Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
It also reinforces the importance of the so-called "Principle of Least Privilege."
Which is to say that – and this is true of every operating system – "the account that you use every day" must not be "an Administrator." (In Linux, this means: "a member of the wheel group.") Windows ... MacOS (OS/X) ... mainframe ... doesn't matter.
If anyone or anything that is operating under your credentials "runs into a nearby phone booth," it should not be capable of flying out of it wearing ugly blue tights. It should be operating in a "home directory" that isn't accessible to other users of the same system, and it shouldn't be able to snoop into anyone else's home – let alone have write access to it. It cannot issue the sudo su command, because it is not required to.
Do not give yourself any more access to your system than you require when exercising the tasks which you have associated with that particular login account. (After all, you can have as many accounts as you please.) Don't allow anyone else access to "your stuff" except to the extent that a specific other user-id requires it.
By voluntarily limiting "your" access to "your" system based on need to know or do, you immediately make your system far more secure ... and it really isn't that "inconvenient" once you get used to it. "Be Jimmy Olsen, not Clark Kent."
Beyond that – find a good continuous backup system, and use it 100% of the time.
Last edited by sundialsvcs; 02-16-2022 at 01:44 PM.
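A small self-audit for the two points above (the everyday account should not sit in an administrative group, and its home directory should not be readable by other users), added here as an example and not part of the original post. The list of administrative group names, the file name lp_audit.sh and the LP_AUDIT_LIVE switch are assumptions.

```shell
#!/bin/sh
# lp_audit.sh: least-privilege self-check for a login account (added example).
# The pure functions take their inputs as arguments so they can be tested
# without touching the live system; audit_self wires them to `groups`/`stat`.

# Return 0 if the group list (as printed by `groups`) contains a group that
# commonly grants root (assumed list: wheel on BSD/RHEL, sudo on Debian, admin on macOS).
in_admin_group() {
    for g in $1; do              # $1 is deliberately unquoted: split on spaces
        case "$g" in
            wheel|sudo|admin|root) return 0 ;;
        esac
    done
    return 1
}

# Return 0 if an octal mode (e.g. 755 or 0755) grants any group/other access.
home_is_exposed() {
    case "$1" in
        *00) return 1 ;;         # 700 / 0700: owner only, as the post recommends
        *)   return 0 ;;
    esac
}

# Print "<user>: <finding> [<finding>]" or "<user>: ok".
# $1 user name, $2 group list string, $3 octal mode of the home directory
audit_account() {
    findings=""
    in_admin_group "$2" && findings="$findings admin-group"
    home_is_exposed "$3" && findings="$findings home-exposed"
    [ -z "$findings" ] && findings=" ok"
    printf '%s:%s\n' "$1" "$findings"
}

# Audit the account running this script. `stat -c %a` is GNU coreutils,
# `stat -f %Lp` is the BSD/macOS equivalent; both print e.g. 755.
audit_self() {
    mode=$(stat -c %a "$HOME" 2>/dev/null || stat -f %Lp "$HOME")
    audit_account "$(id -un)" "$(groups)" "$mode"
}

# Only probe the live system when explicitly asked, e.g.
#   LP_AUDIT_LIVE=1 sh lp_audit.sh
if [ -n "${LP_AUDIT_LIVE:-}" ]; then
    audit_self
fi
```

Output for the session quoted later in this thread would be `jitte: admin-group` plus `home-exposed` if /home/jitte is not mode 700.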
Quote:
Originally Posted by sundialsvcs
It also reinforces the importance of the so-called "Principle of Least Privilege."
Which is to say that – and this is true of every operating system – "the account that you use every day" must not be "an Administrator." (In Linux, this means: "a member of the wheel group.") Windows ... MacOS (OS/X) ... mainframe ... doesn't matter.
Yes it does. That is not true of every system.
I'm a member of the wheel group but can't invoke root commands from my usr account:
Code:
jitte@unmei:~ $ groups
jitte wheel operator
jitte@unmei:~ $ whoami
jitte
jitte@unmei:~ $ freebsd-update fetch
freebsd-update: Directory does not exist or is not writable: /var/db/freebsd-update
jitte@unmei:~ $ su
Password:
root@unmei:/home/jitte # cd /
root@unmei:/ # freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 13.0-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
No updates needed to update system to 13.0-RELEASE-p7.
root@unmei:/ #
The question is whether you can enter the command: sudo su, then enter your own password, and wind up with a "#" prompt . . .
There should be only one user-id on any system, IMHO, which is capable of doing that.
As I've said here before, "your computer is just too damned stupid to know when it should say 'yes!'" But it's extremely good at saying 'no!' Leverage that idea to your full advantage, and also be sure that your "all-powerful user" is named (say ...) freddie. It really isn't "inconvenient" after all ...
Last edited by sundialsvcs; 02-26-2022 at 12:26 PM.
You were right all along and I was wrong from the start.
Hear that often? Hmmm?
My Gehirndose full of toxins, shutdown progressing, Dave
Quote:
Originally Posted by sundialsvcs
The question is whether you can enter the command: sudo su, then enter your own password, and wind up with a "#" prompt . . .
I had never used sudo till a few years ago, when I tested TrueOS, DandyOS or whatever they called it that week.
On FreeBSD I always su to root in a terminal, work as root from that terminal and log out to my usr account when done.
I've never installed sudo or doas and am very comfortable working as root, but do not log in as root or run as r00t after my work is done.
Kali has sudo and I don't use the root account on it.
Quote:
Originally Posted by sundialsvcs
There should be only one user-id on any system, IMHO, which is capable of doing that.
As I've said here before, "your computer is just too damned stupid to know when it should say 'yes!'" But it's extremely good at saying 'no!' Leverage that idea to your full advantage, and also be sure that your "all-powerful user" is named (say ...) freddie. It really isn't "inconvenient" after all ...
I bend the machine to my will and it does things my way. Which in many ways is not the standard way things are done by everyone else; the Handbook was not a factor when I figured it out. I've never looked at fstab, for one thing.
It has certainly not escaped my attention that "other Unix®/Linux based systems that I regularly frequent," namely MacOS/OSX, no longer permit even "the root user" unfettered privileges.
Instead, just like "UEFI," they now require a first-action that is physical, therefore distinctly human. Without this, even "the root user" is now "fettered." And, "I agree with this."
Last edited by sundialsvcs; 03-01-2022 at 08:53 PM.