Instead of going to the Apple Event, buy a book on how to fix things, like a computer. Then realize that Apple products are 99% landfill fodder walled garden garbage bullshit.
Notices by Miah Johnson (miah@hachyderm.io)
Miah Johnson (miah@hachyderm.io)'s status on Tuesday, 10-Sep-2024 02:24:51 JST
Miah Johnson (miah@hachyderm.io)'s status on Thursday, 05-Sep-2024 04:03:54 JST
I'm not convinced we need Wayland, but what we do need is somebody to fix the goddamned clipboard in Xwindows. Holy fuck do I want to destroy things right now.
If I paste in the command line in urxvt, it's exactly what I wanted.
If I open vim in that same window and paste, it's something else.
If I try to paste into a different window where weechat is, it's something else (just a bunch of spaces).
If I open xclipboard, it only contains the text that pastes fine in the command line.
Miah Johnson (miah@hachyderm.io)'s status on Wednesday, 21-Aug-2024 01:52:28 JST
It's going to be interesting to see what "retro computing" looks like in 20 years. I imagine it's going to struggle with a lot of devices released from 2012 - now. Phones? lol half of them don't last 4 years. iPads? lol good luck. Same issues. Batteries are garbage. You can replace of course.
But I hope you have an archive of those apps you love. What's that? You can only download them through an app store.. well.. Good luck!
How many apps & games from Android and Apple stores are just _gone_?
Miah Johnson (miah@hachyderm.io)'s status on Thursday, 15-Aug-2024 00:47:08 JST
So why do we need sudo if we have su?
Well, su is very basic. You can 'Switch Users' (su). That's basically all there is to it. You can switch users, and invoke a shell. You can switch users and execute a command. You can pass some arguments to maybe inherit the environment or set $HOME appropriately. But that's basically it for su(1).
Miah Johnson (miah@hachyderm.io)'s status on Thursday, 15-Aug-2024 00:47:08 JST
I posted this poll because I was curious how many people know what `sudo` actually does.
It seems many think it is distinctly different than `su`.
`sudo` and `su` are effectively the same tool. They are both setuid binaries that allow you to change your effective uid from whatever it is now, to something else.
Using either tool, you can switch to another user, and that other user may also be root.
Miah Johnson (miah@hachyderm.io)'s status on Thursday, 15-Aug-2024 00:47:07 JST
sudo is 'Switch User and Do'. You can still do all of the same things that you can with su, but you can also build an ACL that specifies what users, commands, and arguments a user is allowed to invoke.
The /etc/sudoers file is described using Extended Backus-Naur Form (EBNF) rules. Most people just add their user with a glob. Something like this:
`miah ALL=(ALL:ALL) ALL`
But you can go MUCH MUCH more complex. I'm going to use some examples from the man page.
Miah Johnson (miah@hachyderm.io)'s status on Thursday, 15-Aug-2024 00:47:06 JST
Another /etc/sudoers example from the man page:
The operator user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory /usr/oper/bin/.
`
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
    sudoedit /etc/printcap, /usr/oper/bin/
`
Miah Johnson (miah@hachyderm.io)'s status on Thursday, 15-Aug-2024 00:47:06 JST
A /etc/sudoers example from the man page:
The user tcm may run commands that access a modem device file with the dialer group:
`
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
    /usr/local/bin/minicom
`
Miah Johnson (miah@hachyderm.io)'s status on Thursday, 15-Aug-2024 00:47:05 JST
Of course the sudoers file also allows you to bind to LDAP too, so you can actually store the entire ruleset in a single location to be used by all of your systems without any 'configuration management'.
LDAP gives you some other features that typically come with configuration management too, like auditability of who made changes and when, as well as the ability to store diffs as changes and go through an approval process.
Everybody hates LDAP for reasons.. But it's fine. It's good actually!
Miah Johnson (miah@hachyderm.io)'s status on Thursday, 15-Aug-2024 00:47:05 JST
I've had to trim a bit from these to fit in the Mastodon post length, so refer to sudoers(5) for more details.
The point being, that you can create a curated list of commands, arguments, and users that can be used through sudo. It's not just a tool to 'give me a root shell', it's a tool to give users limited access to commands.
This can be extremely powerful if you need to let users who don't really know UNIX into a system to execute some commands with more privilege.
Miah Johnson (miah@hachyderm.io)'s status on Thursday, 15-Aug-2024 00:47:04 JST
Both sudo and doas give you good logs for auditing who did what and when.
su logs too but as most people just jump to a shell it's less useful.
Allowing shell execution via sudo, or doas will also mean you lose fine-grained audits, which is where their configuration power comes in handy. As now you're specifying exactly what people can do, and that is what gets logged.
Miah Johnson (miah@hachyderm.io)'s status on Thursday, 15-Aug-2024 00:47:04 JST
If you're on OpenBSD (and probably other BSDs) you likely have doas(1) instead of sudo. It's _almost_ the same thing. The configuration file ditches EBNF for a more forward approach. It doesn't have LDAP support that I am aware of. It's very _simple_ and works.
You can find docs in doas.conf(5) and here is an example:
`permit nopass tedu as root cmd /usr/sbin/procmap`
Miah Johnson (miah@hachyderm.io)'s status on Thursday, 15-Aug-2024 00:47:03 JST
`sudo su` is always the least correct way to get a shell though. Effectively, you are doing:
"switch user, switch user". You only need to do this once, and sudo can do it for you via `sudo -Hi`.
But what if the user doesn't have a shell set? Or uses /sbin/nologin as their shell?
Then you can `sudo -u user /bin/bash` and well, you lose all auditing ability but now you can do things as that nologin user. This works similarly with doas, and su of course.
Miah Johnson (miah@hachyderm.io)'s status on Thursday, 15-Aug-2024 00:47:02 JST
I guess my last point on this is, if your system has sudo or doas, you never need to touch su. sudo and doas supersede su.
=)
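Added example (not part of the posts above, and not code from the sudo project): a small audit of a sudoers-style policy that flags rules which hand out `ALL`, a shell, or a whole directory instead of a curated command list, the distinction the thread draws between fine-grained rules and shell access. It parses only a simplified subset of the sudoers grammar; the sample policy is constructed, and the `deploy` user, the `SHELLS` alias and the `parse`/`audit` function names are hypothetical.

```python
import re

# Constructed sample policy (simplified sudoers subset, not a real system's file).
SAMPLE = r"""
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
miah ALL=(ALL:ALL) ALL
operator ALL = SHUTDOWN, sudoedit /etc/printcap, /usr/oper/bin/
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
    /usr/local/bin/minicom
deploy ALL = (www) NOPASSWD: SHELLS
"""

SHELL_NAMES = {"sh", "bash", "zsh", "ksh", "csh", "tcsh", "dash", "su"}
PREFIX = re.compile(r"^(\([^)]*\)\s*|[A-Z_]+:\s*)+")  # runas spec and tags

def parse(text):
    """Return [(user, [command, ...])] with Cmnd_Alias names expanded one level."""
    lines = [l.strip() for l in re.sub(r"\\\n\s*", " ", text).splitlines()]
    lines = [l for l in lines if l and not l.startswith(("#", "Defaults"))]
    split = lambda rhs: [PREFIX.sub("", c.strip()) for c in rhs.split(",")]
    aliases, rules = {}, []
    for line in lines:                      # first pass: collect command aliases
        left, _, right = line.partition("=")
        if left.startswith("Cmnd_Alias"):
            aliases[left.split()[1]] = split(right)
    for line in lines:                      # second pass: user specifications
        left, _, right = line.partition("=")
        user = left.split()[0]
        if not user.endswith("_Alias"):
            rules.append((user, [c for n in split(right) for c in aliases.get(n, [n])]))
    return rules

def audit(text):
    """Map user -> reasons a rule is broader than a curated command list."""
    findings = {}
    for user, cmds in parse(text):
        for cmd in cmds:
            argv0 = cmd.split()[0]
            if cmd == "ALL":
                why = "ALL: any command, including a shell"
            elif argv0.rsplit("/", 1)[-1] in SHELL_NAMES:
                why = f"{argv0}: shell; commands run inside it are not logged individually"
            elif argv0.endswith("/"):
                why = f"{argv0}: every file in this directory is permitted"
            else:
                continue
            findings.setdefault(user, []).append(why)
    return findings
```

Calling `audit(SAMPLE)` returns findings for `miah`, `operator` and `deploy`; the `tcm` rule lists only named binaries and produces none.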
Miah Johnson (miah@hachyderm.io)'s status on Sunday, 11-Aug-2024 01:29:47 JST
@silverwizard @cynicalsecurity Not hard. =) The question would be... does the scanner process the zip bomb. Might be easier to respond with a redirect loop and let it hang forever.
Miah Johnson (miah@hachyderm.io)'s status on Sunday, 11-Aug-2024 00:59:04 JST
@cynicalsecurity It's also fun to respond with a 418 when somebody tries to pull WordPress stuff against your plain html server.
Just.. don't do either if you use a CDN because they won't know what to do and will continue to pull that requested URL until it gets a 403/404, and possibly end up in your blocklist =)
Miah Johnson (miah@hachyderm.io)'s status on Tuesday, 09-Jul-2024 01:17:30 JST
So Boeing is going to pay out 4% of its 2023 profits and 'plead guilty'. Seems about right.
Miah Johnson (miah@hachyderm.io)'s status on Saturday, 06-Jul-2024 04:39:18 JST
In USB-C, the C stands for chaotic.
Miah Johnson (miah@hachyderm.io)'s status on Friday, 21-Jun-2024 08:39:10 JST
@serapath @nblr @mhoye @mntmn We're lucky it's working. Remember when L0pht spoke to the US Senate about Internet security, and much of "we can break things" involved BGP.
Miah Johnson (miah@hachyderm.io)'s status on Thursday, 20-Jun-2024 22:55:00 JST
@SuperDicq `/ignore JOINS QUITS PARTS` stops the mobile users spam.