View previous topic :: View next topic |
Which one is your primary way to access root |
doas |
|
25% |
[ 9 ] |
sudo |
|
51% |
[ 18 ] |
tty login root |
|
20% |
[ 7 ] |
root disabled/single-user bootup |
|
2% |
[ 1 ] |
|
Total Votes : 35 |
|
Author |
Message |
coalms n00b
Joined: 28 Nov 2023 Posts: 21
|
Posted: Mon Dec 04, 2023 7:49 am Post subject: How many of you are using doas?sudo?what about root tty1? |
|
|
Honestly, do you prefer having programs like sudo and doas in your "daily driver"? Or you you just avoid the security escalation vulnerability of having a program such at this and just run tty1 root tmux/screen? If tty then have you though about hardening your keyboard and xorg so programs cannot ctrl+alt+fX on an open root tty xorg emulating a tty to sniff your password?
PS I wourld have made this into a poll but no such option appears so I guess I do not have the permission to do so, if an admin sees this do poll it if possible
Edit: realised I should have posted this on gentoo chat sub-forum where I have both poll rights and thinking about it now imo is a more fitting place to post it, but at this point I made enough posts for today where deleting this and reposting it there wourld give me an error(too many posts), unless this is moved Ill repost tomorrow
Moved the topic to "Gentoo Chat" subforum for you.
You should be able to add poll now.
Thanks Zucca
Last edited by coalms on Tue Dec 05, 2023 12:43 am; edited 1 time in total |
|
Back to top |
|
|
spica Guru
Joined: 04 Jun 2021 Posts: 330
|
Posted: Mon Dec 04, 2023 10:02 am Post subject: |
|
|
Navigating complex discussions about borderline cases can be likened to a sausage stick:
one end has the exclusive "root user," while the other end lacks any root access.
The reality, much like the savory truth in this metaphor, lies nestled somewhere in the middle. |
|
Back to top |
|
|
Zucca Moderator
Joined: 14 Jun 2007 Posts: 3734 Location: Rasi, Finland
|
Posted: Mon Dec 04, 2023 10:31 am Post subject: |
|
|
I'm using doas, as I found its construction (code) quite simple. This in hopes that it's less prone to security flaws. _________________ ..: Zucca :..
My gentoo installs: | init=/sbin/openrc-init
-systemd -logind -elogind seatd |
Quote: | I am NaN! I am a man! |
|
|
Back to top |
|
|
lemon426 n00b
Joined: 29 Nov 2023 Posts: 34
|
Posted: Mon Dec 04, 2023 10:54 am Post subject: |
|
|
Hello!
For my part, I use sudo more often. But for some time now (well over a month now), I've been using doas. The fact that I can (partly) read the source code and understand it helps a lot. And in terms of optimization (although I'm sure it's not much), doas is really very small in size! |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54585 Location: 56N 3W
|
Posted: Mon Dec 04, 2023 11:21 am Post subject: |
|
|
coalms'
I use sudo but its usually to get root access for a string of commands.
Why?
fortune wrote: | It is fruitless to indoctrinate a superannuated canine with innovative maneuvers | and I'm one of those. :) _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
Naib Watchman
Joined: 21 May 2004 Posts: 6067 Location: Removed by Neddy
|
Posted: Mon Dec 04, 2023 11:23 am Post subject: |
|
|
I just use su - to get a root shell _________________
Quote: | Removed by Chiitoo |
|
|
Back to top |
|
|
rfx Tux's lil' helper
Joined: 19 Apr 2023 Posts: 142 Location: de-by
|
Posted: Mon Dec 04, 2023 11:31 am Post subject: |
|
|
+1 sudo |
|
Back to top |
|
|
NichtDerHans Apprentice
Joined: 27 Jan 2023 Posts: 177
|
Posted: Mon Dec 04, 2023 11:36 am Post subject: |
|
|
Naib wrote: | I just use su - to get a root shell |
+1 |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5144 Location: Bavaria
|
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22714
|
Posted: Mon Dec 04, 2023 1:58 pm Post subject: |
|
|
I use a root login on a console for serious maintenance. I use my user in an xterm running /bin/su -l for routine root administration. Also, everything that can be run under setpriv --nnp is, so most of my shells cannot use /bin/su to elevate. |
|
Back to top |
|
|
NeglectedRudderPug n00b
Joined: 04 Oct 2023 Posts: 29
|
Posted: Mon Dec 04, 2023 3:57 pm Post subject: |
|
|
Personally, I just use the command:
From the GUI, and log directly in as root on tty where necessary.
