Re: Apple recommending anti-virus software for Macs?

#
# Protecting yerself from an errant 'rm'
#

Wes Groleau <groleau+news@xxxxxxxxxxxxx> wrote:
Troubled Tony wrote:
> To be ultra-safe with the 'rm' command, make it an 'ls' command
> first, check that's the correct target, then do an up-arrow to
> get the commandline again, type a Ctl/A to get to the beginning
> of the line, Ctl/D's to delete the 'ls', then type '\rm -rf' to
> execute the 'rm' and bypass the interactive questioning of 'rm -i'.

Easier:

ls xy*z
rm !$

If I have enough sense to do the 'ls' then I don't need the -i

I have to chuckle at the qualifier 'If I have enough sense.'

As one who will sometimes make a typo, and has blown hitting '!$'
correctly, I will stick with my own medicine on this one. Usually
I'm deleting one file, in which case I do exectly what you showed,
But I'm running with 'rm -i' and the 'y' prompt gives me one last
chance. Finder will ask for confirmation of emptying the trash, no
different.


Warren Oates <warren.oates@xxxxxxxxx> wrote:
Troubled Tony <nonexistent@xxxxxxxxxxx> wrote:

> An experienced admin aliases 'rm' to 'rm -i' in both his user
> and root accounts.

Not a bad idea for root, It would drive me nuts in my user account.

I dunno, you might consider it. All you have to do to bypass the alias
is tap the '\' key. That is, '\rm'. The 'r' is "escaped", but it didn't
have a special meaning, like say "*". However as a side-effect, the
'rm' alias is not looked up and expanded.

Warren Oates <warren.oates@xxxxxxxxx> wrote:
There's an alias you can set up in the c shell, creates a "trash"
folder. I've never got it working with Bash.

alias del 'mv \!* ~/trash_dir'

BASH might be born again, but it still has sh functions.

prompt> echo $SHELL
/bin/bash
prompt> bb() { echo "$* ZOT"; }
prompt> bb 34543
34543 ZOT
prompt> bb ~
/Users/user ZOT

I use tcsh for interactivity, but I script in /bin/sh. Bourne Shell.



#
# Mr. Jolly's advice to use a non-admin account
#

Wes Groleau <groleau+news@xxxxxxxxxxxxx> wrote:
Troubled Tony wrote:
> What's the difference between the two accounts if you manage to
> install in your user malware that was recording your keystrokes?

The difference is that one account is not able to install that.

Well, 'install' can simply mean downloading something into your default
downloads directory and executing it. No need for system-wide installation.
I accidentally used wording that backs up this point: "install in your user".

And yes, the non-admin account _could_ do a system-wide installation. It
would happen the same way as for an admin account! A GUI-wrapped install
triggers the 'login with admin credentials so I can execute as root'
standard popup window. The non-admin user types in an admin name and
the admin's passwd.

Mr. Jolly's point was to use the least level of privilege necessary.
I see no value added in using an admin and non-admin account for
yourself. In Apple Darwin Unix, being in group 'admin' (type 'id')
means you can become root. This is both in the form of using 'sudo',
as well as when the GUI prompt for the admin credentials occurs.
Historically, on systems that used a group entry to limit which
users may become root, the name was 'wheel.'

Both accounts can equally install files.




#
# Another tool for executing something as 'root'
#

billy@xxxxxxx wrote:
Troubled Tony <nonexistent@xxxxxxxxxxx> writes:

> Sometimes Finder won't do something because of
> permissions, and fails to ask for the admin passwd
> or fails even when it does ask and you give it.

Here's a GUI tool to run something as root that works
under OS 10.3.9, will likely work on OS 10.4.11, and I
don't know about OS 10.5 -

http://personalpages.tds.net/~brian_hill/pseudo.html

Well, ugh, I guess some people would use it, albeit it
hopes you'll live up to its $15 shareware request.

$15 to execute something as root?

# Pseudo is a drag-and-drop application that allows you to
# launch other applications in the OSX Desktop as the System
# Administrator or 'root'.

