Consolidated Business & Enterprise Computing Rant Thread

Discussion in 'Business & Enterprise Computing' started by elvis, Jul 1, 2008.

  1. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    36,639
    Location:
    Brisbane
    Yeah, we've had complex sudo rules limited to triplets of user account, workstation and specific commands in production for 30 years now.

    But, you know, Microsoft released a great terminal app the other day. Yay for them catching up with the rest of the world on a few different fronts. Better late than never.
     
    Last edited: May 10, 2019
  2. waltermitty

    waltermitty Member

    Joined:
    Feb 19, 2016
    Messages:
    964
    Location:
    BRISBANE
    Wait till they discover doas(1)
     
  3. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    12,096
    Location:
    Canberra
    ALL=(ALL) NOPASSWD: ALL

    ?

    lol
     
    GumbyNoTalent likes this.
  4. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,668
    Location:
    Pooraka Maccas drivethrough
    the secure administrative workstation concept has been a thing in Windows land since Win 2000, problem is that most Windows shops couldn't be arsed to implement them.
     
  5. tensop

    tensop Member

    Joined:
    Mar 26, 2002
    Messages:
    1,413
    if you've read the PAW guide you can sort of see why
    its an instant eye glazer
     
  6. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,281
    And how do they work out in production for you?

    The reason it's rarely done, hasn't been technical for a very long time.
     
  7. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    7,378
    Location:
    Briz Vegas
    Yeah in Linux we call that the "commandline" usually keeps people who have NFI from doing anything, like Windows Admins. ;)
    However in all seriousness isn't this why you have privileged accounts and user accounts, thus not surfing the web on a privileged account and then doing important stuff on privilege account should be seperate and even on a per server basis? I thought that is why MS had such a complex AD structure to allow such things to occur? Or (here comes the swipe) has MS stuffed up user space so much you now need to physically seperate software activities? :)
     
  8. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    36,639
    Location:
    Brisbane
    For me? Fine. Puppet rolls it out securely, policies are enforced, shit works.

    I'm interviewing around at the moment for a new gig, and I'm pleased to see the same in a lot of places. Substitute "Puppet" for Chef/Salt/Ansible, but the result is the same. Most folks are doing a pretty good job of it. (Worth noting that most of the people who work on those places don't post on forums or social media, which fascinates me about the Internet echo chamber).

    About the only people who fuck it up are Windows shops where they put a Linux appliance in the corner and proclaimed loudly that "Linux is too hard", so everyone gets root access, and all problems are solved with "chmod -R 777". Apparently ACLs are "easy" but UNIX permissions are rocket surgery?
     
    GumbyNoTalent likes this.
  9. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,281
    A little from column A, a little from column B.

    You've got $Shitware LOB app that only works on Windows 7, and needs Local Admin and Java 6 to run.
    So even though I've got a PabloSA and PabloDA account (server admin, domain admin) as soon as I run anything as them on my Win7 machine, which my normal account is local admin, a malicious admin can make use of the myriad tools to grab my hash, or steal the password from memory.
    I can run a PAW on the latest build of Windows 10, with all the cool credgaurd stuff enabled, still be able to use $Shitware, and be in a much better position, security wise.

    Infosec is like an Onion... It makes me cry



    How much of an impasse is it for the people that have to work with/through them? does every just end up going sudo su because it's easier/quicker?


    There's always going to be a security -> usability trade off PAW's are just another thing to include when weighing up the pros and cons of a given design.
     
    GumbyNoTalent likes this.
  10. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    7,378
    Location:
    Briz Vegas
    :thumbup: best analogy of infosec ever!
     
  11. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    36,639
    Location:
    Brisbane
    This is beginning to feel like the discussions I have with my (now employed for 2 years) work offsider who's a Windows admin by trade, and still struggling to grok Linux on a daily basis.

    No, I don't need to give everyone sudo for shit to work. In fact, fewer than 1% of our staff population have sudo access, and the people who do require it for very specific reasons, so they get exactly what they need (account/command/host triplet) and no more.

    It's no impasse. Everything works as needed, production keeps trucking on 24x7.

    Compare and contrast to the Windows boxes we roll out, where there's constant requests for admin access to do basic things that really shouldn't require it. Is that Microsoft's fault? Most of the time, no. It's shitty third party vendors doing very, very dumb things. But with that said, the Windows ecosystem enables them to do said dumb things. Under Linux most things happily run in user space where they belong. So, for example, when we fire up some shithouse (yet insanely expensive) Autodesk application in Windows that needs admin access to work, we find it doesn't need that at all under Linux to work. So as much as we can blame the third party for doing dumb shit, I can also comment that one environment encourages laziness, and one does not. There's no one vendor singularly at fault there. It's a combination of laziness from a combination of sources.

