Inventing the Unix "sudo" command. Interview with Bob Coggesha


securitybreach

securitybreach

"It was just one of those nights. We were sitting at the O'Neil's San Mateo Pub, taking a break after a long day at the Maker Faire. Hackaday was hosting an informal drink-up and a steady stream of colorful characters was just started flowing in. That's when we met [Robert Coggeshall]. It started off as a normal discussion - he runs [small Batch Assembly] and does a lot of interesting things in the maker space. Then he brought up a fascinating detail - "Oh, did you know I also co-invented sudo back in the 80ies?" we had to get the story from him."

 

Read the entire article: https://hackaday.com...x-sudo-command/

 

http://www.youtube.com/watch?v=LaAwl3HN5ds

 

  • Like 4

Super read I liked the comments section.

 

Following the breadcrumbs I started to read up about su and sudo as I did not know what " su - " or " su -c " and such like were. :breakfast:

  • Like 1

securitybreach

Super read I liked the comments section.

 

Following the breadcrumbs I started to read up about su and sudo as I did not know what " su - " or " su -c " and such like were. :breakfast:

 

Glad to help. Personally, I use su - and su -c all the time. I used sudo as well when needed.

Link to comment
Share on other sites

Wish I had known about those commands years ago. Funnily enough I have never seen them in any of the loads of articles and guides I have read. :breakfast:

  • Like 1

I really like sudo -i since that "sort of" lets you log in as root. If you plan to do a bunch of sudo commands you won't have to type "sudo" before each one. Then you just exit and you are back to a user shell.

  • Like 1

In the past, I would go with how the distro was set up -- like, I'd use sudo in Ubuntu and Mint, but I'd use su in other distros. Lately, I mostly use sudo in every distro I run. Hotly-debated topic, this "su vs. sudo" stuff. But when it comes to Linux, I guess there's never been a shortage of hotly-debated topics! I thought it was kinda funny reading the comments following the article, where folks seemed to be getting bent out of shape about the "correct" pronunciation. Whatever.

  • Like 2

Well I can see the benefit of sudo when you have a few different users now that I have read around the subject a bit more. Personally I prefer to use su as with coloured output you can see when you are root at a glance.

I do have sudo as pacaur needs it and I am not at the stage where I want to manage AUR packages without a helper.

I thought the comments were quite amusing too regarding pronunciation. Reading around the subject I am finding articles or guides where folk are told, add your user to the sudoers file and wheel group and do something like (can not remember the exact off hand) " ALL=ALL " which basically gives the user root for everything. I find the whole thing confusing and need to read more about sudo. It is just another layer of stuff that you need to grasp the meaning and usage of and for a single user I feel it is not necessary and trending away from the KISS principle.

A good tool perhaps but so is a petrol driven 12" stone saw and how many folk need one of them in daily life ?

 

:breakfast:

 

Mind you I could do with a stone saw for a few days as I want to alter me driveway :Laughing:

  • Like 1

Yeah, seems to me that sudo is not necessary, especially on a single-user system. It's just another tool. And I've had to do some reading to figure out how to set things up and all that.

 

All that being said, seems okay to use, for me, on my single-user systems. I'm finding that in the end it isn't such a big deal; seems like a nice tool to have around. I figured I'd go for it and see how I felt about it myself. Who knows, maybe down the road I'll go back to using only su.

 

A good tool perhaps but so is a petrol driven 12" stone saw and how many folk need one of them in daily life ?

 

Ha-ha! Well, I'd say that sudo is a heck of a lot more useful in my daily life than a petrol driven 12" stone saw would be!

  • Like 2

Ok so I have done some more reading and have a question.

 

On Arch is it possible to just allow "me + root" to use pacaur with sudo. That is take "me" out of the wheel group, create a group that only allows pacaur.

Or could I take "me" out of the wheel group and just use " sudo -c or sudo -i or sudo - " ?

 

These are the man entries for -c and -i,

 

 

-c class, --login-

Run the command with resource limits and scheduling priority of the specified login class. The class argument can be either a class name as defined in /etc/login.conf, or a single ‘-’ character. If class is -, the default login class of the target user will be used. Otherwise, the command must be run as the superuser (user ID 0), or sudo must be run from a shell that is already running as the superuser. If the command is being run as a login shell, additional /etc/login.conf settings, such as the umask and environment variables, will be applied, if present. This option is only available on systems with BSD login classes.

-i login

Run the shell specified by the target user's password database entry as a login shell. This means that login-specific resource files such as .profile or .login will be read by the shell. If a command is specified, it is passed to the shell for execution via the shell's -c option. If no command is specified, an interactive shell is executed. sudo attempts to change to that user's home directory before running the shell. The command is run with an environment similar to the one a user would receive at log in. The Command environment section in the sudoers(5) manual documents how the -i option affects the environment in which a command is run when the sudoers policy is in use.

There is also this dealing with using an editor with sudo which I have never come across before,

 

Secure editing

The sudoers plugin includes sudoedit support which allows users to securely edit files with the editor of their choice. As sudoedit is a built-in command, it must be specified in the sudoers file without a leading path. However, it may take command line arguments just as a normal command does. Wildcards used in sudoedit command line arguments are expected to be path names, so a forward slash (‘/’) will not be matched by a wildcard. Unlike other sudo commands, the editor is run with the permissions of the invoking user and with the environment unmodified. More information may be found in the description of the -e option in sudo(8). For example, to allow user operator to edit the “message of the day” file:

operator sudoedit /etc/motd

The operator user then runs sudoedit as follows:

$ sudoedit /etc/motd

The editor will run as the operator user, not root, on a temporary copy of /etc/motd. After the file has been edited, /etc/motd will be updated with the contents of the temporary copy. Users should never be granted sudoedit permission to edit a file that resides in a directory the user has write access to, either directly or via a wildcard. If the user has write access to the directory it is possible to replace the legitimate file with a link to another file, allowing the editing of arbitrary files. To prevent this, starting with version 1.8.16, symbolic links will not be followed in writable directories and sudoedit will refuse to edit a file located in a writable directory unless the sudoedit_checkdir option has been disabled or the invoking user is root. Additionally, in version 1.8.15 and higher, sudoedit will refuse to open a symbolic link unless either the sudoedit_follow option is enabled or the sudoedit command is prefixed with the FOLLOW tag in the sudoers file.

 

 

A very puzzled barbarian :breakfast:


V.T. Eric Layton

Back in my Ubuntu days, I ran su. I also set up Arch to use su primarily when I was running that OS, but I don't remember exactly how I did that... it was a long time ago.

  • Like 1

Ok so I have done some more reading and have a question.

 

On Arch is it possible to just allow "me + root" to use pacaur with sudo. That is take "me" out of the wheel group, create a group that only allows pacaur.

Or could I take "me" out of the wheel group and just use " sudo -c or sudo -i or sudo - " ?

 

I wish I knew enough to be able to give you good answers. I use yaourt here instead of pacaur. And I don't use AUR all that much, just a few apps from there -- I try to keep it at a minimum. On my Arch system, yaourt uses sudo, when necessary. I dug through my notes and looked at man pages to see if I could point you in the right direction, but I gave up after a while.

 

Anyway, why not keep using pacaur as you're doing right now?

 

By the way, I finally got around to installing Debian Stretch on my "main" computer, with KDE and Openbox. Did a netinstall. I thought it was interesting that sudo was included by default, but it wasn't set up yet. I mean, steve (me) wasn't in group=sudo, so all I did was run the following:

 

# adduser steve sudo

 

That did the trick, and now I'm having no problem using sudo in this installation.

 

I also thought it was interesting that nano was already installed, and that visudo used nano by default. Which is nice for me because I'm not so good at using vi. In Arch, I had to set visudo to use nano.

  • Like 1

Thanks saturnian.

 

I will keep on using pacaur for now. I also do not have a great deal of AUR packages but some are essential for me. I am really trying to gain a better understanding of su and sudo which I am slowly beginning to understand.

 

I think the commands for vi are mostly the same for vim. As with nano you really only need the most basic commands like so,

 

Vim, there are three commands useful to remember.

:q - just quit/close

:q! - quit ignoring changes

:wq - write changes and quit

 

Sounds like you guys are having a lot of fun with Stretch from all the posts here. Enjoy :breakfast:

  • Like 1

Hedon James

Myeh... sudo is just virtual su. I don't do virtual. ;)

 

And yet, here you are...an esteemed virtual friend in our virtual computer club?! B)

  • Like 2

V.T. Eric Layton

Well, it's possible our entire known Universe is just a SIM game on some pimply-faced reptilian kid's quantum computer.

  • Like 1

Hedon James

Well, it's possible our entire known Universe is just a SIM game on some pimply-faced reptilian kid's quantum computer.

 

welcome to the matrix. red, or blue?

  • Like 1

securitybreach

Wish I had known about those commands years ago. Funnily enough I have never seen them in any of the loads of articles and guides I have read. :breakfast:

 

That's how it goes.

 

I haven't sudo'd since I was last in Debian or Ubuntu. In Slack, it's su all the time. :)

 

Well you could install it if you wanted to. I actually use both, depending on what I am doing.

  • Like 1

securitybreach

I really like sudo -i since that "sort of" lets you log in as root. If you plan to do a bunch of sudo commands you won't have to type "sudo" before each one. Then you just exit and you are back to a user shell.

 

I didn't know about that one as I usually use sudo su for that. Thanks


securitybreach

Myeh... sudo is just virtual su. I don't do virtual. ;)

 

Actually it's more secure because:

 

This is a key difference between su and sudo. Su switches you to the root user account and requires the root account's password. Sudo runs a single command with root privileges – it doesn't switch to the root user or require a separate root user password.

https://www.howtogee...etween-sudo-su/

 

That is why I mentioned that I use both of them. You can have it ask for the root password for some things whereas others will ask for the sudo password which is the user's password.

  • Like 1

securitybreach

 

Secure editing

The sudoers plugin includes sudoedit support which allows users to securely edit files with the editor of their choice. As sudoedit is a built-in command, it must be specified in the sudoers file without a leading path. However, it may take command line arguments just as a normal command does. Wildcards used in sudoedit command line arguments are expected to be path names, so a forward slash (‘/’) will not be matched by a wildcard. Unlike other sudo commands, the editor is run with the permissions of the invoking user and with the environment unmodified. More information may be found in the description of the -e option in sudo(8). For example, to allow user operator to edit the “message of the day” file:

operator sudoedit /etc/motd

The operator user then runs sudoedit as follows:

$ sudoedit /etc/motd

The editor will run as the operator user, not root, on a temporary copy of /etc/motd. After the file has been edited, /etc/motd will be updated with the contents of the temporary copy. Users should never be granted sudoedit permission to edit a file that resides in a directory the user has write access to, either directly or via a wildcard. If the user has write access to the directory it is possible to replace the legitimate file with a link to another file, allowing the editing of arbitrary files. To prevent this, starting with version 1.8.16, symbolic links will not be followed in writable directories and sudoedit will refuse to edit a file located in a writable directory unless the sudoedit_checkdir option has been disabled or the invoking user is root. Additionally, in version 1.8.15 and higher, sudoedit will refuse to open a symbolic link unless either the sudoedit_follow option is enabled or the sudoedit command is prefixed with the FOLLOW tag in the sudoers file.

 

 

 

A very puzzled barbarian :breakfast:

 

 

That seems very over complicated. I have never read anything about that. I just run EDITOR=vim visudo as root which opens up the sudoers file with vim. You could easily just run EDITOR=nano visudo as shown on the wiki.

 

I will read up on the other and tell you what I think.


securitybreach

# adduser steve sudo

 

That did the trick, and now I'm having no problem using sudo in this installation.

 

I also thought it was interesting that nano was already installed, and that visudo used nano by default. Which is nice for me because I'm not so good at using vi. In Arch, I had to set visudo to use nano.

 

I have never heard of using the sudo group, I didn't even know it existed. Normally, the wheel group takes care of all that:

 

The wheel group is a special user group used on some Unix systems to control access to the sudo command, which allows a user to masquerade as another user (usually the super user).

https://en.wikipedia...heel_(Unix_term)

Link to comment
Share on other sites

I have never heard of using the sudo group, I didn't even know it existed. Normally, the wheel group takes care of all that:

 

The wheel group is a special user group used on some Unix systems to control access to the sudo command, which allows a user to masquerade as another user (usually the super user).

https://en.wikipedia...heel_(Unix_term)

 

I don't know. I got it straight from the Debian wiki -- from the "Verifying sudo membership" section, here: https://wiki.debian.org/sudo

  • Like 1

I have never heard of using the sudo group, I didn't even know it existed. Normally, the wheel group takes care of all that:

 

The wheel group is a special user group used on some Unix systems to control access to the sudo command, which allows a user to masquerade as another user (usually the super user).

https://en.wikipedia...heel_(Unix_term)

 

I don't know. I got it straight from the Debian wiki -- from the "Verifying sudo membership" section, here: https://wiki.debian.org/sudo

 

Arch has its own little peculiarities. o:)

Link to comment
Share on other sites

Secure editing

The sudoers plugin includes sudoedit support which allows users to securely edit files with the editor of their choice. As sudoedit is a built-in command, it must be specified in the sudoers file without a leading path. However, it may take command line arguments just as a normal command does. Wildcards used in sudoedit command line arguments are expected to be path names, so a forward slash (‘/’) will not be matched by a wildcard. Unlike other sudo commands, the editor is run with the permissions of the invoking user and with the environment unmodified. More information may be found in the description of the -e option in sudo(8). For example, to allow user operator to edit the “message of the day” file:

operator sudoedit /etc/motd

The operator user then runs sudoedit as follows:

$ sudoedit /etc/motd

The editor will run as the operator user, not root, on a temporary copy of /etc/motd. After the file has been edited, /etc/motd will be updated with the contents of the temporary copy. Users should never be granted sudoedit permission to edit a file that resides in a directory the user has write access to, either directly or via a wildcard. If the user has write access to the directory it is possible to replace the legitimate file with a link to another file, allowing the editing of arbitrary files. To prevent this, starting with version 1.8.16, symbolic links will not be followed in writable directories and sudoedit will refuse to edit a file located in a writable directory unless the sudoedit_checkdir option has been disabled or the invoking user is root. Additionally, in version 1.8.15 and higher, sudoedit will refuse to open a symbolic link unless either the sudoedit_follow option is enabled or the sudoedit command is prefixed with the FOLLOW tag in the sudoers file.

 

 

 

A very puzzled barbarian :breakfast:

 

 

That seems very over complicated. I have never read anything about that. I just run EDITOR=vim visudo as root which opens up the sudoers file with vim. You could easily just run EDITOR=nano visudo as shown on the wiki.

 

I will read up on the other and tell you what I think.

 

I think you read this too fast as it is not talking about which editor to use for altering the sudoers file.

 

Using sudoedit as a normal user allows that user to write/make/alter files that are root access only.

 

This for example does not allow you to alter fstab,

 

$ nano /etc/fstab
bash: $: command not found

 

whereas

 

$ sudoedit /etc/fstab

 

I have tested it and it works as advertised. This will save me a lot of typing as I will not need to su to root and then open an editor and then su back to my normal user.

 

Amazing what you can learn if only you RTFM :Laughing: mind you understanding the man pages can be a tad difficult for me :'(

Edited by abarbarian
Link to comment
Share on other sites
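The sudoers(5) text quoted in this thread warns against granting sudoedit on a file that sits in a directory the user can write to, or on a symbolic link. The following is an added example, not part of the thread and not sudo's own code: a small Python check that applies those two rules to a candidate path before a sudoers entry is written. The function names, the sample tree and the uid are constructed for illustration, and only classic mode bits are examined (ACLs are ignored).

```python
import os
import stat
import tempfile


def can_write(st, uid, gids):
    """Owner/group/other write check from the mode bits (ACLs are ignored)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def sudoedit_risks(path, uid, gids):
    """Return the reasons a sudoedit grant on `path` is unsafe for a non-root user."""
    findings = []
    # Per the quoted man page, sudo 1.8.15+ refuses symlinks unless
    # sudoedit_follow or the FOLLOW tag is set.
    if os.path.islink(path):
        findings.append("target-is-symlink")
    # abspath() does not resolve links, so this is the directory holding the entry.
    parent = os.path.dirname(os.path.abspath(path))
    # A user who can write the directory can replace the file with a link.
    if can_write(os.stat(parent), uid, gids):
        findings.append("parent-dir-writable")
    return findings


def demo():
    """Build a constructed directory tree and check three sample targets."""
    other_uid = os.getuid() + 1000  # hypothetical unprivileged user, not the owner
    with tempfile.TemporaryDirectory() as root:
        locked = os.path.join(root, "etc")
        shared = os.path.join(root, "shared")
        for d, mode in ((locked, 0o755), (shared, 0o777)):
            os.mkdir(d)
            os.chmod(d, mode)  # explicit chmod so the umask does not interfere
        motd = os.path.join(locked, "motd")
        notes = os.path.join(shared, "notes.conf")
        for f in (motd, notes):
            with open(f, "w") as fh:
                fh.write("sample\n")
        link = os.path.join(locked, "motd.link")
        os.symlink(notes, link)
        return {
            "motd": sudoedit_risks(motd, other_uid, set()),
            "notes": sudoedit_risks(notes, other_uid, set()),
            "link": sudoedit_risks(link, other_uid, set()),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

An empty list means neither rule from the man page is violated for that user; it says nothing about what the file's contents allow once edited.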

Well, it's possible our entire known Universe is just a SIM game on some pimply-faced reptilian kid's quantum computer.

 

There must be something to the theory as the beeb have made a series around the subject,

 

 

Planet B is a science fiction drama series first broadcast on BBC Radio 7 on 2 March 2009 as part of BBC Radio's science fiction season between February and March 2009.[1] Planet B is set in a virtual world called "Planet B" in which people play as life-size avatars. The first series follows John Armstrong who attempts to find girlfriend Lioba Fielding who is dead in the real world but alive in Planet B. As he travels between various worlds he becomes entangled in an array of strange scenarios, teleporting from each adventure to the next with his companion Medley, a "rogue avatar" who has no human controller. All the while, John and Medley are being watched by a dog-like antivirus programme called Cerberus who, along with the Planet B Corporation, considers the rogues to be a computer virus that need to be wiped out. In the second series, Lioba is on the run from Planet B and travels the virtual world with computer games expert Kip Berenger after they are attacked by Cerberus.

The series was created by Sam Hoyle, Jessica Dromgoole and Matthew Broughton with James Robinson. The first series ran for ten episodes and was BBC Radio 7's biggest ever commission for an original drama series.[2] A second series of five episodes was broadcast from 29 November 2009 to 27 December.[3] A third series started on 30 January 2011.[4]

 

As all drama has some element of real life in it there may be some truth in the concept. Also apparently folk are spreading the news via usb sticks as entertainment. Be warned do press play if finding such material as you will lose hours of your real life if not life itself. :shifty:

  • Like 1