Poll: Which one is your primary way to access root?

- doas: 25% [9 votes]
- sudo: 51% [18 votes]
- tty login root: 20% [7 votes]
- root disabled/single-user bootup: 2% [1 vote]

Total votes: 35

Chiitoo (Administrator), posted Tue Dec 05, 2023 7:56 am:
I picked 'tty login root' since it might be the closest thing to 'su -'. :]

pa4wdh (l33t), posted Tue Dec 05, 2023 8:44 am:
I think sudo is a bad idea when there is only one admin (typical home situation). Regular users' passwords are usually weaker than the root password, and with a typical sudo configuration the user's password is used to gain root privileges, so you basically have a weaker root password. That's why I use su when I temporarily need root privileges.
I've never given doas a try; I simply never had the need to try it because I'm happy with su.

Zucca (Moderator), posted Tue Dec 05, 2023 8:52 am:
I voted for doas, but I use tty root login with it... is all I need. ;)

Goverp (Advocate), posted Tue Dec 05, 2023 10:38 am:
Nice to have a poll, but it misses the most popular answer - "su -"!

miket (Guru), posted Wed Dec 13, 2023 4:57 am:
(I'm a bit late to this party, but not overly late.)
I use su - in a Konsole window. It's the su command since it's short and allows the environment-resetting hyphen, and it's a window on the desktop since, as is the case for my bash sessions in general, I often need to refer to other open windows.
I quite often write scripts to automate things. Such scripts not only make my work go faster but also help me avoid errors through haste or inattention. If I'm dropping down to root just to run such a script, you can bet I'll make an entry for the script with visudo. The next time I'll run it with sudo.
IOW, I don't go for the Ubuntu-style super-permissive sudo configuration. I do use sudo, but for specific tasks. Most of the time I go to root it's with su.

mirekm (Apprentice), posted Wed Dec 13, 2023 7:35 pm:
I use mostly sudo, but sometimes su -.
For daily updates, I made 2 scripts to call sync and update, which I run just with sudo, mounting tmpfs on the portage build directory. It is just simple and quick.

pjp (Administrator), posted Wed Dec 13, 2023 10:47 pm:
su - requires the root password, does it not? The oh so helpful man page only says "a password is required," not which password. I'm guessing I'm in the habit of using /usr/bin/sudo /bin/su - as a result of not having convenient access to the root password in some situations.

Spanik (Veteran), posted Thu Dec 14, 2023 8:23 am:
Another "su -" user, as was advised to me by one of the superannuated canines on the forum.
With a distro like Gentoo, where emerge needs root, I have no idea how you would keep it working without root accessible in any way.

Goverp (Advocate), posted Thu Dec 14, 2023 10:34 am:
After RTFMing, I've now decided the safe version (IIUC) is rather than "su -".

Naib (Watchman), posted Thu Dec 14, 2023 10:49 am:
> Goverp wrote:
> After RTFMing. I've now decided the safe version (IIUC) is rather than "su -"

Good catch. I have alias su="su -", so time to update:

> -P, --pty
> Create a pseudo-terminal for the session. The independent
> terminal provides better security as the user does not share
> a terminal with the original session. This can be used to
> avoid TIOCSTI ioctl terminal injection and other security
> attacks against terminal file descriptors.

pietinger (Moderator), posted Thu Dec 14, 2023 12:50 pm:
> Naib wrote:
> > Goverp wrote:
> > After RTFMing. I've now decided the safe version (IIUC) is rather than "su -"
>
> good catch. I have alias su="su -" so time to update:
>
> > -P, --pty
> > Create a pseudo-terminal for the session. The independent
> > terminal provides better security as the user does not share
> > a terminal with the original session. This can be used to
> > avoid TIOCSTI ioctl terminal injection and other security
> > attacks against terminal file descriptors.

Maybe this is the reason KSPP recommends:

> # Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
> # CONFIG_LEGACY_TIOCSTI is not set

pjp (Administrator), posted Thu Dec 14, 2023 4:57 pm:
> Goverp wrote:
> After RTFMing. I've now decided the safe version (IIUC) is rather than "su -"

> Naib wrote:
> > -P, --pty
> > Create a pseudo-terminal for the session. The independent
> > terminal provides better security as the user does not share
> > a terminal with the original session. This can be used to
> > avoid TIOCSTI ioctl terminal injection and other security
> > attacks against terminal file descriptors.

Which man page? My 'man su' has no -P or --pty option. It also lumps together "-, -l, --login". My su still comes from sys-apps/shadow, so maybe that's why.

pjp (Administrator), posted Thu Dec 14, 2023 4:58 pm:
> Spanik wrote:
> Another "su -" user as was advised me by one of the superannuated canines on the forum :)
> With a distro like Gentoo where emerge needs root I have no idea how you would keep it working without root accessible in any way.

I've used sudo for well over a decade without problems. It has been rare that I needed a root shell. My main precaution is having a root shell available when I update ssh or any login related programs. I've probably reinforced my use of sudo after negative reinforcement of deleting something accidentally when spending too much time in a root shell doing maintenance. Fortunately it has only been non-critical data. I probably need to time limit those activities so I don't start doing it mindlessly.

gtwrek (Tux's lil' helper), posted Thu Dec 14, 2023 6:01 pm:
> My main precaution is having a root shell available when I update ssh or any login related programs

I've sometimes wondered about that. My gentoo world updates are almost all done in an ssh session with sudo, i.e. `sudo emerge -av ... @world`
I've sometimes wondered how things work when ssh is updated. All I know is it always "just works" through the portage world update. I've *never* had any problems here.
I've taken the precaution to ensure I have a serial terminal console backup to my more difficult to physically access machines. But I hardly ever need to use such (and if I do it's usually some other user error).

grknight (Retired Dev), posted Thu Dec 14, 2023 6:35 pm:
> gtwrek wrote:
> I've sometimes wondered about that. My gentoo world updates are almost all done in an ssh session with sudo. i.e. `sudo emerge -av ... @world`

Be very careful with 'sudo emerge'. Things in the user environment can bleed in and affect software like I've mentioned already. It could be as simple as an error or, at worst, a bad actor could control the system on a compromised user account.

pjp (Administrator), posted Thu Dec 14, 2023 10:08 pm:
> gtwrek wrote:
> I've sometimes wondered how things work when ssh is updated. All's I know is it always "just works" through the portage world update. I've *never* had any problems here.
> I've taken the precaution to ensure I have a serial terminal console backup to my more difficult to physically access machines. But I hardly ever need to use such (and if I do it's usually some other user error).

I don't always remember, but I try to. There is a bit of motivation if you don't have physical access and would have to wake someone up to deal with the mistake. :)
I forgot once, but the system was in the other room. That predated version 8. I think for this news item, I remembered: gentoo/metadata/news/2020-02-19-openssh-8_2-service-breakage/2020-02-19-openssh-8_2-service-breakage.en.txt:

> Title: OpenSSH 8.2_p1 running sshd breakage
> Author: Patrick McLean <chutzpah@gentoo.org>
> Posted: 2020-02-20
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: <net-misc/openssh-8.2
>
> If sshd is running, and a system is upgraded from
> <net-misc/openssh-8.2_p1 to >=net-misc/openssh-8.2_p1, any new ssh
> connection will fail until sshd is restarted.

Serial consoles are of course preferred, but I've not found that option for consumer-grade hardware. :(

Goverp (Advocate), posted Fri Dec 15, 2023 9:32 am:
> pjp wrote:
> ...
> Which man page? My 'man su' has no -P or --pty option. It also lumps together "-, -l, --login". My su still comes from sys-apps/shadow, so maybe that's why.

The /usr/share/man/man1/su.1.bz2 from sys-apps/util-linux 2.38.1

jonathan183 (Guru), posted Fri Dec 15, 2023 1:34 pm:
Use sudo with limited commands for most users.
I usually use sudo -s for my admin user.

grknight (Retired Dev), posted Fri Dec 15, 2023 1:47 pm:
> jonathan183 wrote:
> Use sudo with limited commands for most users.
> Usually use sudo -s for my admin user

Another one to be wary of security wise. sudo -i is better than sudo -s.
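The points argued across this thread (miket's per-script visudo entries versus an Ubuntu-style blanket grant, grknight's warning about the user environment bleeding into sudo and his sudo -i over sudo -s preference, and the separate-pty idea behind Naib's su -P quote) can be checked mechanically against a sudoers file. The script below is an added example, not code from the thread or from the sudo project; it audits a constructed sudoers-style sample and assumes one rule per line, comments starting in column 1, no backslash continuations and no @include directives, and treats the sudoers(5) option use_pty as sudo's counterpart of su's -P.

```shell
#!/bin/sh
# Added example, not code from the thread or from sudo: audit a sudoers-style
# file for what the posts above argue about (blanket root grants, NOPASSWD on
# ALL, environment bleed-through, no separate pty). Assumes one rule per line,
# comments starting in column 1, no backslash continuations or @include.
report() { findings=$((findings + 1)); printf 'FINDING: %s -- %s\n' "$1" "$2"; }

audit_sudoers() {
    file=$1; findings=0; pty_seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;                     # blank or comment
            Defaults*)
                # '!env_reset' or extra env_keep entries let the caller's
                # environment reach the privileged command (sudo -i starts a
                # fresh login environment, sudo -s does not).
                case "$line" in *'!env_reset'*) report env "$line" ;; esac
                case "$line" in *env_keep*'+='*) report env "$line" ;; esac
                # use_pty is sudo's counterpart of 'su -P': the command gets
                # its own pseudo-terminal instead of sharing the caller's.
                case "$line" in
                    *'!use_pty'*) pty_seen=1; report pty "$line" ;;
                    *use_pty*)    pty_seen=1 ;;
                esac
                continue ;;
        esac
        set -- $line
        [ "$1" = root ] && continue             # root granting itself is expected
        # user or %group  ALL=(ALL) [NOPASSWD:] ALL  ==> every command as root
        if printf '%s\n' "$line" | grep -Eq \
           '^[^[:space:]]+[[:space:]]+ALL[[:space:]]*=[[:space:]]*\((ALL|root)(:ALL)?\)[[:space:]]*(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$'
        then report fullroot "$line"; fi
    done < "$file"
    [ "$pty_seen" -eq 1 ] || report pty "use_pty never set (older sudo defaults it off)"
    printf 'total: %d\n' "$findings"
}

# Constructed sample, not taken from any real host: mike's entry is the
# per-script style miket describes; the others are the permissive kind.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
Defaults env_reset
Defaults env_keep += "EDITOR PAGER"
Defaults !use_pty
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
mike    ALL=(root) NOPASSWD: /usr/local/sbin/sync-and-update.sh
EOF
}

sample=$(mktemp)
write_sample_sudoers "$sample"
audit_sudoers "$sample"
rm -f "$sample"
```

On the sample this reports four findings (the env_keep addition, the negated use_pty, the %sudo group grant and alice's NOPASSWD ALL) and leaves root's own rule and mike's single-script entry alone.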

CaptainBlood (Advocate), posted Fri Dec 15, 2023 9:54 pm:
> Goverp wrote:
> After RTFMing. I've now decided the safe version (IIUC) is rather than "su -"

+1.
As Naib said, I've set an alias accordingly.
Thks 4 ur attention, interest & support.

dmpogo (Advocate), posted Sat Dec 16, 2023 6:28 pm:
> Naib wrote:
> I just use su - to get a root shell :(

+1

pepoluan (n00b), posted Tue Dec 19, 2023 3:14 am, subject "Re: Damn":
> coalms wrote:
> doas is an unofficial port and while some users see it as a vulnerability not having the right kernel access

The kernel access is mostly needed to make it 'persistent' (i.e., it remembers you have entered the right password so it will not ask again for the next several minutes).
Without the kernel call, it records the timestamp the same way as sudo does: with a temporary file.
So w.r.t. vulnerability if not using the kernel call: it's as vulnerable as sudo is.

pepoluan (n00b), posted Tue Dec 19, 2023 3:19 am:
> gtwrek wrote:
> I've sometimes wondered how things work when ssh is updated.

ssh works the same way as Apache or Nginx works:
When you connect, your connection is handed over to a child process, and the child process is detached from the parent process.
When ssh gets upgraded, the parent process is killed, but the child process lives on until you end the session.
So, as long as you maintain an ssh session to your machine, you won't be affected by ssh upgrades.
(Which is why I personally think ssh is the perfect -- and currently, the only one I know -- example of the OSI Layer 5 "Session Layer": it provides a session, and other applications [remote shell, file transfer, tunneling, etc.] take place above the SSH session.)

eccerr0r (Watchman), posted Sat Dec 23, 2023 7:22 pm:
It gets to a point when paranoia of the uncommon wastes time on the common...
I just use sudo. It's better than my homegrown solution I used way back when: I had a small program that could only be run by my userid that would give root without a password, which of course would be security by obscurity. All traces of that script are now gone.
As a relevant aside, my home PVR box is always logged in as 'guest' password 'guest' so people can use/watch TV, and I disallow sudo access to 'guest' for obvious reasons (and it's also not in wheel, so that blocks out su). However, when I do need to access root, this is quite annoying, as c-a-F2 of course makes my Firefox research invisible or needs to be redone, so I end up having to ssh to my normal unprivileged account on that machine, and then sudo from that. Trading convenience for security, though yes, it could be worse...
(And of course guest is disallowed remote logins; that would be a recipe for getting pwn3d despite being behind a firewall.)

s0ulslack1 (n00b), posted Sun Dec 24, 2023 5:21 am:
I still let GID wheel su without a password. If I don't trust myself as root, wtf do I trust?