I'm of the view sudo has it's place when you're dealing with multiple users on larger systems where you must regulate and control root access. But on a local system with one user, it's just more convenient to use su, so I don't have to write sudo before each root command. (My root and local account passwords are different though. ) |
|
Back to top |
|
|
tld Veteran
Joined: 09 Dec 2003 Posts: 1845
|
Posted: Mon Dec 04, 2023 4:43 pm Post subject: |
|
|
As many others here, I've never seen any need to do anything other than "su -". At one time I'm sure this is essentially all anyone running Linux used until Ubuntu started that whole trend with no root password, where sudo was the only option. Always disliked that whole idea.
Tom |
|
Back to top |
|
|
spica Guru
Joined: 04 Jun 2021 Posts: 330
|
Posted: Mon Dec 04, 2023 5:27 pm Post subject: |
|
|
I run sudo bash as the dash key is too distant for my pinky. |
|
Back to top |
|
|
grknight Retired Dev
Joined: 20 Feb 2015 Posts: 1927
|
Posted: Mon Dec 04, 2023 5:35 pm Post subject: |
|
|
spica wrote: | I run sudo bash as the dash key is too distant for my pinky. |
This can get you in trouble with environment bleeding in from the user. This can be errors, or at worst, have a bad actor take control if the user is compromised.
It is best to use su - or sudo -i to prevent the environment issues. |
|
Back to top |
|
|
Goverp Advocate
Joined: 07 Mar 2007 Posts: 2181
|
Posted: Mon Dec 04, 2023 7:51 pm Post subject: |
|
|
Naib wrote: | I just use su - to get a root shell |
+1 _________________ Greybeard |
|
Back to top |
|
|
spica Guru
Joined: 04 Jun 2021 Posts: 330
|
Posted: Mon Dec 04, 2023 8:56 pm Post subject: |
|
|
grknight wrote: | spica wrote: | I run sudo bash as the dash key is too distant for my pinky. |
This can get you in trouble with environment bleeding in from the user. This can be errors, or at worst, have a bad actor take control if the user is compromised.
It is best to use su - or sudo -i to prevent the environment issues. |
This is a good point, thanks! |
|
Back to top |
|
|
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3897
|
Posted: Mon Dec 04, 2023 9:51 pm Post subject: |
|
|
Naib wrote: | I just use su - to get a root shell |
+1 _________________ USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. " |
|
Back to top |
|
|
Zucca Moderator
Joined: 14 Jun 2007 Posts: 3734 Location: Rasi, Finland
|
Posted: Mon Dec 04, 2023 11:06 pm Post subject: |
|
|
Looks like I'm in the minority with doas. :o _________________ ..: Zucca :..
My gentoo installs: | init=/sbin/openrc-init
-systemd -logind -elogind seatd |
Quote: | I am NaN! I am a man! |
|
|
Back to top |
|
|
flexibeast Guru
Joined: 04 Apr 2022 Posts: 468 Location: Naarm/Melbourne, Australia
|
Posted: Mon Dec 04, 2023 11:12 pm Post subject: |
|
|
'su -l' for me also, with the '-l' making sure i don't have a hybrid user+root environment that can create various issues. And, yeah, this is probably because i started using Linux long before Ubuntu's "sudo all the things" approach became widespread.
That said, what potential problems are there with using 'sudo' or 'doas' all the time instead of 'su'? |
|
Back to top |
|
|
coalms n00b
Joined: 28 Nov 2023 Posts: 21
|
Posted: Tue Dec 05, 2023 1:20 am Post subject: Damn |
|
|
To be honest I am baffled by the results up until this point, the points I have seen just up until now are simple, doas is an unofficial port and while some users see it as a vulnerability not having the right kernel access as the bsd og the compactness of code is
su -,sudo -i or any sudo variation is quite hardened spaghetti code which I would have originally though the gentoo community would stay away from
tty is cumbersome to switch all the time and yet the most secure out of all to administer the system without booting to single-user or init=/bin/bash
personally on a daily driver its tty for me and in case I have to leave my machine emerging while I am away from home i prefix my commands with a comma
Code: |
,(){
eval "$@ && exit || exit"
} |
but that is because of my living environment anyhow
nevertheless I was secretly hoping that someone uses an obscure "new" command or something like "root passwd shell /root/mnt/rootusb/bin/bash, auto-mountable encrypted usb, tty12 on /root/mnt/rootusb/dev/tty12 and otherwise disabled unless mounted ,root path points first to /mnt/rootusb/bin, usb unlocks only when the libra sodiac sign aligns with neptune and passes my blood test sample as original and fresh etc etc" |
|
Back to top |
|
|
psycho Guru
Joined: 22 Jun 2007 Posts: 542 Location: New Zealand
|
Posted: Tue Dec 05, 2023 2:08 am Post subject: |
|
|
Depends if we're counting running or just typing them. If I need root access for something unusual I'll type su in a terminal, but I have a few scripts that use sudo to start/stop services or whatever. So on a typical day I'm probably using sudo the most (but I'm not typing it, I'm doing GUI stuff that's using it in the background). Actually typing the instruction though, it's nearly always su. |
|
Back to top |
|
|
flexibeast Guru
Joined: 04 Apr 2022 Posts: 468 Location: Naarm/Melbourne, Australia
|
Posted: Tue Dec 05, 2023 3:05 am Post subject: |
|
|
@coalms:
Well, there are instances where i use (open)doas too. Here's a more complete picture:
* As part of starting up my GUI environment on my (Gentoo) laptop, a kitty terminal is opened, containing several tabs. One of those is a 'root' tab, with an 'su -l' session. Normally i'm in other tabs, but for tasks (or more likely, series of tasks) requiring root, i'll switch to the 'root' tab, switching back to other tabs when local root isn't necessary.
