pyratelog

personal blog
git clone git://git.pyratebeard.net/pyratelog.git

commit e02432d67560940157de4f803bee58e4bfe220c7
parent 581b110a221965f4d062bf722a69f26bad5df3ad
Author: pyratebeard <root@pyratebeard.net>
Date:   Mon, 29 Jan 2024 21:23:42 +0000

god_complex

Diffstat:
M entry/god_complex.md | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/entry/god_complex.md b/entry/god_complex.md @@ -4,7 +4,7 @@ As a seasoned sysadmin I get paid to go into clients and complain about how poor One of my main vexations is incorrect, or more likely non-existent, configuration of `sudo`. I am constantly trying to stop the use of `ALL=(ALL) ALL` and instead make use of the powerful control the _sudoers_ config provides (or stop people logging in when they have no reason to). -I, on the other hand, am GOD! So I switch to the root user to do most, if not all, of my work when on a remote system. I am a hypocrite. +I, on the other hand, am GOD! So I switch to the root user to do most, if not all of my work when on a remote system. I am a hypocrite. I do try to use `sudo` as I preach, and if configured correctly it works. Unfortunately most places I work are still not there yet, so in order to do get any work done, root I must become. @@ -12,9 +12,9 @@ On my own systems none of this is a problem. I have my user account, which has That is until I stumbled across an article by Dmitry Khlebnikov, [Should we use "sudo" for day-to-day activities?][1]. -Dmitry argues that the use of `sudo` is no longer a requirement on a correctly secured and managed system, adding that it may in fact introduce security flaws and bad practices. +Dmitry argues that the use of `sudo` less of a requirement on a correctly secured and managed system, adding that it may in fact introduce security flaws and bad practices. -I thought about this article for a while. Then I thought I would try something on my personal systems. +After reading it I thought about this article for a while. Then I thought I would try something on my personal systems. I agree with Dmitry that logging in with the username root, even via `ssh`, is still not a good idea. Instead I created a new user with the user ID (UID) of 0 and group ID (GID) of 0 ``` 
@@ -22,7 +22,7 @@ useradd -o -u 0 -g 0 -m -d /home/enoch enoch ``` * the `-o` option allows the creation of an account with an already existing UID -On Linux and Unix systems there will always be a UID of 0, and the assigned username is generally "_root_". The convention of naming that user "_root_" was probably taken from [Multics][2], and stems from the naming of the `/` or "_root_" directory. The actual username can be anything. I toyed with the idea of changing the _/etc/passwd_ entry from root to something else, but didn't know what they may break down the line as there may be some software expecting a username of root. Probably best to leave it alone. +On Linux and Unix systems there will always be a UID of 0, and the assigned username is generally "_root_". The convention of naming that user root was probably taken from [Multics][2], and stems from the naming of the `/` or _root_ directory. The actual username can be anything. I toyed with the idea of changing the _/etc/passwd_ entry from root to something else, but didn't know what that may break down the line, as there may be some software expecting a username of root. Probably best to leave it alone. Adding a second user with UID 0 isn't unheard of. FreeBSD ships with the user _toor_ (root backwards), configured to use `tcsh` instead of `sh` as their shell (an interesting post on [daemonforums.org][3] explains the history). 
@@ -46,10 +46,11 @@ iptables -A INPUT -p tcp -s <bastion_ip>/<cidr> --dport 22 -m conntrack --ctstat iptables -A INPUT -p tcp --dport 22 -j DROP ``` -This has been in place for a few weeks and I am probably going to stick with it. +This change has altered how I work on my own systems without the need to escalate privileges, more importantly however, it has given me new ideas of how to provide effective and efficient security to my clients (if any of them can get over years of the "no root" mindset). [1]: https://dmitry.khlebnikov.net/2015/07/18/should-we-use-sudo-for-day-to-day-activities/ [2]: https://multicians.org/ [3]: https://daemonforums.org/showthread.php?t=666 [3]: 20240102-respect_my_authoritah.html [4]: 20220830-a_well-fortified_position.html +[5]: https://en.wikipedia.org/wiki/Principle_of_least_privilege
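Review bot: the edited line in the first hunk (@@ -4,7 +4,7 @@) drops the comma after "all", which leaves the parenthetical "if not all" open on one side; either keep "most, if not all, of my work" or drop both commas. While this commit is touching that paragraph, the unchanged context line "so in order to do get any work done" carries a stray "do" that could be removed in the same change.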
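Review bot: the rewritten line in the second hunk (@@ -12,9 +12,9 @@) loses its verb: "the use of `sudo` less of a requirement" needs an "is" ("the use of `sudo` is less of a requirement"). The new opening "After reading it I thought about this article for a while" also says the same thing twice ("reading it" and "this article"); "After reading it, I thought about it for a while" or the original wording reads more cleanly.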
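Review bot: the emphasis in the third hunk (@@ -22,7 +22,7 @@) is now inconsistent: the new line drops the italics in "naming that user root" but keeps them in "generally "_root_"" and "the `/` or _root_ directory" on the same line; pick one form for the username throughout. Since the line also states "The actual username can be anything", it would help the reader if the paragraph said plainly that the `useradd -o -u 0 -g 0` account in the context lines is a full second superuser, keyed on UID 0 rather than on the name, so the `-o` bullet alone understates what is being created and why the ssh and firewall restrictions later in the entry matter for it.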
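Review bot: the reference list in the last hunk (@@ -46,10 +46,11 @@) defines `[3]` twice (`https://daemonforums.org/showthread.php?t=666` and `20240102-respect_my_authoritah.html`), so one of the two `[3]` citations in the entry will resolve to the wrong target in most Markdown renderers; give the second definition its own label and update its citation. The newly added `[5]: https://en.wikipedia.org/wiki/Principle_of_least_privilege` is not cited anywhere in the changed lines, so either the new closing sentence should link it (for example "effective and efficient [least-privilege][5] security") or the definition is dead. That closing sentence is also a comma splice; split it at "more importantly however" ("... without the need to escalate privileges. More importantly, however, it has given me ...").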