    So again, the assumptions that it's all the same as Windows are wrong. Sudo is not difficult to configure securely nor usefully. Sudo is not difficult to roll out. Sudo does not need to be lazily applied so everyone is root all the time to work. It's no impasse, and has been around and working in competent sites for a long time (since 1980, according to Wikipedia). Windows (and its DOS heritage) started life as a single user OS, and has struggled to morph into a secure multi-user OS with functional privilege separation. And to be perfectly fair, Linux suffers similar growth pains but in reverse - an enterprise, multi-user, secure, server oriented operating system that has struggled to gain a foothold on the desktop due to being "too hard" for "regular people" to do "easy things", precisely because of all that security and privilege separation. Both operating systems are constantly improving toward a middle ground of usability and security (Windows 10 is far more secure than previous versions, and modern desktop Linux is far easier to use by regular numpties than in years gone by). So with all cynicism aside, I do celebrate the fact that Windows is getting shit right that Linux did 20 years ago, and likewise in reverse when Linux does the same and makes something easy to do without needing a degree in CompSci. But, back to the quoted text above, no, Linux doesn't suffer the same security blunders Windows does (whether by design or by generations of bad habit).
     
  12. tensop

    tensop Member

    Joined:
    Mar 26, 2002
    Messages:
    1,413
    What does computer science have to do with IT? :p
     
  13. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    36,639
    Location:
    Brisbane
    /thread
     
  14. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,599
    Location:
    Canberra
    Except windows permissions have been easy as fuck for about 2 decades.
     
  15. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    7,378
    Location:
    Briz Vegas
    NIX permission easy as fuck 4 decades, configure sudo not to allow su easy as fuck for 3 decades. NIX allowing shitware only to run in non privileged mode easy as fuck for 30 years. Is MS who write Windows suggesting you need to have a hardware seperation not a software one, I guess they would know how secure their OS is as they write it.

    Sudo - su is for lazy fucks, same as Windows admins doing <INSERT LAZY SECURITY>.
     
  16. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    36,639
    Location:
    Brisbane
    If by "permissions" you mean "admin" or "not admin", sure. Win2K did that well enough, I guess.

    Was a little harder to tell Win2K to give a certain person rights to run a certain binary as another arbitrary (not always the root/system) user on a certain class of machines, while ensuring certain environment/shell conditions did or did not exist, and certain binary and library path conditions did or did not exist. Because that's what sudo could do at the same point in time.

    Complex? Perhaps. But you can do a whole lot more useful stuff than just the extremes of "pleb" or "God of destruction" rights.

    And again, it's great that Windows is finally catching up, now. I wish it had that 20 years ago, but better late than never.

    Alternatively if you're talking about on-disk permissions, I'm not. I'm talking about what sudo (and now PAW) were designed for.
     
    Last edited: May 11, 2019
  17. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    1,870
  18. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    36,639
    Location:
    Brisbane
    I don't know a sysadmin worth their pay cheque who would even consider Canon printers.

    Only bean counters make those sorts of stupid calls. And if you want bean counters to run your technology department, you get technology that works as well as a bean counter would as a sysadmin.
     
  19. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    24,633
    Valid point, however the device in that link isn't a printer though, it's a scanner.
     
  20. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,599
    Location:
    Canberra
    no?

    https://social.technet.microsoft.co...-server-default-user-accounts-and-groups.aspx

    Its no fucking different from anything. Build a Group, create a GPO that configures policy, configure what conditions said policy will apply, add users/devices to group.

    App problems are absolutely key - but plenty of people have used procmon and grant rights to do things that "require admin rights because i am a lazy vendor" in environments that don't have it. Sure this is bleeding into soe's and software packaging - and the skills to do that - but don't try and tell me that building selinux or sudo for random end-user cots applications is linux101.

    You know what I want? An OS that was *never* designed to be a general unwashed masses OS, that when you turn it into one, you get some pretty curated software to finely control that experience - rather than the typical Windows platform in SME where people run any random piece of shit app that has 2 parts fuck all to no care for security.

    User Rights Assignment has existed since 2k. Probably NT as well - but I'm not that old.

    Neither - but in terms of grouping all of this shit - Windows just treats it the same. Obv. you need GPO or some form of local policy distribution, which gets as fucking granular as you want it to be.

    UAC is obviously another level on top - but most of these rights existed a *long* time ago.
     
    Last edited: May 11, 2019

Share This Page

Advertisement: