[CentOS] Orwell's 1984 from Freedesktop,org?

Fri Jan 23 21:15:00 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Fri, January 23, 2015 2:31 pm, Valeri Galtsev wrote:
> On Fri, January 23, 2015 2:05 pm, Warren Young wrote:
>> On Jan 23, 2015, at 12:35 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu>
>> wrote:
>>> As a matter of fact I tend to not use GUI admin tools since long ago.
>> Bring back Xconfigurator!
>>> I do prefer 3ware web RAID admin
>>> interface anything else (it more transparently prevents me from making
>>> fatal blunders - probably just me).
>> No, not just you.  tw_cli is needlessly confusing in its command
>> structure.
>> Compare the operation of the ZFS and btrfs command line tools, to see
>> how
>> it should have been done.
>>> And yes, disabling root user and having sudo instead is on my evil list
>>> too: yet another SUID-ed binary, and potential holes due to some
>>> garbage
>>> in config file

>> Given how old and battle tested sudo is, I think we can trust it.
>> My only remaining unease comes from the fact that the sudo binary is
>> about
>> 4x the size of su.
>> Still, I’m glad RH finally made it usable out of the box with EL7.  The
>> default config in prior versions was only usable by root, which made it
>> little other than an alias for su.
>>> BTW, su (with the same password for root as regular user
>>> has), and attempt to use sudo are the fist two things bad guys try when
>>> they log in with stolen password of regular user (after a compromise of
>>> machine elsewhere).
>> So don’t use the password for root or sudo-capable users elsewhere.  If
>> you don’t know for a fact that the connection is secure and the password
>> is securely hashed, use a different password.
> That is exactly what I meant to say to everybody (if you read the rest of
> what I wrote you will realize that I don't make blunders of this
> magnitude!). Thanks for spelling it out in more plain Engish language than
> I managed to ;-)

And after re-reading what you have said I see that I didn't state clearly
enough originally what bad guys do. Of course, your advises stand too.

when some machine is compromised on the network, then:

1. key pairs are getting stoles (so authorized key authentication to other
machines with credentials of a user gets possible wherever this user set

2. keystroke logger is installed and malicious ssh client binary is
installed. Thus triplets: hostname, username, password are getting
collected for all remote machines users connect from compromised machine.

3. After some time (usually 1-2 Months - my observation) information
collected in 1-2 is getting used for the first time. Thus, bad guy will
connect to the machine you administer with credentials of one of your
users. First thing that is being tried is lame admin job: su (with the
same password as the one that was stolen for that user account) and sudo
(in case you gave that user sudo privilege). (and only after that go
attempts of local elevation of privileges using LKM, bugs in SUID-ed
binaries, ....)

That is why admins usually exercise paranoia when they use their almighty
privileges. Have you ever typeed root password in a shell of another user
to do something for him using root privileges? I know one senior admin (I
was junior admin working with him then) who was caught by smart students
because of doing that, so they got root on the machine. But I think this
may be long talk deserving quite different thread. If someone wise (which
I'm not) will start it, I'll see if I can add something too (which I
actually doubt knowing how many awfully knowledgeable people are on this
list ;-)

And, BTW, that is why I run multi-user machines under assumption that bad
guys are already in. Whatever they do, they shouldn't be able to elevate
privileges, or do local user DOS. But, of course, all of us have seen them
already in, and trying...


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247