S3E21: "Sussudo"

Posted
Comments 0

Navigation
Previous EpisodeNext Episode
Log
Recorded (UTC) Aired (UTC) Editor
2018-12-10 03:10:54 2018-12-17 00:15:08 "Edita"
Verification
Format SHA256 GPG Audio File
MP3 e1ecd4346cdb823c64b41f2dfcee87b6db119262bd119cfaebbb7a823fe8515f click click
OGG 57c99f2aec28384f3c67f7aad78667b6ecc1fbe7d354d52fa3303c28da99d2c7 click click

News

Notes

Starts at 17m06s.

I was drinking chamomile tea and a Shock Top Lemon Shandy. Paden was drinking a Coors Lite. Jthan was drinking Wasmund’s Rappahannock..

  • Sudo in-depth
    • Resources:
    • When to su vs. sudo?
    • sudo -i vs sudo su
    • Auditing:
    • Use visudo. It checks syntax and will prevent you from locking yourself out of sudo.
    • sudo [-U <user>] -l will list privileges you or another user has access to.
    • Be sure to use double double quotes ("") to disallow args to whitelisted commands!
    • Be VERY careful with e.g. sudo less, sudo more, sudo vi, etc.! These can spawn subcommands/subshells! Specify NOEXEC (or use groups-based permissions on e.g. log files instead, etc.)
      • Alternatively, write a specific script that ONLY spits out specific files to stdout.
    • Sudoedit is a special command that uses the invoking user’s $EDITOR, shell escapes, etc. and uses a temp file before writing to the (protected) destination file.
    • MOST of the invoker’s environment variables are stripped/sanitized.
    • We didn’t talk a lot about it, but Sudo supports LDAP.
    • Sudo can also enforce checksumming for scripts!
    • Sudo is useful in that it will let you “become” another user for debugging environments/perms/etc. via sudo -i [-u <user>] (leave -u off for a more proper sudo su replacement!)
      • For example, to debug Nginx issues, I will frequently open a shell as the nginx user: chsh -s /bin/bash nginx; sudo -i -u nginx; chsh -s /sbin/nologin nginx

Sysbadministration Award

In this segment, we highlight system administration mistakes. Think of them as the IT equivalent of the Darwin Awards. (49m40s)

Quora got they asses smacked, but it took them a week to announce it.

Errata

Music

Music Credits
Track Title Artist Link Copyright/License
Intro Take Your Time Bio Unit click CC-BY-NC 4.0
Outro Aimer, c'est ce qu'il y a de plus beau Monplaisir click CC0 1.0
(All music is royalty-free, properly licensed for use, used under fair use, or public domain.)

Author
Categories

Comments

There are currently no comments on this article.

Comment...

Enter your comment below. Fields marked * are required. You must preview your comment before submitting it.