The truth about #sudo: https://security.stackexchange.com/questions/232924/is-sudo-almost-useless

> Sudo has no real security purpose against a malicious third-party. [...]

> In the past I believed it was actually a security control to prevent escalation of privilege and make attacks harder [...], but that's actually false. [...]

> The only purpose of sudo is to protect you from yourself, that is, to avoid messing up your system by mistake

One of sudo's co-author also gives his opinion, go check it out!

#linux #security #cybersecurity

🔧 Otimize Sua Experiência no Linux com 3 Ajustes de Sudo! 🐧🔑

Descubra como pequenos ajustes no uso do comando sudo podem fazer uma grande diferença na administração do seu sistema Linux. Aumente sua eficiência e segurança com essas dicas práticas!

👉 Saiba mais no blog: https://nova.escolalinux.com.br/blog/3-ajustes-para-se-fazer-com-sudo-no-linux?utm_source=dlvr.it&utm_medium=mastodon

#Linux #Sudo #DicasLinux #Segurança #Administração

While #NixOS should not be affected by #CopyFail as it uses recent kernels, here are additional fixes you can apply:

Disabling setuid does not mitigate it, but reduces the attack surfaces overall significantly.

Instead of #sudo, #su, #pkexec and other #setuid binaries you can use #run0 or a dedicated root account.

I have disabled setuid for a bunch of binaries I don't need, they still work when ran as root, with run0 or #sudo-rs.

```nix
boot.blacklistedKernelModules = [
"algif_aead"
];

security.sudo.enable = false;

security.wrappers = {
su.enable = false;
pkexec.enable = false;

# example setuid binary
chsh = {
source = "${pkgs.shadow}/bin/chsh";
setuid = lib.mkForce false;
owner = "root";
group = "root";
};
};
```

3 Sudo Commands That Will Impress Your Terminal (and Your Cat)

https://watch.linuxrenaissance.com/w/btNeoRxFp33DMYQRGSwv3W

Ubuntu Is Replacing SUDO. Should You?

https://watch.linuxrenaissance.com/w/v2dWpZzWtYHQ6NrnMN8Zpz

Думаем графами с IPAHound

Всем привет, меня зовут Михаил Сухов, я участник команды PT SWARM. Нам в команде все чаще встречается инфраструктура, построенная на базе альтернативных реализаций службы каталога Microsoft Active Directory. Одной из таких реализаций, заслуженно получившей большое распространение является FreeIPA. В ходе работы с FreeIPA стало очевидно, что можно изучать еще и архитектурные особенности, которые сильно отличаются от AD. Так появился IPAHound — наш аналог BloodHound для FreeIPA. За основу был взят проект BloodHound Legacy с поддержкой PKI. Мы неоднократно использовали IPAHound в своих проектах по поиску уязвимостей. В этой статье я расскажу о нашем инструменте. Также посмотрим на различные способы анализа связей, облегчающие продвижение в FreeIPA.

https://habr.com/ru/companies/pt/articles/1028412/

#ipahound #freeipa #ldap #sudo #selinux #kerberos #pentest #ald pro #bloodhound

Title: P2: Doas instead of sudo [2025-05-04 Sun]

♲ #dailyreport #linux #administration #permissions #secops #sudo #doas #network #bash #proc

Title: P1: Doas instead of sudo [2025-05-04 Sun]

permit setenv { WAYLAND_DISPLAY XDG_RUNTIME_DIR } nopass g
as ff
doas -u ff firefox
-----------------------------------------------------
With help of AI I have written a simple bash scrippt that
output average network bandwidth by reading directly
from /proc/net/dev

I think 70 lines is better than some special app with
writing output parser for it. #dailyreport #linux #administration #permissions #secops #sudo #doas #network #bash #proc