* i use opendoas on my laptop, but for specific tasks requiring different privileges (e.g. using Wireshark), not as a generic tool to do whatever i want as root.
* i use doas on my OpenBSD server, e.g. running a PHP admin script as the 'www' user. |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22714
|
Posted: Tue Dec 05, 2023 3:08 am Post subject: Re: Damn |
|
|
I do not recall the state of the code or the configuration language for doas. I recall that the configuration language for sudo is rather unpleasant to work with, and suspect that many sites confer far more sudo privilege than is needed simply because assigning an exactly correct amount is too cumbersome in the grammar. coalms wrote: | personally on a daily driver its tty for me and in case I have to leave my machine emerging while I am away from home i prefix my commands with a comma Code: | ,(){
eval "$@ && exit || exit"
} |
| What is the point of this? If you want the shell to go away, just exec "$@". Using eval is usually wrong. Using CMD && exit || exit looks unnecessarily complex. If you do not want to exec, you could use ; exit instead of the && || combination. |
|
Back to top |
|
|
coalms n00b
Joined: 28 Nov 2023 Posts: 21
|
Posted: Tue Dec 05, 2023 5:31 am Post subject: Re: Damn |
|
|
Hu wrote: | What is the point of this? If you want the shell to go away, just exec "$@". Using eval is usually wrong. Using CMD && exit || exit looks unnecessarily complex. If you do not want to exec, you could use ; exit instead of the && || combination. |
That was a mistake I wrote this from memory, here is the correct one
Code: |
trap 'exit' INT
eval "$@ && exit || exit " || exit
|
It is just excessive fail-safes,I do not have the leniency to stand around my portable device when emerging and for work and living environment related reasons/being around mischievous individuals having my device open is a reason to format and go again, I won't ever leave a xorg server open in these cases but rather use a tty, if I am using the device actively ill just "emerge -xyz @world", if however I have to leave the presence of my device I run ", emerge -xyz @world", simply if emerge fails then exit, if emerge succeeds exit, if exit fails. . . exit, worse case scenario if there was a "cancel exit command" vulnerability someone could take advantage of by spamming ctrl+c or ctrl+z it wourld still exit because of trap
edit: as far as I remember i put the last || exit after the quotes to catch ctrl+z actions, thinking about it I could probably trap these as well,eh food for thought
edit2: just checked online, trapping ctrl+z is more like ctrl+Zombies since the script will never die, dunno if it was why i did so with || exit or not
Last edited by coalms on Tue Dec 05, 2023 5:58 am; edited 3 times in total |
|
Back to top |
|
|
coalms n00b
Joined: 28 Nov 2023 Posts: 21
|
Posted: Tue Dec 05, 2023 5:49 am Post subject: Re: Damn |
|
|
Hu wrote: | I do not recall the state of the code or the configuration language for doas. I recall that the configuration language for sudo is rather unpleasant to work with, and suspect that many sites confer far more sudo privilege than is needed simply because assigning an exactly correct amount is too cumbersome in the grammar. |
iirc doas is cumbersome to configure only on edge cases but very easy to deal with with normal staff, with automation scripts once I wanted to allow non-wheel users to execute a user owned script containing "doas /path/to/non/sticky/bit/root/script" apparently if you want to do so you couldn't use "doas name-of-non-sticky-bit-root-script-without-whole-path-even-if-its-the-first-file-on-path.sh" and you have to allow rights to the user or group to execute that exact path on doas.conf, its very cut and dry since as far as I understood from that interaction it doesn't check the path before executing doas, it just passes $@ to doas as it is and compairs to doas.conf, sudo on the other hand has so many options that I just avoid using it completely, especially when using githab scripts I go by interpreting the intended purpose based on the man page and do it by hand, I am probably the most backwards person in this poll tbh and that is why I started it, wanna see what's up with your interactions, but then again just like you said sites give more sudo privilages than they need to so I tend to be safe |
|
Back to top |
|
|
|