[WNYLUG-Users] sudoers problem

Joe josephj at main.nc.us
Thu Jan 6 00:21:12 EST 2011


It's probably overkill, but Brian got me a bit scared.  It looks like I 
get hit a lot at ports where there isn't anything to respond anyway.  I 
haven't had a virus or any problem like that for years.  The last time I 
got in trouble was when I downloaded a "free" screen saver for Windows a 
year or two ago.  That partially took over my system, but I did a 
checkpoint restore and it was gone.  I just don't want to get caught 
being falsely secure.

Any ports I have open (very few) are actually being used by something 
like bittorrent.  Someone can request whatever they want and it's fairly 
unlikely to be able to do any harm.

I haven't got a credit card database or anything else that would justify 
someone competent spending the time and effort necessary to break into 
my system.

As for watching my logs, I really don't have a clue as to where to look 
and what to look for.  If there's a basic howto, please let me know.

Thanks.

Joe

On 01/05/2011 09:51 PM, Monkberry wrote:
> Isn't all that a bit overkill? You're behind a hardware firewall, 
> correct? With all the playing around you're doing with firestarter, you're 
> liable to make things worse anyway. If you've got ports exposed to the 
> outside world, turn on port triggering/knocking or open the ports in a 
> time table that you're going to need them; most routers will do all this 
> stuff today, or buy a Linksys WRT54GL and flash it with dd-wrt; you'll 
> be amazed at the interface options available after that. Newegg has 
> been selling the WRT54GL for $49 with free shipping (but mattski told 
> me today they bumped it up $10 now). Do an nmap on your localhost to 
> see what's exposed and keep an eye on your logs. If you're running an ssh 
> server, put it on another, non-privileged port. IMHO.
>
> Joe wrote:
>> Well, I tried the sticky bit and got scolded by the gtk+ team for my 
>> efforts. See my reply to Pete.
>>
>> Is there any way to do this at all?
>>
>> If not, I'll either just put up with the error or only run the gui 
>> when I need to configure or debug my firewall settings.
>>
>> Maybe it will go away eventually as I upgrade kubuntu/kde.
>>
>> Joe
>>
>> On 01/05/2011 07:38 PM, Joe wrote:
>>> I know about sticky bits, but I've never been able to get them to do 
>>> anything I wanted. There's probably something I don't quite understand.
>>>
>>> This is a notebook computer. It has 2 user accounts, but I'm the 
>>> only one who really uses it.
>>>
>>> Because it's a notebook and goes with me occasionally, I don't 
>>> really know if relaxing security is a good idea. I do keep almost 
>>> all of my personal data on a USB drive that I usually don't carry 
>>> with me.
>>> OTOH, if I lose the notebook, anyone who knows anything at all about 
>>> Linux can boot it from a live CD and get to everything that isn't 
>>> encrypted (just a few personal documents that I'm currently working 
>>> on and my phone book are encrypted by OOo), so I'm not sure how much 
>>> security really matters.
>>>
>>> Would adding a sticky bit as you suggest do anything to make it 
>>> easier for my notebook to get hacked over the Internet? My sense is 
>>> that it wouldn't, but there have been so many ingenious exploits 
>>> that I don't trust my common sense on matters of security.
>>>
>>> I'm also about to configure a new notebook for Rita who is not a 
>>> computer person at all. I would like to set up her computer 
>>> (including firestarter) as close to the way mine is as possible so I 
>>> can figure things out remotely and not have to remember too many 
>>> special things that work in one place but not the other.
>>>
>>> Joe
>>>
>>> On 01/05/2011 10:04 AM, Corey Reichle wrote:
>>>> Is this for a single-user computer? If so, why not just add the 
>>>> sticky bit to the binary? Then, no sudo required even. For a 
>>>> multi-user machine, I wouldn't recommend it, however.
>>>>
>>>> On Wed, Jan 5, 2011 at 8:10 AM, Monkberry <peter at monkberry.com> wrote:
>>>>
>>>> peter ALL = NOPASSWD: /sbin/rmmod
>>>>
>>>> (note: this allows peter to run the command "sudo /sbin/rmmod"
>>>> without entering a password. It MUST be put on the last line of
>>>> the file using visudo as root. The word ALL in this case could be
>>>> modified to be the machine name of the box.)
>>>>
>>>> NOTE: This only allows for the command to be run with sudo without
>>>> asking for a password. If I am not the user above and do NOT use
>>>> the command "sudo /sbin/rmmod" (i.e. just /sbin/rmmod) it will NOT
>>>> work. Also, the command in the sudo file must be used exactly as
>>>> the command syntax in the sudo file.
>>>>
>>>>
>>>> Joe wrote:
>>>>> I need to be able to start (and maybe kill) firestarter without a
>>>>> password.
>>>>>
>>>>> I set up my sudoers file to do that, but it doesn't work.
>>>>> There's probably a syntax error or something similar in it.
>>>>> I think I tried it with a blank between the ':' and the
>>>>> /usr/sbin/firestarter, but it didn't help.
>>>>>
>>>>> My user is a member of the admin group, so it should work anyway,
>>>>> shouldn't it?
>>>>>
>>>>> Just for the heck of it, I'm going to move the admin group part
>>>>> to the end and see if that helps.
>>>>>
>>>>> Any help would be appreciated.
>>>>>
>>>>> Joe
>>>>>
>>>>> # /etc/sudoers
>>>>> #
>>>>> # This file MUST be edited with the 'visudo' command as root.
>>>>> #
>>>>> # See the man page for details on how to write a sudoers file.
>>>>> #
>>>>>
>>>>> Defaults env_reset
>>>>>
>>>>> # Host alias specification
>>>>>
>>>>> # User alias specification
>>>>>
>>>>> # Cmnd alias specification
>>>>>
>>>>> # User privilege specification
>>>>> root ALL=(ALL) ALL
>>>>>
>>>>> # Uncomment to allow members of group sudo to not need a password
>>>>> # (Note that later entries override this, so you might need to move
>>>>> # it further down)
>>>>> # %sudo ALL=NOPASSWD: ALL
>>>>>
>>>>> # Members of the admin group may gain root privileges
>>>>> %admin ALL=(ALL) ALL
>>>>>
>>>>> # Users can start the firewall with no password
>>>>> bigbird ALL=NOPASSWD:/usr/sbin/firestarter
>>>>> shelelia ALL=NOPASSWD:/usr/sbin/firestarter
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at wnylug.org
>>>>> http://wnylug.org/mailman/listinfo/users_wnylug.org
>>>>
>>>> -- monkberry.com
>>>> 115 Richfield Road
>>>> Williamsville, New York 14221
>>>> 716-553-8525
>>>
>>
>
> -- 
> monkberry.com
> 115 Richfield Road
> Williamsville, New York 14221
> 716-553-8525
> www.monkberry.com
>
>
> _______________________________________________
> Users mailing list
> Users at wnylug.org
> http://wnylug.org/mailman/listinfo/users_wnylug.org
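
Added example (not part of the original thread, and not code from sudo itself): a simplified Python model of the "last matching entry wins" rule that the comment in the quoted sudoers file and Monkberry's "last line" note both refer to. It is run over the user rules from Joe's file as posted and over the same rules with the %admin line moved to the end; that bigbird belongs to the admin group is an assumption, and aliases, wildcards, arguments and negation are not modelled.

```python
import re

# User rules from the sudoers file quoted in the thread, in the posted order.
SUDOERS_AS_POSTED = """\
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
bigbird ALL=NOPASSWD:/usr/sbin/firestarter
shelelia ALL=NOPASSWD:/usr/sbin/firestarter
"""

# Same rules with the %admin line moved to the end of the file.
SUDOERS_ADMIN_LAST = """\
root ALL=(ALL) ALL
bigbird ALL=NOPASSWD:/usr/sbin/firestarter
shelelia ALL=NOPASSWD:/usr/sbin/firestarter
%admin ALL=(ALL) ALL
"""

# who  host = (runas) [NOPASSWD:|PASSWD:] command[, command...]
RULE = re.compile(
    r"^(\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?"
    r"(?:(NOPASSWD|PASSWD)\s*:\s*)?(.+)$"
)

def decide(sudoers, user, groups, command):
    """Return 'denied', 'password' or 'nopasswd' for an exact command path."""
    result = "denied"
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, tag, cmds = m.groups()
        who_ok = who in (user, "ALL") or (who[0] == "%" and who[1:] in groups)
        cmd_ok = any(c.strip() in ("ALL", command) for c in cmds.split(","))
        if who_ok and cmd_ok:
            # No break: a later matching line overrides an earlier one.
            result = "nopasswd" if tag == "NOPASSWD" else "password"
    return result

if __name__ == "__main__":
    cmd = "/usr/sbin/firestarter"
    for name, text in (("as posted", SUDOERS_AS_POSTED),
                       ("%admin last", SUDOERS_ADMIN_LAST)):
        print(name, "->", decide(text, "bigbird", {"admin"}, cmd))
```

On a real system, "sudo -l" run as the user lists the entries sudo actually applies, and "visudo -c" checks the file's syntax.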



