Can we go over the security topic from a few meetings ago?
Sure, we can (also) go over that at today's BALUG meeting - presuming folk(s) are interested. I think I only made it about 1/3 of the way through my security materials on that earlier - that was the meeting from about two months ago - 2017-05-15.
I do also have "slides" from that ... I should get those up fairly soon too.
From: "Kim Davalos" kdavalos@sonic.net
Subject: Re: [BALUG-Announce] BALUG: meeting TOMORROW!: Tu 2018-07-17; & other BALUG News
Date: Tue, 17 Jul 2018 07:31:53 -0700
Can we go over the security topic from a few meetings ago? I don't think we had the opportunity to cover it at the time. Just a thought.
~Kim
On 07/16/2018 01:05 PM, Michael Paoli wrote:
BALUG: meeting TOMORROW!: Tu 2018-07-17; & other BALUG News
items, details further below:
  BALUG meeting TOMORROW!: Tu 2018-07-17
  giveaways (Books/publications, CDs/DVDs, ...)
  New: Hardware, etc. wanted/offered!
  help BALUG! :-) - volunteering, venue, ...
  Twitter https://twitter.com/#!/BALUG_org
For our 2018-07-17 (3rd Tuesday) BALUG meeting:
At least presently we don't have a specific speaker/presentation lined up for this meeting, but that doesn't prevent us from having interesting and exciting meetings and discussions. We also manage to sometimes secure/confirm a speaker too late for us to announce or fully publicize the speaker (that's happened at least twice in the past). Got questions, answers, and/or opinions? We typically have some expert(s) and/or relative expert(s) present to cover Linux and related topic areas. Want to hear some interesting discussions on LINUX and other topics? Show up at the meeting, and feel free to bring an agenda if you wish. Want to help ensure BALUG has speakers/presentations lined up for future meetings? Help refer speakers to us and/or volunteer to be one of the speaker coordinators. Great food and people, and interesting conversations to be had.
Please RSVP if you're planning to attend. To do so please e-mail us a note to rsvp@balug.org indicating meeting date. If you'll be bringing additional guest(s) please let us know total number of folks you're RSVPing for. Also please let us know any special requirements or concerns you may have (e.g. if you have any particular dietary considerations, so that we might possibly be able to accommodate you, or if you won't be dining with us but do wish to otherwise join our meeting).
6:30pm Tuesday, July 17th, 2018 2018-07-17
Henry's Hunan Restaurant
110 Natoma St. (between 2nd & New Montgomery)
San Francisco, CA 94105-3704
1-415-546-4999
http://henryshunan.com/
Easy Transit/Parking Access: short walk from BART, MUNI, parking
Trip planning: http://www.511.org/
Delicious Hunan cuisine and reasonably priced.
Meeting Details...
Cost/Dining: The meetings are always free, but dinner is not (unless you are our guest speaker, in which case we also treat you to dinner). For Henry's Hunan Restaurant, if folks are agreeable, we'll share and dine "family" style, and split up the costs, and typical cost per person including tax and tip (but not including beverages beyond complimentary tea) would be in the $13.00 to $20.00 range, and commonly around $15.00 to $17.00. Cash may be preferred to ease splitting up the check. One can also specifically order the dish(es) one needs/prefers (e.g. for dietary considerations) - and we also commonly order some dish(es) that may meet various dietary considerations (e.g. vegetarian, non-pork, ...). Please arrive by 7:00 P.M., we expect to order entrees at that time, and may order appetizer(s) and/or soup(s) anytime after 6:30 P.M.
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
Sure, we can (also) go over that at today's BALUG meeting - presuming folk(s) are interested. I think I only made it about 1/3 of the way through my security materials on that earlier - that was the meeting from about two months ago - 2017-05-15.
I do also have "slides" from that ... I should get those up fairly soon too.
I made the point, over dinner conversation, that many Linux distributions[1] configure sudo in a way that IMO seriously weakens overall system security. Specifically, on such distributions, you are able to type
sudo [action]
...and supply your _own_ password to run the requested command with elevated privilege. My point over dinner is that this results in a situation where an attacker who steals your regular user credentials gains free privilege-escalation to superuser abilities as well, without needing to overcome any additional security obstacle. This IMO greatly weakens the traditional Unix security model, where stealing root (etc.) is a deliberately separate, much more difficult problem from stealing grunt user credentials.
Personally, I am lastingly wary of sudo, and prefer to have scant reliance on it. However, for people who _do_ rely on it, there's something you can do that could help:
Step 1 of 2: Set a root password.
sudo passwd #pick a strong & different password, and don't lose it
Step 2 of 2: Alter sudo to require the _root_ password for privileged actions, and not just the user's own password.
sudo visudo
You are now editing /etc/sudoers using a special editing mode. Find the section with various lines starting with keyword 'Defaults'. At the end of that section, add a new line:
Defaults rootpw
Save and exit the editor. You are done.
In very general terms, the main reason why I'm wary of sudo is that it's Rube Goldberg-ish: It introduces somewhat baroque complications to system security, and doing so is always a Very Bad Thing unless it has very strong compensating virtues that I seldom see in the case of sudo.
[1] Including one named for an African word meaning 'can't install Debian'.
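A check for the outcome of the two steps above, as an added example that is not part of the original post: it reads a sudoers file for the global rootpw flag and a shadow file for whether root has a usable password, because Step 2 without Step 1 leaves sudo asking for a password that root does not have. The function names and the sample files are constructed for illustration; on a real system the inputs would be /etc/sudoers and /etc/shadow, read as root.

```shell
# Added example, not from the original post: audit the result of Steps 1 and 2.

# Print "on"/"off" for the global rootpw flag; the last Defaults entry wins.
# Scoped entries (Defaults:user, Defaults@host) and line continuations are ignored.
rootpw_state() {
    awk '
        $1 == "Defaults" {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            gsub(/[ \t]/, "", line)
            n = split(line, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "rootpw")  state = "on"
                if (opt[i] == "!rootpw") state = "off"
            }
        }
        END { print (state == "" ? "off" : state) }
    ' "$@"
}

# Print "usable", "locked", "empty" or "missing" for root's shadow password field.
root_pw_status() {
    awk -F: '
        $1 == "root" {
            found = 1
            print ($2 == "" ? "empty" : (($2 ~ /^[!*]/) ? "locked" : "usable"))
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Combine both checks; return 0 only for the state the two steps aim at.
audit_rootpw() {
    case "$(rootpw_state "$1")/$(root_pw_status "$2")" in
        on/usable) echo "ok: sudo asks for the root password" ;;
        on/*)      echo "broken: rootpw is set but root has no usable password"; return 1 ;;
        *)         echo "default: sudo accepts the invoking user's own password"; return 2 ;;
    esac
}

# Constructed sample files (the hash field is a placeholder, not a real hash).
make_samples() {
    printf 'Defaults env_reset\nDefaults mail_badpass, rootpw\n%%sudo ALL=(ALL:ALL) ALL\n' > "$1/sudoers.after"
    printf 'Defaults env_reset\n# Defaults rootpw\n%%sudo ALL=(ALL:ALL) ALL\n' > "$1/sudoers.before"
    printf 'root:$6$CONSTRUCTED$placeholder:17700:0:99999:7:::\n' > "$1/shadow.set"
    printf 'root:!:17700:0:99999:7:::\n' > "$1/shadow.locked"
}
```

On a live system, `visudo -c` validates the sudoers syntax and `passwd -S root` reports whether the root password is locked.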