that my claim
>is baseless

The claim that you'd have to do any configuring at all is "baseless."

>And stop before you come back with saying you have to configure it.
>Because that is exactly my point I do not have to configure anything to use
>su.
>
>And no you could not make sudo "out of the box" ready, for everyone's
>application. Otherwise the default configs would already be that way when
>you installed it from ports.

Try logic here rather than just spouting the first thing that comes to mind. It can be duplicated. Exactly. The port contains the following line in the default sudoers(5) file:

    # %wheel ALL = (ALL) ALL

All you need to do is uncomment that and voila, you have default su behavior -- anyone in the wheel group allowed to sudo as any other user. The only difference is it asks for their password instead of the root password, which is how sudo works, the entire point some (including myself) might say.

>I only want 2 users on my system to be in the wheel group and su to full
>root.
>
>But the next guy might want sudo and be able to give limited access to
>several "sub-admins"

Perhaps, but guess what? sudo gives that opportunity, su does not. Coupled with the fact that sudo can be configured (and should be by default, if in the base system) to allow wheel to function as it does for su, and I say again: your concerns in this regard are entirely baseless.

>From my perspective su is more secure than sudo in the fact that an idiot
>admin cannot screw it up. Unless they set some dumb root password for
>example: 1234admin

There is no security against idiocy. If you combine "idiot" and "admin" in your environment, and make an "idiot admin", shame on you, not shame on sudo.
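As an added example (not a script from either poster), here is the check an administrator would run before or after uncommenting that line: it reports whether a sudoers file has the port's "%wheel ALL = (ALL) ALL" rule active or still commented out and, if active, lists every wheel member who can then run commands as any user, which is the exposure both posters are arguing about. The file paths and their contents are constructed for the example; on a real host they would be /usr/local/etc/sudoers and /etc/group.

```shell
#!/bin/sh
# Added example, not from the thread: audit a sudoers file for the
# "%wheel ALL = (ALL) ALL" rule the port ships commented out, and list
# the accounts that rule would let run commands as any user. File paths
# are parameters so it runs here on constructed samples; on a real host
# they would be /usr/local/etc/sudoers and /etc/group.

# Regex for the rule body; sudoers(5) allows blanks around '='.
WHEEL_RULE='%wheel[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL[[:space:]]*$'

# Print "active", "commented" or "absent" for the wheel rule in $1.
wheel_rule_state() {
    if grep -Eq "^[[:space:]]*$WHEEL_RULE" "$1"; then
        echo active
    elif grep -Eq "^[[:space:]]*#[[:space:]]*$WHEEL_RULE" "$1"; then
        echo commented
    else
        echo absent
    fi
}

# If the rule in sudoers $1 is active, print the wheel members from
# group file $2 (one per line); these are the accounts that can sudo.
wheel_sudoers() {
    [ "$(wheel_rule_state "$1")" = active ] || return 0
    awk -F: '$1 == "wheel" { n = split($4, m, ",")
                             for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
}

# Constructed sample files (not any real host's data).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' 'root ALL=(ALL) ALL' '# %wheel ALL = (ALL) ALL' > "$SAMPLE_DIR/sudoers.default"
printf '%s\n' 'root ALL=(ALL) ALL' '%wheel ALL = (ALL) ALL'   > "$SAMPLE_DIR/sudoers.enabled"
printf '%s\n' 'wheel:*:0:root,alice,bob' 'users:*:100:carol'   > "$SAMPLE_DIR/group"

for f in sudoers.default sudoers.enabled; do
    echo "$f: wheel rule $(wheel_rule_state "$SAMPLE_DIR/$f")"
    wheel_sudoers "$SAMPLE_DIR/$f" "$SAMPLE_DIR/group" | sed 's/^/  can sudo: /'
done
```

The check only recognises the exact rule quoted in the thread; a sudoers file that grants wheel access through a different rule or an aliased user list is reported as "absent", so run visudo -c and read the file as well.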