From: Roy Smith on 16 Jul 2010 20:06

In article <8e76h7x6ni.ln2(a)goaway.wombat.san-francisco.ca.us>, Keith Keller <kkeller-usenet(a)wombat.san-francisco.ca.us> wrote:

> As always, what is a "safer" approach depends wildly on the particular
> situation. Both su and sudo will log logins, but only sudo will log
> actual commands executed (unless you do sudo su or similar which gets
> you a root shell).

Funny story about that. Where I work, all the developers have root access on all the dev boxes (we need it for testing the software we develop). In the old days, sudo was set up to only require you to type your password once, and then if you did sudo again within N minutes, it let you in without demanding the password again. Very handy.

At some point, some new manager droid took over running the sysadmin group. She decided the above arrangement was "insecure" and had sudo reconfigured to require you to type your password every time. It took about a day for the developers to get annoyed at how inconvenient this was and figure out that you could just do "sudo bash".

Moral -- most people are willing to do the right thing, as long as it's not terribly inconvenient.
From: Keith Keller on 16 Jul 2010 23:58

On 2010-07-17, Roy Smith <roy(a)panix.com> wrote:
>
> At some point, some new manager droid took over running the sysadmin
> group. She decided the above arrangement was "insecure" and had sudo
> reconfigured to require you to type your password every time. It took
> about a day for the developers to get annoyed at how inconvenient this
> was and figure out that you could just do "sudo bash".

That manager wasn't very bright if she overlooked this obvious hole in her security plan!

--keith

--
kkeller-usenet(a)wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
From: Marc Haber on 17 Jul 2010 04:38

Roy Smith <roy(a)panix.com> wrote:
> Funny story about that. Where I work, all the developers have root
> access on all the dev boxes (we need it for testing the software we
> develop). In the old days, sudo was set up to only require you to type
> your password once, and then if you did sudo again with N minutes, it
> let you in without demanding the password again. Very handy.
>
> At some point, some new manager droid took over running the sysadmin
> group. She decided the above arrangement was "insecure" and had sudo
> reconfigured to require you to type your password every time. It took
> about a day for the developers to get annoyed at how inconvenient this
> was and figure out that you could just do "sudo bash".

btdt. I let this run for a week, and then showed the manager droid the logs from before and after the change. He finally saw the light and we could return to the better setup.

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
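The "before and after" logs Roy and Marc describe are sudo's own syslog lines, and the point both posts make is visible in them: sudo records the command it was asked to run, so once that command is `/bin/bash` or `/bin/su -`, everything typed afterwards leaves no trace in sudo's log. The script below is an added example, not something posted in this thread. It runs a small awk filter over constructed auth.log-style sudo lines (the host, user names and paths are made up) and reports every successful invocation whose program is an interactive shell or `su`. It skips sudo's "incorrect password attempts" lines, which also carry a COMMAND= field but never granted a shell. The N-minute cache the posts mention is sudo's `Defaults timestamp_timeout=N` in sudoers (0 prompts every time, a negative value never expires); setting it to 0 is what produced the `sudo bash` habit.

```shell
#!/bin/sh
# Constructed sample of sudo's syslog output (example data, not a real log).
SAMPLE_LOG='Jul 17 09:01:12 devbox1 sudo:      roy : TTY=pts/3 ; PWD=/home/roy ; USER=root ; COMMAND=/bin/systemctl restart app
Jul 17 09:02:40 devbox1 sudo:      roy : TTY=pts/3 ; PWD=/home/roy ; USER=root ; COMMAND=/bin/bash
Jul 17 09:15:03 devbox1 sudo:    keith : TTY=pts/1 ; PWD=/home/keith ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/app.log
Jul 17 09:20:55 devbox1 sudo:    keith : TTY=pts/1 ; PWD=/home/keith ; USER=root ; COMMAND=/bin/su -
Jul 17 09:31:10 devbox1 sudo:     marc : TTY=pts/2 ; PWD=/home/marc ; USER=root ; COMMAND=/usr/bin/vim /etc/hosts
Jul 17 09:32:00 devbox1 sudo:     marc : TTY=pts/2 ; PWD=/home/marc ; USER=root ; COMMAND=/bin/sh -i
Jul 17 09:40:00 devbox1 sudo:      roy : roy : 3 incorrect password attempts ; TTY=pts/3 ; PWD=/home/roy ; USER=root ; COMMAND=/bin/bash'

# find_shell_escapes LOGTEXT
# Prints "user command" for each sudo line that granted an interactive
# shell (bash, sh, dash, zsh, ksh, su, or a nested sudo such as sudo -i).
# Commands run inside such a shell are never logged by sudo, so these
# lines mark the point where the per-command audit trail stops.
find_shell_escapes() {
    printf '%s\n' "$1" | awk '
        / sudo: / && /COMMAND=/ && !/incorrect password/ {
            # user name: the token between "sudo:" and the first " :"
            match($0, / sudo: +[^ ]+ :/)
            u = substr($0, RSTART, RLENGTH)
            sub(/ sudo: +/, "", u); sub(/ :$/, "", u)
            # full command line: everything after COMMAND=
            c = $0; sub(/.*COMMAND=/, "", c)
            # basename of the program actually executed
            split(c, w, " ")
            prog = w[1]; sub(/.*\//, "", prog)
            if (prog ~ /^(bash|sh|dash|zsh|ksh|su|sudo)$/)
                print u, c
        }'
}

# Stand-alone use: report the escapes found in the sample.
find_shell_escapes "$SAMPLE_LOG"
```

Run against a real `/var/log/auth.log` (or `journalctl -t sudo`) the same filter shows how much of the root activity is hidden behind shell spawns; the fix for that gap is not a shorter password cache but sudo's I/O logging (`Defaults log_output`, replayed with `sudoreplay`), which records the session even after `sudo bash`.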
From: Bonno Bloksma on 18 Jul 2010 06:58

Hi,

>> At some point, some new manager droid took over running the sysadmin
>> group. She decided the above arrangement was "insecure" and had sudo
>> reconfigured to require you to type your password every time. It took
>> about a day for the developers to get annoyed at how inconvenient this
>> was and figure out that you could just do "sudo bash".
>
> That manager wasn't very bright if she overlooked this obvious hole in
> her security plan!

It is always easy to see "the obvious hole" afterwards, after someone else finds it. I think the point was: don't make it too hard or people will start looking for loopholes.

Proper security would have us change the account passwords at our company every 1 to 2 months. We already have different passwords for network logon, website logon and mail logon, and people are to change the passwords twice a year. Already they are complaining, and only some detection rules for making sure the new password does not look too similar to the old have kept people from creating password templates. If we were to "increase" security by making people change their password every 1-2 months like our auditors would like us to do, I am sure security would DROP like a rock instead of increase.

You have to find the balance between what is inconvenient but usable and what is too big a hurdle, so that people will start looking for a way around. And 100+ people looking for a way around will come up with more holes than one security specialist can plug. :-(

Bonno Bloksma