[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How to patch a physically weak system & recommended use of sudo?

Tim wrote:
> Hello
> 1. I have a old computer that is slow and has little memory. But I
> want to keep it updated with patches. I can't compile these patches
> on the system but I could do it on another faster system. But how can
> I later apply the compiled patches to the weak system?

In addition to the previously mentioned release(8) process (also
documented here: http://www.openbsd.org/faq/faq5.html#Release), there is
another thing you could do:  run snapshots.  They will have all the
security and reliability updates (before they are in -stable, in fact),
but also feature updates.

> 2. Alot of you seem to use sudo instead of su - when you want to do
> something that requires privileges. Why is this? What settings are
> you using for sudo?

Took me a while to get interested in sudo, which is unfortunate.  Way
cool program.

When I set up an OpenBSD system, one of the first things I do is create
a personal user for myself, put myself in the wheel group, configure
sudo to let wheel users do anything, log in as that user, and disable
root logins.  Completely disable.  This does a few things...
  1) Ensures that random PW guessing attacks at "root" will not succeed.
 (this isn't a huge security gain, but from completely random attackers,
it gives them two things to guess, not just one.  If you are going after
me personally, yeah, not so hard: my most common user name is 'nick' :)
  2) Ensures that for systems that have to be administered by multiple
users (i.e., business users), that there is no one user who has "more"
access than any other, and thus, you have full redundancy in maintainers.
  3) In multiply administered systems, you don't have to share any
passwords between administrators.  Sharing PWs is a bad thing, m'kay?
(su requires sharing of root PWs)

note: while this is a nice trick for OpenBSD, be careful using it on
lesser Unixes -- many need a PW for root access for single user mode (by
default at least).

As mentioned elsewhere, you can also restrict what people do on a system
-- for example, I have set up "controlled" firewalls for schools, where
a teacher could turn on and off Internet connections in their classroom.
 You might not want the teacher to have full access to all functionality
in the firewall, but they do need root-level access to change the filter
rules.  So, permit the proper commands with sudo, wrap it all up in nice
scripts, and it becomes very easy and very transparent.  Try that with
"su" :)  Note that in this case, it isn't that I distrust the teacher's
intent, I just don't trust their knowledge of Unix administration, and
don't want them having accidents... if I didn't trust at least their
intent, I don't think I'd let 'em in. :)

Try it, it's addictive. :)