Conversation
    Miah Johnson (miah@hachyderm.io), Thursday, 15-Aug-2024 00:47:08 JST

    I posted this poll because I was curious how many people know what `sudo` actually does.

    It seems many think it is distinctly different than `su`.

    `sudo` and `su` are effectively the same tool. They are both setuid binaries that allow you to change your effective uid from whatever it is now, to something else.

    Using either tool, you can switch to another user, and that other user may also be root.

      Miah Johnson (miah@hachyderm.io), Thursday, 15-Aug-2024 00:47:02 JST

      I guess my last point on this is, if your system has sudo or doas, you never need to touch su. sudo and doas supersede su.

      =)

      Kit Rhett Aultman (roadriverrail@signs.codes), Thursday, 15-Aug-2024 00:47:02 JST

      @miah Thank you for the fascinating thread, as I was taught "sudo su -" as a set incantation, and while I could read it and know it was...weird...I also just accepted it. I come from an era before sudo, when you'd just type "su" to get a root shell, and it was common to call it "superuser" and not "switch user". I wonder if "sudo su -" started as a poorly considered "workaround" to use "su" in its older way once sudo became common.

      Miah Johnson (miah@hachyderm.io), Thursday, 15-Aug-2024 00:47:03 JST

      `sudo su` is always the least correct way to get a shell though. Effectively, you are doing:

      "switch user, switch user". You only need to do this once, and sudo can do it for you via `sudo -Hi`.

      But what if the user doesn't have a shell set? Or uses /sbin/nologin as their shell?

      Then you can `sudo -u user /bin/bash` and well, you lose all auditing ability but now you can do things as that nologin user. This works similarly with doas, and su of course.

      Miah Johnson (miah@hachyderm.io), Thursday, 15-Aug-2024 00:47:04 JST

      If you're on OpenBSD (and probably other BSDs) you likely have doas(1) instead of sudo. It's _almost_ the same thing. The configuration file ditches EBNF for a more forward approach. It doesn't have LDAP support that I am aware of. It's very _simple_ and works.

      You can find docs in doas.conf(5) and here is an example:

      `permit nopass tedu as root cmd /usr/sbin/procmap`

      Miah Johnson (miah@hachyderm.io), Thursday, 15-Aug-2024 00:47:04 JST

      Both sudo and doas give you good logs for auditing who did what and when.

      su logs too, but as most people just jump to a shell it's less useful.

      Allowing shell execution via sudo or doas will also mean you lose fine-grained audits, which is where their configuration power comes in handy, as now you're specifying exactly what people can do, and that is what gets logged.

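Added example (not part of the thread): a POSIX shell/awk filter over constructed sudo syslog lines that flags allowed invocations whose COMMAND is a shell or su, i.e. exactly the cases where the per-command audit trail the post describes ends. The sample log lines and the list of shell names are my own assumptions.

```shell
#!/bin/sh
# Constructed sample of sudo syslog lines (assumed format: "invoker : TTY=... ;
# PWD=... ; USER=target ; COMMAND=..."); not taken from any real host.
SAMPLE_LOG='Aug 15 00:47:08 host sudo:     miah : TTY=pts/0 ; PWD=/home/miah ; USER=root ; COMMAND=/bin/su -
Aug 15 00:48:12 host sudo:      tcm : TTY=pts/1 ; PWD=/home/tcm ; USER=root ; COMMAND=/usr/bin/tip /dev/cua00
Aug 15 00:49:30 host sudo: operator : TTY=pts/2 ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/shutdown -h now
Aug 15 00:50:01 host sudo:     miah : TTY=pts/0 ; PWD=/home/miah ; USER=www ; COMMAND=/bin/bash
Aug 15 00:51:44 host sudo:    guest : command not allowed ; TTY=pts/3 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/sh'

# Reads sudo log lines on stdin and prints "invoker -> target: command" for
# every *allowed* invocation whose command is a shell (or su, which yields
# one). Denied attempts are skipped: sudo already logged them as refusals.
flag_shell_escapes() {
    awk '
    /sudo:/ && !/command not allowed/ {
        sub(/^.*sudo: +/, "")            # drop syslog prefix -> "miah : TTY=..."
        split($0, head, " : ")
        invoker = head[1]
        target = ""; cmd = ""
        n = split($0, fields, " ; ")
        for (i = 1; i <= n; i++) {
            if (fields[i] ~ /^USER=/)    target = substr(fields[i], 6)
            if (fields[i] ~ /^COMMAND=/) cmd = substr(fields[i], 9)
        }
        split(cmd, argv, " ")
        base = argv[1]
        sub(/^.*\//, "", base)           # basename of the executable
        if (base ~ /^(sh|bash|dash|zsh|ksh|csh|tcsh|fish|su)$/)
            printf "%s -> %s: %s\n", invoker, target, cmd
    }'
}

printf '%s\n' "$SAMPLE_LOG" | flag_shell_escapes
```

The two lines it prints for the sample are the `sudo su -` and `sudo -u www /bin/bash` invocations; the tip and shutdown calls stay fully attributable and are left alone.
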
      Miah Johnson (miah@hachyderm.io), Thursday, 15-Aug-2024 00:47:05 JST

      I've had to trim a bit from these to fit in the mastodon post length, so refer to sudoers(5) for more details.

      The point being, that you can create a curated list of commands, arguments, and users that can be used through sudo. It's not just a tool to 'give me a root shell', it's a tool to give users limited access to commands.

      This can be extremely powerful if you need to let users who don't really know UNIX into a system to execute some commands with more privilege.

      Miah Johnson (miah@hachyderm.io), Thursday, 15-Aug-2024 00:47:05 JST

      Of course the sudoers file also allows you to bind to LDAP too, so you can actually store the entire ruleset in a single location to be used by all of your systems without any 'configuration management'.

      LDAP gives you some other features that typically come with configuration management too, like auditability of who made changes and when, as well as the ability to store diffs as changes and go through an approval process.

      Everybody hates LDAP for reasons... But it's fine. It's good actually!

      Miah Johnson (miah@hachyderm.io), Thursday, 15-Aug-2024 00:47:06 JST

      A /etc/sudoers example from the man page:

      The user tcm may run commands that access a modem device file with the dialer group:

```
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
    /usr/local/bin/minicom
```

      Miah Johnson (miah@hachyderm.io), Thursday, 15-Aug-2024 00:47:06 JST

      Another /etc/sudoers example from the man page:

      The operator user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory /usr/oper/bin/.

```
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot

operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
    sudoedit /etc/printcap, /usr/oper/bin/
```

      Miah Johnson (miah@hachyderm.io), Thursday, 15-Aug-2024 00:47:07 JST

      sudo is 'Switch User and Do'. You can still do all of the same things that you can with su, but you can also build an ACL that specifies what users, commands, and arguments a user is allowed to invoke.

      The /etc/sudoers file is described using Extended Backus-Naur Form (EBNF) rules. Most people just add their user with a glob. Something like this:

      `miah ALL=(ALL:ALL) ALL`

      But you can go MUCH MUCH more complex. I'm going to use some examples from the man page.

      Miah Johnson (miah@hachyderm.io), Thursday, 15-Aug-2024 00:47:08 JST

      So why do we need sudo if we have su?

      Well, su is very basic. You can 'Switch Users' (su). That's basically all there is to it. You can switch users, and invoke a shell. You can switch users and execute a command. You can pass some arguments to maybe inherit the environment or set $HOME appropriately. But that's basically it for su(1).

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.