Oh, I was going to ask how I can invoke a program and give it
commandline args or shell redirection, but it's not meant for
that. One could create a shell script with the args/redirection,
but that's not something a systems administrator does just to
drop it on a GUI.

I recently needed to run KeyChain Access as root, it would not
accept the normal admin credentials in the popup window.

So I typed 'su', type the password, ran it from its /Apps pathing,
typed a Ctl/D to exit the root prompt.

That I type an EOF is a trivial difference versus 'sudo' exiting
after executing the command. 'sudo' was never designed as a tool
for root users to execute one command as root. I've already
posted the details in this thread, in book form. ;-)



#
# To 'su' or to 'sudo'
#

I have no idea why anyone might be enamored with 'sudo' for
executing a command as root. You can always preceed the command
with 'exec ' to have it exit after one command (back to your
user shell prompt), and if you made a one character alias for
'exec' then one is down to arguing which is a character or
two less typing. I could even make an alias for 'sud' that
uses 'su' and returns after one command and is one character
shorter to invoke than 'sudo'. The whole thing is of no importance.
If you like 'sudo', use that instead.


Warren Oates <warren.oates@xxxxxxxxx> wrote:
Troubled Tony <nonexistent@xxxxxxxxxxx> wrote:

> That's running as root, dude.

Well, no it's not.

sudo id
Password:
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),101(com.apple.sharepoint.group.1),5(operator),80(admin),102(com.apple.access_ssh-disabled),20(staff)

Yes, it is.

A less terse 20-questions type post like Tom made is of
more use to the group.

Tom Harrington <tph@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Troubled Tony <nonexistent@xxxxxxxxxxx> wrote:

This is why the "sudo" command was invented.
>
> That's running as root, dude.

Yes, but it's not the same as using "su" to open a root shell, which was
your solution. It's root for one command as opposed to an indefinite
period of root access.

I'm sure that you'll admit there is no difference from a security
standpoint, because 'sudo' can invoke a root shell.

That also moots your claim of 'an indefinite period of root access' being
a difference.

'sudo' was designed to be a mechanism with which you could say give a
user comtrol over his cubicle farm's printer queues; to become an lpadmin
without also getting root access. It was a mechanism designed to provide
the ability to define granular access to resources, along the 'least
privileges necessary' paradigm.

Using 'sudo' to execute a root command, even if sudo provides the "service"
of returning after executing the root command, is not only not what 'sudo'
is for, it's of no added value for that.

Ever find yourself executing more than just the one 'sudo' command that
you thought would be all that's needed? Sure. The general principal 'sudo'
proponents seem to make is to get into root and get out as soon as you are
done. Fine. That doesn't make 'sudo' superior to using 'su.'

If you prefer to use it though, go ahead. But you've got no claim to say
it's better than just su'ing. It's just your preference.


Billy Y, thanks for sharing some 'sudo' config tips, some people
will zero out the "credentials" time.
.

Relevant Pages

  • Re: any way to track commands of a user logged in through ssh
    ... applies _to that command only_. ... the command they want to run with 'sudo', ... I use/run a Shell command that requires 'root' privileges...Especially ... So what do you think about creating a separate 'group' for certain ...
    (comp.os.linux.misc)
  • Re: Problems with su/sudo
    ... admin account on the command line and then sudo from there. ... Having the root account "disabled" ... the above sequence does work from an admin account in the default ...
    (comp.sys.mac.system)
  • Re: Vote for new Ubuntu Feature---Lets try it again
    ... If I sudo <command> (and am ... authorised to so that command) my privileges are upped to root (or ... you want to do several commands as root. ...
    (Ubuntu)
  • Re: Im Beaten
    ... which lists which users are allowed to user "sudo" ... then the command is run as root. ... man sudoers has some examples on how to allow an app to be ran ...
    (Ubuntu)
  • Re: Im Beaten
    ... sudo is a command that means "do as su. ... then the command is run as root. ... man sudoers has some examples on how to allow an app to be ran ...
    (Ubuntu)