Category: Thoughts

  • Where’s The Sudo? The Current Portrayals and Betrayals of Permissions

    What’s Up With the Lack of Permissions Discussion?

    When sudo permissions come up, they are at best glossed over and at worst treated as if they carried no importance at all. Many posts and instructional videos show how to set up a user with sudo privileges, but never dig into details like the importance of granting only the minimum permissions required. Use cases that go beyond the single-user personal computer need tighter security, so setting up users with full sudo access they don’t need is careless in an instructional setting, and careless toward yourself to begin with. The way sudo is presented in most public content, a user either does or doesn’t have superuser privileges. Clearly, there is much more to sudo than that.

    Another case of carelessness I’ve seen is skipping the creation of a sudo user altogether and doing every task as root. There is a time and a place where using root might be necessary, but far more often, setting up a user with sudo access and locking the root account is the best way to go. Root can take any action without it being traceable to an individual in the logs, and that is scary if someone manages to gain access to your machine. Running only as root is the equivalent of leaving all the doors in your house wide open while you’re away on vacation: sure, someone would have to find a way to your house first (gain remote or physical access to your computer), but once they’re there, what’s stopping them from taking everything inside? This is why root-only usage is not best practice.

    Setting up users with the minimum amount of permissions needed is always the way to go, regardless of whether it’s an enterprise environment or your personal computer. There’s no better pain in a malicious actor’s backend than realizing the extent of a user’s sudo privileges is nowhere near what they need to do their damage. Think, for example, of the tasks you realistically do on a daily basis. This can vary widely from person to person, but let’s say the extent of your need for sudo is package maintenance: updating, installing, and removing packages is all you realistically need to do on a daily basis in this case. So what would be the real harm in restricting your daily driver account to sudo access for only these functions? If that’s truly the only thing you ever need daily, then it won’t be an inconvenience, and you can have an additional account with more sudo privileges if you ever need to do more. Using this method, if your user ever gets infected or compromised, you’ve effectively safeguarded your computer from further damage. Even though this is usually best practice for less knowledgeable users’ permissions, it’s not a bad idea to use it for yourself as well. It’s the Standard User and Admin User approach to permissions, much like how you would ideally set up a Windows machine.

    When granting sudo permissions for only certain applications, you also have to watch out for the nasty ways someone can still escalate their privileges through the access they do have. A common form of this is executing shell commands from inside a text editor like Vim. If you’re not careful and don’t ensure their entry in the sudoers file carries the NOEXEC tag, they can run commands from within Vim and BOOM, they’ve escalated to the undetectable root user. The same goes for shell scripts. Say they can no longer spawn shell commands because of NOEXEC in their sudoers entry, but they have sudo permission to run certain shell scripts and also have write access to those scripts: you’re still in a world of hurt. All they need to do is add escalation commands to the scripts they already have permission to run, and once again you’ve got a huge problem. Always be aware of the nuances of sudo permissions, as holes like these won’t always be an obvious side effect of a grant but will leave you no better off than when you started.
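    As an added example (not from the original post), here is a small Python checker for the two pitfalls just described: a sudoers entry for a shell-capable program that lacks the NOEXEC tag, and a script the user may both edit and run via sudo. The sudoers fragments, the maint user and backup.sh are constructed for the demonstration; the parser handles only plain user-specification lines, not aliases, Defaults or includes.

```python
import re

# Programs that can run other commands from inside themselves; a sudo rule for one of
# these needs the NOEXEC tag (list is illustrative, not exhaustive).
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man", "find", "awk"}
# One simplified user specification: "user host = (runas) TAG: cmd, TAG: cmd".
# Defaults, alias definitions and @include lines are outside what this parser handles.
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@")

def parse_user_specs(text):
    """Yield (user, runas, tags, command) for each command granted in sudoers-style text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = SPEC_RE.match(line) if line and not line.startswith(SKIP) else None
        if not m:
            continue
        user, _host, runas, rest = m.groups()
        for cmnd in rest.split(","):
            tags, cmnd = set(), cmnd.strip()
            # Tags precede the command, each ending in a colon: "NOPASSWD: NOEXEC: /usr/bin/vim"
            while ":" in cmnd and cmnd.split(":", 1)[0].strip().isupper():
                tag, cmnd = cmnd.split(":", 1)
                tags.add(tag.strip())
                cmnd = cmnd.strip()
            yield user, runas or "root", tags, cmnd

def audit_sudoers(text, is_writable_by):
    """Flag the escalation paths above; is_writable_by(user, path) is supplied by the caller
    (a real audit would stat the file and compare owner and mode)."""
    findings = []
    for user, runas, tags, cmnd in parse_user_specs(text):
        prog = cmnd.split()[0] if cmnd else ""
        name = prog.rsplit("/", 1)[-1]
        if cmnd == "ALL":
            findings.append(f"{user}: unrestricted sudo (ALL) as {runas}")
        elif name in SHELL_CAPABLE and "NOEXEC" not in tags:
            findings.append(f"{user}: {name} can run other commands as {runas}; add NOEXEC")
        elif is_writable_by(user, prog):
            findings.append(f"{user}: can edit {prog} and run it as {runas}")
    return findings

# Constructed sudoers fragments: the careless grants and the tightened version.
WEAK = """maint ALL = (root) /usr/bin/vim /etc/hosts
maint ALL = (root) NOPASSWD: /usr/local/bin/backup.sh"""
HARDENED = """maint ALL = (root) NOEXEC: /usr/bin/vim /etc/hosts
maint ALL = (root) NOPASSWD: /usr/local/bin/backup.sh"""
# Constructed file state: in the weak setup backup.sh is owned by maint; in the hardened one by root.
WEAK_WRITABLE = {("maint", "/usr/local/bin/backup.sh")}
```

    NOEXEC works by preloading a library into the program sudo launches, so it cannot restrain statically linked binaries; the sudoers manual documents this limit, which is one more reason to keep the command list short.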

    Although this was a mini rant brought on by seeing sudo omitted so often, I can’t encourage enough the inclusion of more detailed and appropriate sudo setups in creators’ content. As someone who started with no knowledge, just like everyone else, I look back on the videos and media I consumed early on and wish I had seen more examples of the importance of sudo and of security hardening as a whole. A lot of these instructionals on how to set up a home server exposed to the internet have an astonishing lack of detail regarding operating system security, considering the exposure to threats they introduce. I guess if getting you hacked was secretly their plan, then it makes sense that they would have you assume that making no additions to sshd_config and sudoers was perfectly okay and normal…

  • Are Books In Tech Still Needed?

    In the current age, with such robust resources accessible right at our fingertips, what role do books and physical media really play in the tech world? To be fair, it is hard to beat online resources: they take up no physical space, they can be revised endlessly without your needing to buy new editions, and, best of all, most are free. That being said, there are still benefits to keeping books and manuals at your disposal. There’s a reason they are still being printed and purchased, even though everything has its own digital version for sale at the same time.

    Here’s my latest read, with 1 billion sticky notes

    Ease of Use

    One thing I always loved back in my music days was having most of my texts in physical formats. Copies of textbooks, sheet music, or any other reading material were always on hand, littered with penciled-in notes and alterations. Being able to have something in front of you with no technology needed was, in my experience, removing obstacles from your ultimate goal: having the material and editing whatever you wanted without wasting time. Appending sections with additional notes or markings, or removing sections altogether, was as simple as putting graphite on paper. Not having to worry about how to configure these things in a program, and then losing your flow altogether, makes a huge difference. These items from those days are still with me today for reference (to my fiancée’s frustration, since the collection is quite extensive and she doesn’t let me forget it).

    Although this was more practical as a gigging musician, and maybe not as convenient in tech since you are already at a computer, it still has its place. It provides a distraction-free environment that can always be transferred into a more readily accessible digital format. A lot of the time, specifically with sheet music, I would print it out and do my edits on that copy, and later on either scan that paper into my computer or re-edit the sheet music file altogether. The pencil and paper were my literal scratch pad, and then once I was home (or had the will to do it), I would take the time to program the edits into Sibelius notation software.

    With regard to tech books, you can always make your notes in the book, and then make a reference document using the book’s material with your additions added in. This way, not only are you going through it while writing physically, but you are then taking the time to synthesize the book and your own words into a reference for whatever it is you’re learning about. This is learning 101: it is well studied that the processes described are tools for more effective learning, including quicker retention of the material. Besides, let’s be real, everybody loves good documentation.

    Version Control

    Unless you are purposely copying and storing your own little library of data containing your favorite online resources, the state of online resources is that they are living documents: they can be edited or completely altered at a moment’s notice. Now, this admittedly isn’t a huge concern, but it is something you can rely on physical media for. What you have in front of you is yours, and isn’t subject to total annihilation just because someone forgot to renew their domain. You can depend on that information being there just like you remember it, as long as you don’t cripple the text with a misplaced cup of coffee (don’t ask me how I know this, I’m still bitter).

    Texts, whether in digital or physical form, go through changes and new editions. No one is arguing that. But when a useful paragraph regarding the BTRFS filesystem you were referencing ceases to exist, it is a pain to go through archival tools like the Wayback Machine just to retrieve this data as you proclaim “what was the reason for this!”. With physical media, unless you completely nuke your book with coffee (again, don’t ask), it will always be a reliable source for your information. Keeping multiple editions of books, although spatially taxing, is also a good way to keep information from the older volumes that may have been phased out in the newer editions. With something as fast progressing as tech, everyone knows it’s adapting rapidly and new things are replacing technologies all the time, meaning these documents need to keep up with the latest and greatest. Depending on your use case, maybe you still need the edition that isn’t completely overtaken with systemd knowledge, and the second edition still retains robust chapters on your now technologically prehistoric init system. Well, lucky you, it’s sitting on your bookshelf, more than likely covered in dust.

    Downsides

    Look, it’s not always going to be the best decision to have physical media. There’s something to be said for having the text in digital formats, regardless of whether you also have it in physical media. Books take up space, they’re oftentimes expensive, and most people don’t touch them after they read them through one time. This is always going to be a matter of preference; no two people are going to feel the same way. Also, let’s be real, with tech you’re not exactly talking to the right demographic about keeping things in an objectively more inconvenient format. Why have a book when a PDF is always on my computer, and I can go right to where I need once I search a keyword? Absolutely valid. If I need to take them somewhere, why have bulky books when I could just bring my laptop instead? You’re not wrong. There will always be a give and take, and this is no exception.

    Final Thoughts

    As I am clearly not unbiased on this topic, I feel having physical text is indispensable. It’s way too easy to make edits to the text, it will always be the same information without surprise alterations, and it gives your eyes a much needed break from the bright glowing screen like the one you are looking at right now (I can see they are quite bloodshot, take a break!). Using multiple tools at your disposal is a proven way to fast track your learning, so writing things down and then typing them up later is a great example of deeper learning at work. A multimedia approach is what carried me through my musical studies all those years, and is what helps me now as I navigate my travels through the world of Linux. Although these Linux technical books aren’t as cool as my physical copy of The Planets full orchestral score (you best believe that’s all penciled up!), using physical media will always be the groundwork for my studies, and always an indispensable asset to anyone’s learning toolkit.