From: Lars Poulsen <lars@beagle-ears.com>
Newsgroups: comp.os.linux.misc
Subject: Re: Wonderful Windows Zaps Banks/Transport/Media after "Update" Yesterday
Date: Wed, 31 Jul 2024 07:49:41 -0700
Organization: AfarCommunications Inc
Message-ID: <v8diu6$1kbog$1@dont-email.me>
In-Reply-To: <v8d307$1htj8$1@dont-email.me>

On 7/31/2024 3:17 AM, The Natural Philosopher wrote:
> On 31/07/2024 10:23, Richard Kettlewell wrote:
>> The Natural Philosopher <tnp@invalid.invalid> writes:
>>> But who runs a true multiuser system these days especially one where
>>> users can do simple admin?
>>
>> Even disregarding hobbyists, more than zero but I expect the number is
>> indeed rather small.

Not sure what you mean by "hobbyist". To me, a "linux hobbyist" is
someone like me, who deliberately runs a system at home that is more
complex and "professional" than necessary, to keep alive some skills
acquired decades ago when we managed a Unix system used by our
department. But I also use those skills in the small company that still
writes me a paycheck in my semi-retirement.

>> There’s a few points here:
>>
>> * You can still set a root password and use ‘su’ on Ubuntu systems if
>>   that’s what you want. Canonical are not enforcing a policy here, just
>>   setting a default.

My Linux systems are Fedora rather than Ubuntu; Fedora also promotes sudo.

>> * The ‘sudo instead of su’ model is common everywhere, not just Ubuntu; I
>>   expect the motivation for the default setup on Ubuntu is
>>   simplification, not any theories about who can remember how many
>>   passwords.
>>
>> * Trusting sudo to enforce a tailored access model is somewhat
>>   optimistic given its CVE record, and the general record of the setuid
>>   model that underpins it.
>>
>> * By escaping the setuid model run0 may improve on this issue, though it
>>   brings other kinds of complexity with it; how it balances out is
>>   probably a question for a few years' time.
>>
>> * In the single-user context, sudo effectively creates the model that
>>   your single user account has privileges equivalent to root, but that
>>   you must explicitly mark any privileged operation. The former is just
>>   acknowledging reality, the latter is a useful guard against accidents.
>>
> +1 to all of that.
>
> I use sudo if it's just one thing I need to do, but if it's messing with
> config files and restarting daemons, I use su -

Is that because you do not know about "sudo -i"?

Note that run0 - which is built on polkit - still relies on setuid
executables within polkit. I don't see them as all that different.

The grace period in sudo is a convenience. It probably does add a bit of
risk. There is probably a way to turn it off --- yes:
timestamp_timeout=0 in /etc/sudoers (apparently per-user)
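
Added example, not part of the original post: a small audit of the `timestamp_timeout` setting mentioned above, showing the global and per-user `Defaults` forms and how each value affects sudo's credential caching. The function names, the users `alice` and `backup`, and the sample sudoers text are constructed for illustration.

```shell
#!/bin/sh
# Added example: report every timestamp_timeout setting found in sudoers
# text read from stdin, one "scope value verdict" line per setting.
# Scope is "global" for a plain Defaults line; otherwise it is the sudoers
# qualifier as written (":user", "@host", ">runas", "!cmnd").
audit_timestamp_timeout() {
    awk '
    /^[ \t]*Defaults/ {                      # comment lines never match
        scope = $1
        sub(/^Defaults/, "", scope)
        if (scope == "") scope = "global"
        # A Defaults line may carry several comma-separated settings.
        if (match($0, /timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+/)) {
            val = substr($0, RSTART, RLENGTH)
            sub(/^[^=]*=[ \t]*/, "", val)
            if (val + 0 == 0)     verdict = "always-prompt"   # no grace period
            else if (val + 0 < 0) verdict = "never-expires"   # cached until reboot
            else                  verdict = "cached-" val "min"
            print scope, val, verdict
            found = 1
        }
    }
    # Nothing set: sudo uses its compiled-in timeout (5 minutes upstream).
    END { if (!found) print "global unset compiled-in-default" }
    '
}

# Constructed sample sudoers content (hypothetical users, not a real system).
sample_sudoers() {
    cat <<'EOF'
# constructed sample for the audit function
Defaults env_reset, timestamp_timeout=0
Defaults:alice timestamp_timeout=15
Defaults:backup timestamp_timeout = -1
# Defaults timestamp_timeout=30
root ALL=(ALL:ALL) ALL
EOF
}

sample_sudoers | audit_timestamp_timeout
```

On a real host the same function can be fed `/etc/sudoers` and the files under `/etc/sudoers.d/` (read as root).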