I used to think I loved these things. But I recently attempted a sane task, and lost 3 fucking days of my life. Maybe I'm just an idiot, but I feel Linux needs to die.
All I wanted was to have a sudo user be able to read /var/log/auth.log.
Created a tight ass sudoers file, but protection mechanisms for less relied on environmental variables.
Fine. Added read only variables to profile.d, protected it with env_keep. Uh-oh, local variables can be forgotten if new scope is invoked! Not to mention read only variables can be unset with a weird gdb 'feature.'
Only way I got around this bullshit was to force the power-user to use ssh locally as a wrapper for ForceCommand. I had to write ~90 lines of code overall to make a relatively safe wrapper to sanitize $SSH_ORIGINAL_COMMAND, because SSH sucks apparently.
tldr: Linux sucks unless it's running FLASK. You can't prove me wrong. Windows master race.
# if LESSSECURE is read-only, unset fails; attach gdb to this shell and call bash's unbind_variable()
unset LESSSECURE > /dev/null 2>&1
if [ $? -ne 0 ]; then
    gdb > /dev/null 2>&1 <<EOF
attach $$
call unbind_variable("LESSSECURE")
detach
quit
EOF
fi
Lest anyone think I'm lying, place the above in any .bash* file.
Parker Morris
chown root:wheel /var/log/auth.log wow that was fucking difficult
Camden Morgan
wait were you trying to lock down users you'd given sudo to but allowed them to run gdb? lol
sudoers is not there for you to lock down user access. it is there so users can perform certain actions, or all actions, as root (superuser). sudo access is ONLY given to trusted individuals. it is not the place to prevent said individuals from wrecking your shit, because once a user can run ANYTHING as root, you're opening up a whole world of potential exploits.
use groups for this shit, or (if you need finer control) something like apparmor/selinux/whatever.
Zachary Lopez
And they say this board isn't for advice :^) thanks senpai

user ALL= (root) !/bin/less /var/log/*[ ]*
user ALL= (root) !/bin/less /var/log*[[\:blank\:]]*
Shit gets more difficult if you want to actually use sudo for anything
Easton Perry
What if it is a bot checking basic stats? I'd trust ssh scripts over snmp any day. Ain't hard to add flexibility to ForceCommand.
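An added example, written for this edit and not the ~90-line wrapper from the original post or any code from the thread: a ForceCommand handler that validates $SSH_ORIGINAL_COMMAND against a short allowlist of read-only requests (the log reader the OP wanted, plus a couple of "basic stats" calls for the bot case mentioned above) and refuses everything else. The account name loguser, the script path /usr/local/sbin/log-shell, the request names auth-log/uptime/disk and the sshd_config Match block are all assumptions.

```shell
#!/bin/sh
# Added example, not the poster's wrapper: a ForceCommand handler that maps
# $SSH_ORIGINAL_COMMAND onto a few fixed, read-only commands and refuses
# everything else. Assumed sshd_config, restricting one assumed account:
#
#   Match User loguser
#       ForceCommand /usr/local/sbin/log-shell
#       PermitTTY no
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no

AUTH_LOG=/var/log/auth.log   # assumption: readable by loguser (e.g. via its group)
MAX_LINES=1000               # upper bound for the one numeric argument we accept

# Turn a request string into the argv we would run, printed one word per
# line, or return 1. The request is never handed to a shell: it is split
# on whitespace with globbing off, every word is checked against a strict
# character set, and the command name is matched against literal names.
resolve_request() {
    set -f                    # no pathname expansion while word-splitting
    set -- $1
    set +f
    [ $# -ge 1 ] && [ $# -le 2 ] || return 1
    for word in "$@"; do
        case "$word" in
            *[!A-Za-z0-9_-]*) return 1 ;;   # ; | & $ ( ) ` * etc. end here
        esac
    done
    name=$1
    arg=${2:-}
    case "$name" in
        auth-log)
            n=${arg:-50}
            case "$n" in
                *[!0-9]*) return 1 ;;         # digits only
            esac
            [ ${#n} -le 6 ] || return 1       # keep [ ] from overflowing
            [ "$n" -ge 1 ] && [ "$n" -le "$MAX_LINES" ] || return 1
            printf '%s\n' tail -n "$n" -- "$AUTH_LOG"
            ;;
        uptime)
            [ -z "$arg" ] || return 1
            printf '%s\n' uptime
            ;;
        disk)
            [ -z "$arg" ] || return 1
            printf '%s\n' df -h /
            ;;
        *)
            return 1
            ;;
    esac
}

usage() {
    printf 'allowed requests:\n  auth-log [N]   last N lines of auth.log (1-%s, default 50)\n  uptime\n  disk\n' "$MAX_LINES" >&2
}

# Entry point when sshd runs us; sshd sets SSH_CONNECTION for every session
# and SSH_ORIGINAL_COMMAND only when the client asked for a command.
main() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if argv=$(resolve_request "$req"); then
        # Rebuild argv from the newline-separated words; still no shell parsing.
        IFS='
'
        set -f
        set -- $argv
        set +f
        exec "$@"
    fi
    command -v logger >/dev/null 2>&1 &&
        logger -t log-shell -- "rejected request from ${SSH_CONNECTION%% *}: $req"
    usage
    exit 1
}

if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

The point of the shape: the request is parsed, not evaluated. Nothing from the client is ever placed into a string that a shell re-reads; the only free-form field is a bounded line count, and an interactive login (no SSH_ORIGINAL_COMMAND at all) falls through to the usage text and exit 1. The same script also works as the `command="..."` restriction in authorized_keys, ideally with the `restrict` option, if you would rather tie it to a key than to a Match block.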
Levi Perez
Honestly, that's an XY problem. The true issue here is that you don't have a log aggregator. Logs should be pushed, not pulled. It solves a ton of problems like this. Look into the ELK stack ~~
Kayden Wright
Wow. I'm actually really grateful for this. If it isn't obvious, I'm kinda new with Linux. Just figured I'd insult Linux to get a few comments.
hope i dont get banned. lol
Jordan Barnes
People insult every OS on this board all of the time. It's part of board culture. You just happened to catch one of the few experienced Linux sysadmins on here instead of a bunch of Archfags who don't know dick. Best of luck.
Thomas Williams
Here's a meme to sanitize your thread from janny.
Grayson Moore
> IMAGINE BEING AT COMPUTERS
Joshua Powell
literally looked at this meme every time for years and only recently realized that it's not
Ayden Gutierrez
sudo thread? yay. anyone have any idea why my
user ALL=(restrict) NOPASSWD: /bin/zsh
isn't working?
Brayden Nelson
what are you trying to do with this?
Kayden Long
su into a user that doesn't have network access without a password but I plan on using something similar for firewalling IRC as well
Jonathan Morgan
kinda interested in more context but okay. so I'm assuming user is the user with the power to become restrict, and restrict is the user without network access. ergo sudo -u restrict "/bin/zsh" (as user). what happens?
Christian Garcia
>kinda interested in more context but okay.
that's all there is to it, it's just for running untrusted programs. the problem was unix.stackexchange.com/questions/18830 by the way
maybe I should make a "people who are actually paid to manage linux general" except it would be a ghost town
Ryan King
Hey man. That might be, but you could spout conventional wisdom like that and save many well-intentioned idiots/fools/me some heartache. Lots of us aren't looking for handouts. We'll do our homework, but we need to know what our homework is. The debian handbook ain't cutting it. I'll read rfc's and man pages, and /usr/doc till I'm blue. I just need leads/direction.
I don't have 5 years to dedicate to this...
Recommended reading. Anything really.
Ryder Johnson
In my experience, a *lot* of the leads/direction you seek are actually industry trends, not technical knowledge. Look at new products and popular open source projects and what they're trying to solve and why. You will learn a bunch.
Henry Long
Also, another nugget of wisdom I have picked up: if you spend more than a day trying to get something working, and - crucially - you aren't making significant headway, you are probably going about it the wrong way. There is almost always an easier way out there, or a good reason (usually contained in a StackOverflow post) why things aren't usually done that way.
The principle of least effort is very important in the sprawling world of being a sysadmin. I don't mean be lazy - I mean if you start feeling like you have to hit a system with a metaphorical hammer to get what you want, you should be concerned and googling a little harder. Because your problems should be common problems that have been eroded into simple solutions over time. You'll only come up against truly unique issues once in a blue moon (and usually because the business you work for wants something really, really stupid).
Benjamin Watson
Fair enough. Guess I need some initiative. Then again I guess our needs only partially overlap. More of a bug-hunting pentester than a sysadmin. Guess I need to learn more than PCI-DSS and the like.
Thanks for the perspective. I always heard Sup Forums was a nexus for negativity. Doesn't seem so bad.
Ethan Ward
Also, holy shit. Logstash and kibana are sick. Between them and saltstack, my dreams of owning a secure mid-sized network are coming true.
Hunter Rogers
No matter what your needs, development knowledge + sysadmin knowledge will be a huge help. Doesn't mean you need to train for it specifically beforehand, though. The key is reading up on shit when you run into a problem instead of immediately trying to solve it.
It's incredible how many people will only use the tools they know to solve problems instead of jumping into research mode first. THAT is the trap I've seen so many colleagues fall into and why they fail to advance.
The mindset should be "How did other people solve this?" not "How am I going to solve it?" And if it is a problem unique to you, you should definitely be able to answer the question "Why am I the only person with this problem?"... which, when properly answered, often leads to the discovery that you've made a previous misstep. Or that your boss has asked for something literally impossible.
I know it probably seems like I'm belaboring the point but I can't tell you how many people I've met that aren't good at that mindset switch. They feel they have to "prove" their own knowledge when an issue comes up, which is exactly what prevents them from learning anything new.
Luis Stewart
That...kinda hit closer to home than I expected. Damn. Well, at least I know where to start now. At the risk of sounding obsequious, this really did help.
I am literally one of those people you described. Hope y'all keep the thread comfy. Also, you should totally write a blog. I'd browse it at least.
Robert Morris
I recently put one up but haven't updated it with anything useful as yet. Was mostly a test with static site generators + AWS services
Carson Brown
awk.space
I have a post in the pipe about my experiences fucking around with a raspi. Not the usual shit, I learned about something called a framebuffer and messed around in that. Should finish it soon. Work is keeping me busy though.