Notices


Reply
Thread Tools
qole's Avatar
Moderator | Posts: 7,109 | Thanked: 8,820 times | Joined on Oct 2007 @ Vancouver, BC, Canada
#81
Originally Posted by Benson View Post
Add this line
Code:
user ALL = NOPASSWD: ALL
at the end, and now the user "user", logged in on any machine, can execute any command without authentication.
Ok, so that's just a bit scary. Is there any way to add specific commands? But, since the command I want to add is "chroot" that really isn't any more secure, except in a security-through-obscurity way...
__________________
qole.org --- twitter --- Easy Debian wiki page
Please don't send me a private message, post to the appropriate thread.
Thank you all for your donations!
 
Benson's Avatar
Posts: 4,930 | Thanked: 2,272 times | Joined on Oct 2007
#82
That was my thought... You can protect it so you can only chroot some particular place. If you had a particular place tighter than, say, an iPhone's chroot jail, that might make sense. If you've got something like this, designed for utility over security, anyone getting chrooted in without rather immediate dropping of permissions owns your system. (And there's a decent chance, without further attention paid, that they still could.)

But if you'd rather, yes you can do something like:
Code:
user ALL = NOPASSWD: /usr/sbin/chroot /opt *
You can also set it to require either root's password or the user's password (the latter is so you don't get baggy-pantsed, and is typical for sudo, especially on a single-user system.), if you think that's more appropriate.
 

The Following 2 Users Say Thank You to Benson For This Useful Post:
qole's Avatar
Moderator | Posts: 7,109 | Thanked: 8,820 times | Joined on Oct 2007 @ Vancouver, BC, Canada
#83
Thanks for being so helpful, but I'm just being silly since I am using certificates on SSH so anyone can walk up to my N800, open a terminal, and type* "ssh root@localhost" and proceed to do something nasty. So what's one more hole in a block of Swiss cheese?

With a handheld device, the best security is keeping it close.

*slowly peck out with a stylus while hunched over the device
__________________
qole.org --- twitter --- Easy Debian wiki page
Please don't send me a private message, post to the appropriate thread.
Thank you all for your donations!
 
Benson's Avatar
Posts: 4,930 | Thanked: 2,272 times | Joined on Oct 2007
#84
Indeed; my tablet has keys to access my desktop with no password. I consider "from my cold, dead hands" a sufficient security policy for a device of this class.

If you'd rather not have it quite that easy, you could lock that down by generating keys with pass-phrases. But why bother?
 
ldrn's Avatar
Posts: 201 | Thanked: 88 times | Joined on Aug 2007 @ San Francisco, CA
#85
Thanks for that tip! I now have sudo set to ask for the user's password and use passphrases for all my keys... I don't know if I am just too paranoid or a sucker for punishment.

I don't have it ask for a password when you log in, though. I am security lax; my password and passphrase are not even all that different.
 
Posts: 25 | Thanked: 1 time | Joined on Apr 2008
#86
Yeah I don't think I could ever do this, I'm way way too paranoid. Ever since I saw my friend's computer get hacked and left blasting music all day until we came back from school, I don't mess around. Also, I was able to circumvent a lot of security (during my naive days of course) so I've trained myself to enhance never decrease my security policies.
 
Benson's Avatar
Posts: 4,930 | Thanked: 2,272 times | Joined on Oct 2007
#87
If you run no externally accessible services (or lock them down sufficiently), then console access is required. If it's in your pocket, console access is pretty strictly limited.

(And, with console access and any net connection, an attacker can install gainroot and use it... so it really doesn't matter.)
 
qole's Avatar
Moderator | Posts: 7,109 | Thanked: 8,820 times | Joined on Oct 2007 @ Vancouver, BC, Canada
#88
It turns out that something that I installed on my tablet had already done the sudoers thing; when I went to edit it, it was already there. I suspect it was KDE or Personal Menu.

And yes,
Code:
sudo debian hilda openoffice
"works well" in a miata-pulling-fifth-wheeler sort of way. Thanks for the tip.
__________________
qole.org --- twitter --- Easy Debian wiki page
Please don't send me a private message, post to the appropriate thread.
Thank you all for your donations!

Last edited by qole; 2008-05-20 at 01:11.
 
Posts: 156 | Thanked: 44 times | Joined on Dec 2007
#89
These files are in the tarball:
Code:
./var/lib/bluetooth/00:19:4F:DA:FA:28/
./var/lib/bluetooth/00:19:4F:DA:FA:28/names
./var/lib/bluetooth/00:19:4F:DA:FA:28/linkkeys
./var/lib/bluetooth/00:19:4F:DA:FA:28/manufacturers
./var/lib/bluetooth/00:19:4F:DA:FA:28/features
./var/lib/bluetooth/00:19:4F:DA:FA:28/lastseen
./var/lib/bluetooth/00:19:4F:DA:FA:28/sdp
./var/lib/bluetooth/00:19:4F:DA:FA:28/config
./var/lib/bluetooth/00:19:4F:DA:FA:28/lastused
./var/lib/bluetooth/00:19:4F:DA:FA:28/audio
./var/lib/bluetooth/00:19:4F:DA:FA:28/classes
 
Reply

Thread Tools

 
Forum Jump


All times are GMT. The time now is 04:31.