On Sb, 12 dec 20, 22:53:41, Keith Bainbridge wrote: > On 12/12/20 7:29 pm, Andrei POPESCU wrote: > > > AND run sudo as root, for additional safety > > Is this supposed to be ironic? I really can't tell. > > > There was a detailed discussion here about sudo being a security issue > on our systems. It appears to be default in debian 10, so most of us get > it as default. I looked at replacing sudo. > > I found an article that explained how to strengthen it by forcing sudo > to require root password. To my non-native understanding of English "run foo as root" usually means one first gains root privileges (by whatever means) and then runs that program with the elevated privileges. In the context of the text you were replying to it seemed to me you might just be ironic (though admittedly I did also consider you might be referring to the 'targetpw' option in 'sudoers'). > If somebody breaks in, they now need my root password to execute > commands that require root permissions (except a couple that I have > given nopasswd privilege). If a user's normal account is compromised most of what matters is already compromised as well. The root access is just icing on the cake and can be easily obtained with a keylogger (which an attacker would need anyway for the all the other goodies). https://xkcd.com/1200/ Otherwise a probably quite simple 'sudo' script[1] in ~/.local/bin should do the trick as well: present a password prompt, save the password somewhere safe, pretend to fail and then call the real 'sudo'[3]. After all, how many users are calling 'sudo' with the full path? Instead I would suggest admin tasks should be performed from a dedicated *normal* account, using sudo just for those commands that require elevated privileges. This provides some additional security, while also being slightly safer from accidental mistakes than logging in as root directly. [2] which by default is added to $PATH on Debian. [1] If I'm bored enough I might just write such a script myself. [3] and maybe deletes itself to remove traces Kind regards, Andrei -- http://wiki.debian.org/FAQsFromDebianUser
Attachment:
signature.asc
Description: PGP signature