Re: Unlocking (remote/local), was Re: Help with suid (bash)

To: debian-user@lists.debian.org
Subject: Re: Unlocking (remote/local), was Re: Help with suid (bash)
From: David Wright <deblis@lionunicorn.co.uk>
Date: Wed, 11 May 2022 11:07:09 -0500
Message-id: <[🔎] YnvfLV95rehOxrYV@axis.corp>
Reply-to: debian-user@lists.debian.org
In-reply-to: <[🔎] YntEK2cKyIvKR9V1@tuxteam.de>
References: <[🔎] 202205100750.18645.rhkramer@gmail.com> <[🔎] 20220510082100.1aebbee2@jhegaala.localdomain> <[🔎] YnqN99ZJChEXctnt@axis.corp> <[🔎] 20220510171225.5d3dd5d6@ideapc> <[🔎] YnsopAchZEjJ+9HD@axis.corp> <[🔎] YntEK2cKyIvKR9V1@tuxteam.de>

On Wed 11 May 2022 at 07:05:47 (+0200), tomas@tuxteam.de wrote:
> On Tue, May 10, 2022 at 10:08:20PM -0500, David Wright wrote:
> > On Tue 10 May 2022 at 17:12:25 (-0600), Charles Curley wrote:
> 
> [...]
> 
> > IOW, though logging in to root by password is ok at the console,
> > it's not ok when remote. ➀
> 
> I assume you know all that you can set "PermitRootLogin yes" in
> your /etc/ssh/sshd_config (the default is "prohibit-password",
> which fits the behaviour you are describing).
> 
> It's not recommended, (for good reasons!), but hey, it's your box,
> and you decide what you deem to be "secure enough". After all,
> security is context-dependent, and the worst antipattern is to
> misuse tech to force people to follow some nonsensical rituals
> (it happens far too often, alas, but OpenSSH isn't that sort of
> software).
> 
> So you can change that, if you wish so. What's your point?

Well, Charles seemed to have difficulty with understanding my first
paragraph, which I wrote merely to explain that I assume a root
password has been set. It seems odd to get three follow-ups, all of
which centre on the consequences of the ssh configuration chosen
by the Debian developers for a bullseye installation.

When you write a script to unlock and mount a partition, you can
do it in two lines:

# udisksctl unlock --block-device /dev/foo
# mount /dev/bar /baz

but that's useless as it stands, and needs to be embedded into
your ecosystem to be useful, which is why I posted my script,
a real example.

But after two posts about background information on setuid shell
scripts, you now write "the worst antipattern is to misuse tech
to force people to follow some nonsensical rituals". Strong words.

Perhaps you could elaborate on which specific rituals you find
offensive. I can't work out whether you're criticising my script,
or the Debian developers for the way they're now choosing to
configure ssh, or the linux kernel developers for the ban on
setuid shell scripts.

Cheers,
David.

Reply to:

Follow-Ups:
- Re: Unlocking (remote/local), was Re: Help with suid (bash)
  - From: <tomas@tuxteam.de>

References:
- Help with suid (bash)
  - From: rhkramer@gmail.com
- Re: Help with suid (bash)
  - From: Charles Curley <charlescurley@charlescurley.com>
- Unlocking (remote/local), was Re: Help with suid (bash)
  - From: David Wright <deblis@lionunicorn.co.uk>
- Re: Unlocking (remote/local), was Re: Help with suid (bash)
  - From: Charles Curley <charlescurley@charlescurley.com>
- Re: Unlocking (remote/local), was Re: Help with suid (bash)
  - From: David Wright <deblis@lionunicorn.co.uk>
- Re: Unlocking (remote/local), was Re: Help with suid (bash)
  - From: <tomas@tuxteam.de>

Prev by Date: Re: google account say it will no longer deliver email
Next by Date: Re: Installation fails to recognize SSD
Previous by thread: Re: Unlocking (remote/local), was Re: Help with suid (bash)
Next by thread: Re: Unlocking (remote/local), was Re: Help with suid (bash)
Index(es):
- Date
- Thread