bensimmo
Posts: 5446
Joined: Sun Dec 28, 2014 3:02 pm
Location: East Yorkshire

Re: Suggestion: remove NOPASSWD for pi

Sat Sep 11, 2021 2:16 pm

epoch1970 wrote:
Sat Sep 11, 2021 1:13 pm
dickon wrote:
Fri Sep 10, 2021 10:49 am
Well, FWIW, I got bitten by this same thing a few days ago: managed to assign a real-world IP address to a Pi that's been happily on a 1918-only network for months, and it got turned into a scanning bot in a matter of hours.
You were bitten because you exposed a machine configured with the well-known "pi" user and a weak (or default, well known) password.

Having to repeat your own password when running sudo is something else.
For me I think making password mandatory for pi as a sudoer will push beginners into using short passwords, and include it as clear text in scripts. I vote Nay.
As someone who has to reset passwords on Pi's, (they auto log in), it's helpful never to have to put a password in for root/sudo. Pesky children ;-)

Just provide it as an option.

dickon
Posts: 2012
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, in Towcester

Re: Suggestion: remove NOPASSWD for pi

Sat Sep 11, 2021 2:59 pm

epoch1970 wrote:
Sat Sep 11, 2021 1:13 pm
dickon wrote:
Fri Sep 10, 2021 10:49 am
Well, FWIW, I got bitten by this same thing a few days ago: managed to assign a real-world IP address to a Pi that's been happily on a 1918-only network for months, and it got turned into a scanning bot in a matter of hours.
You were bitten because you exposed a machine configured with the well-known "pi" user and a weak (or default, well known) password.
Default.

I only ever login to it as root; I'd completely forgotten the Pi user existed. There was something niggling me at the back of my mind when I realised it'd been assigned one of my /28 rather than the usual 1918 range on that network, but clearly not enough to make me deal with it. Ho hum. No (real) harm done.
As it is apparently board policy to disallow any criticism of anything, as it appears to criticise something is to criticise all the users of that something, I will no longer be commenting in threads which are not directly relevant to my uses of the Pi.

epoch1970
Posts: 6951
Joined: Thu May 05, 2016 9:33 am
Location: France

Re: Suggestion: remove NOPASSWD for pi

Sat Sep 11, 2021 3:10 pm

HermannSW wrote:
Fri Sep 10, 2021 11:11 pm
I agree with Dougie, first make sure that you don't suffer sudoitis.
In case of a real need to "run as root", setuid can be used (contains a valid scenario):
https://en.wikipedia.org/wiki/Setuid#SUID
Setuid only works with binaries, not scripts. Sudo works with either.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

GlowInTheDark
Posts: 1974
Joined: Sat Nov 09, 2019 12:14 pm

Re: Suggestion: remove NOPASSWD for pi

Sat Sep 11, 2021 3:21 pm

Since NOPASSWD makes the system easier to use for new users
FTFY
Poster of inconvenient truths.

Linux zealot and proud of it.

"nokcid" wants to date me.

ejolson
Posts: 8117
Joined: Tue Mar 18, 2014 11:47 am

Re: Suggestion: remove NOPASSWD for pi

Sat Sep 11, 2021 3:40 pm

m4r35n357 wrote:
Sat Sep 11, 2021 10:13 am
ejolson wrote:
Sat Sep 11, 2021 10:02 am

Is that what's going on?
Nope.
ejolson wrote:
Sat Sep 11, 2021 10:02 am
It's also worth noting that a more secure arrangement would be a pull-type setup where the backup server logs into the Pi to fetch the files for the mirror operation rather than the other way around.
If you are seriously giving me (unrequested) advice I would expect more engagement than that, like understanding the script ;)

The server does not know the list of clients, that is a feature!

Each client machine has its own backup list.

Can you guarantee that your "pull-type" setup will not need sudo?

Basically, these scripts have been working reliably for decades, and it will take more than casual forum comments to make me reassess them!
Yes, I read your script and gave my peanut gallery assessment. Whether push or pull is used to transfer the files depends on the trust relationship between your backup server and the other machines. From a practical point of view, it is usually more difficult to ensure the computer used for web browsing, email and other tasks is secure compared to a system used only to store backups. On the other hand, if the backup server is a converged appliance like a QNAP NAS, all bets are off.

One of the reasons people need to restore from backups is because of cryptolocker type malware. If the machine that needs to be restored also had remote access to the backup server, chances are the malware has found and destroyed the backups. With a pull setup, the machine that needs a backup restored never had sufficient permission to infect the backup server.

Another reason people need backups is because of hardware failure. Irritatingly enough, hardware failure is quite likely to happen during the intense disk activity that occurs during the backup itself. As the script is only mirroring a drive rather than backing it up, it's possible entire directories get overwritten or deleted from the mirror as a result of hardware failure. The script will also overwrite good data with files that have been silently corrupted.

To see whether your backup works, try accidentally deleting a file, running the backup script and the next day restoring the file that was deleted. If this is not possible, it's not much of a backup.

If you decide to stick with what you have, that's up to you. My point here is not to convince but to point out some aspects of backups that seem not addressed by the script you posted. An easy improvement is making snapshots of BonsaiBackup on the NAS. A simple scheme suitable for non-enterprise use would be to retain one each of a weekly, monthly and daily snapshot.

pidd
Posts: 2527
Joined: Fri May 29, 2020 8:29 pm
Location: Wirral, UK

Re: Suggestion: remove NOPASSWD for pi

Sat Sep 11, 2021 5:37 pm

Making a Pi an internet server shouldn't make password-free sudo from user pi a risk unless you do some pretty non-standard stuff. Servers don't normally run as pi, they run as www-data for exactly that reason, and normally the directories the server has access to are highly restricted.

Obviously opening up ssh, vnc etc to the internet is a major security risk and is something I would avoid at all costs, if you needed to trigger a script remotely I would do it through internet server software that purely triggers a script and is non-interactive user-wise so there is no question of logging in as pi or sudo-ing.

GlowInTheDark
Posts: 1974
Joined: Sat Nov 09, 2019 12:14 pm

Re: Suggestion: remove NOPASSWD for pi

Sat Sep 11, 2021 5:40 pm

Obviously opening up ssh, vnc etc to the internet is a major security risk and is something I would avoid at all costs,
Except that we frequently get posts here of the "I want to be able to access my Pi from the Internet (via ssh or vnc or ...); how do I do it?" variety.

And the answer is usually to get some third party company involved (like free dns or whatever/whatever) and that just introduces a few more points of security exposure to the mix.

dickon
Posts: 2012
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, in Towcester

Re: Suggestion: remove NOPASSWD for pi

Sat Sep 11, 2021 5:44 pm

pidd wrote:
Sat Sep 11, 2021 5:37 pm
Making a Pi an internet server shouldn't make password-free sudo from user pi a risk unless you do some pretty non-standard stuff.
Right up until the point that there's a default account with a well-known default password, anyway. Not that anyone would be sil... Oh.

m4r35n357
Posts: 124
Joined: Fri Jul 06, 2012 4:31 pm
Location: UK

Re: Suggestion: remove NOPASSWD for pi

Sun Sep 12, 2021 8:54 am

ejolson wrote:
Sat Sep 11, 2021 3:40 pm
If you decide to stick with what you have, that's up to you. My point here is not to convince but to point out some aspects of backups that seem not addressed by the script you posted. An easy improvement is making snapshots of BonsaiBackup on the NAS. A simple scheme suitable for non-enterprise use would be to retain one each of a weekly, monthly and daily snapshot.
I guess when you say "backup" you are talking about something transactional . . . ?

I guess it is not a backup then: I want deleted files to be removed rather than backed up ;) If I have an accident I get until bedtime to realize my mistake and retrieve it from the "server". Incidentally the "server" is a Pi4; the tree used to be on a QNAP before it broke!

All this is on a home network, with all machines well within my iron grip! (that is an Angband reference for any trainspotters out there!)

However, coming back on topic, the issue here is not whether I have backups or a mirror. It is the need for passwordless sudo to achieve the end result.

@DougieLawson gave me a bare systemd launcher earlier, but nothing regarding how my script could work without NOPASSWD, which was the challenge.

epoch1970
Posts: 6951
Joined: Thu May 05, 2016 9:33 am
Location: France

Re: Suggestion: remove NOPASSWD for pi

Sun Sep 12, 2021 10:00 am

Systemd runs units as root, by default. In this case you don’t need sudo at all.

m4r35n357
Posts: 124
Joined: Fri Jul 06, 2012 4:31 pm
Location: UK

Re: Suggestion: remove NOPASSWD for pi

Sun Sep 12, 2021 10:12 am

epoch1970 wrote:
Sun Sep 12, 2021 10:00 am
Systemd runs units as root, by default. In this case you don’t need sudo at all.
Simpler to just use root's crontab or the system crontab ;)

I guess the moral of all this is either use NOPASSWD, or just use root!

m4r35n357
Posts: 124
Joined: Fri Jul 06, 2012 4:31 pm
Location: UK

Re: Suggestion: remove NOPASSWD for pi

Sun Sep 12, 2021 10:25 am

ejolson wrote:
Sat Sep 11, 2021 3:40 pm

If you decide to stick with what you have, that's up to you. My point here is not to convince but to point out some aspects of backups that seem not addressed by the script you posted. An easy improvement is making snapshots of BonsaiBackup on the NAS. A simple scheme suitable for non-enterprise use would be to retain one each of a weekly, monthly and daily snapshot.
Just realized there is a sense in which this is sort of a backup. I can "checkpoint" by simply moving the backup directory and creating a new one (not copy-on-write of course). The machine I am typing this on is a new Debian Bullseye installation. The previous Ubuntu OS is therefore effectively archived. ;) Anyway this is still OT so ignore at will!

DougieLawson
Posts: 41687
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Suggestion: remove NOPASSWD for pi

Sun Sep 12, 2021 4:06 pm

epoch1970 wrote:
Sun Sep 12, 2021 10:00 am
Systemd runs units as root, by default. In this case you don’t need sudo at all.
But as usual it doesn't have to. Override the userid & group when things don't need root and make your system more secure.
Languages using left-hand whitespace for syntax are ridiculous

DMs sent on Twitter/LinkedIn will be answered next month.
Fake doctors - are all on my foes list.

The use of crystal balls and mind reading is prohibited.

bnesheim
Posts: 4
Joined: Tue Sep 14, 2021 9:52 am

Re: Suggestion: remove NOPASSWD for pi

Tue Sep 14, 2021 10:09 am

jools72 wrote:
Fri Sep 10, 2021 10:04 am
I'm just concerned that many people keep running their systems without root password, since that's the default behaviour.
And so what?

That should really be the user choice.

lost
Posts: 36
Joined: Tue Dec 05, 2017 9:38 am

Re: Suggestion: remove NOPASSWD for pi

Tue Sep 14, 2021 1:33 pm

dickon wrote:
Sat Sep 11, 2021 5:44 pm
Right up until the point that there's a default account with a well-known default password
First action done after installing a PI is creating another user (with strong password), updating secondary groups equal to user pi ones then making this new user sudoer (edit /etc/sudoers, prefer using command "sudo visudo" that'll do syntax check, getting inspired by pi user setup).

After that, I change to new user and pi account is locked & never used again.
sudo passwd -l pi

Then I can go ahead with full system installation, enabling ssh (with fail2ban, now combined with some port knocking to only open ssh port on demand) then forwarding port on router side.... I also enable root account (only local access, no ssh for instance) as this sometimes proves useful when a user account is screwed.

Those who already had an ssh server accessible from the outside & sometimes have a look at logs know all default users (pi, but also many ones from network devices, IP cams etc...) are targeted very often: To login you must know a user+pass. Using default user name really makes it easier to break in: That's 50% of needed information (even if password should be more tricky to guess), 100% if default password was not changed.

You can even build a machine with ssh external access and sshd configured to log full login info for fun: In a few days, you'll have a dictionary of user/login used by brute-force scripts!

Problem is if you're hacked by someone using your access as a relay for really nasty business. Risk is having those we call in France "breakfast friends" breaking in your home like wild boars at 6h00 a.m. (legal time in most circumstances, terrorism may bring police anytime)!
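The hardening steps in the post above (give sudo to a new account, then lock pi with "sudo passwd -l pi") can be checked afterwards with a read-only audit. This is an added example, not part of the original post; the sample file contents and the names newadmin, backup, nopasswd_users, account_locked and audit are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit for the hardening steps described above.
# Limitation: reads one sudoers-format file, does not follow include directives.

# List the users (or %groups) that have at least one NOPASSWD rule.
nopasswd_users() {   # $1 = sudoers-format file
    awk '!/^[ \t]*#/ && /NOPASSWD:/ { print $1 }' "$1" | sort -u
}

# Succeed if the account's password field starts with "!" or "*",
# which is what "passwd -l" produces (it prefixes the hash with "!").
account_locked() {   # $1 = shadow-format file, $2 = user name
    awk -F: -v u="$2" '$1 == u && $2 ~ /^[!*]/ { ok = 1 }
                       END { exit (ok ? 0 : 1) }' "$1"
}

# One line per NOPASSWD principal, with its password-login state.
audit() {            # $1 = sudoers file, $2 = shadow file
    for u in $(nopasswd_users "$1"); do
        case "$u" in
            %*) echo "$u group-rule"; continue ;;
        esac
        if account_locked "$2" "$u"; then
            echo "$u locked"
        else
            echo "$u PASSWORD-LOGIN-POSSIBLE"
        fi
    done
}

# Constructed sample data (not taken from a real system).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
# constructed sudoers fragment
pi ALL=(ALL) NOPASSWD: ALL
newadmin ALL=(ALL:ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
pi:!$6$constructed$hash:18880:0:99999:7:::
newadmin:$6$constructed$hash:18880:0:99999:7:::
backup:$6$constructed$hash:18880:0:99999:7:::
EOF

audit "$SAMPLE_DIR/sudoers" "$SAMPLE_DIR/shadow"
```

On a real system, run the functions as root against /etc/sudoers, each file in /etc/sudoers.d/ and /etc/shadow. A locked password does not stop key-based SSH logins for that account.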

dickon
Posts: 2012
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, in Towcester

Re: Suggestion: remove NOPASSWD for pi

Tue Sep 14, 2021 2:30 pm

Yeah, you see that's not my normal workflow. I usually do the equivalent of:

Code:

zfs snapshot rt0/support/raspbian-buster@newpiroot
zfs clone rt0/support/raspbian-buster@newpiroot rt0/support/newpiroot
ln -s /var/local/nfsroot/newpiroot/boot /tftpboot/newpiroot
ln -s newpiroot /tftpboot/$newpiserial
chroot /var/local/nfsroot/newpiroot
vim /etc/hostname
[...]
and boot the thing. Saves an awful lot of trouble.

Thing is, I've just moved in with my girlfriend, and the specific Pi I'm talking about now needed to be on her network as it can't see 'my' network via the 802.3. So I did the usual burn-a-uSD thing and chrooted for the bits I needed to change, but forgot all about the Pi user and its passwordless sudo. So when I was playing about with a channel 149 5GHz AP on another Pi 4 that is on my network, I thought I'd try to connect this Pi 4 to it. Worked nicely, but it acquired a real IP address and that was that. It lasted less than 12h before a bot got it.

My fault entirely. But I do worry that if someone like me, with an unreasonably complicated network setup and >25 years of Unix systems administration can get caught out, then how many newbies are?

ejolson
Posts: 8117
Joined: Tue Mar 18, 2014 11:47 am

Re: Suggestion: remove NOPASSWD for pi

Tue Sep 14, 2021 2:48 pm

dickon wrote:
Tue Sep 14, 2021 2:30 pm
Yeah, you see that's not my normal workflow. I usually do the equivalent of:

Code:

zfs snapshot rt0/support/raspbian-buster@newpiroot
zfs clone rt0/support/raspbian-buster@newpiroot rt0/support/newpiroot
ln -s /var/local/nfsroot/newpiroot/boot /tftpboot/newpiroot
ln -s newpiroot /tftpboot/$newpiserial
chroot /var/local/nfsroot/newpiroot
vim /etc/hostname
[...]
and boot the thing. Saves an awful lot of trouble.

Thing is, I've just moved in with my girlfriend, and the specific Pi I'm talking about now needed to be on her network as it can't see 'my' network via the 802.3. So I did the usual burn-a-uSD thing and chrooted for the bits I needed to change, but forgot all about the Pi user and its passwordless sudo. So when I was playing about with a channel 149 5GHz AP on another Pi 4 that is on my network, I thought I'd try to connect this Pi 4 to it. Worked nicely, but it acquired a real IP address and that was that. It lasted less than 12h before a bot got it.

My fault entirely. But I do worry that if someone like me, with an unreasonably complicated network setup and >25 years of Unix systems administration can get caught out, then how many newbies are?
Given how important security is, my opinion is it would be bad if the official OS gets a reputation of not following good practices.

HermannSW
Posts: 4541
Joined: Fri Jul 22, 2016 9:09 pm
Location: Eberbach, Germany

Re: Suggestion: remove NOPASSWD for pi

Tue Sep 14, 2021 8:44 pm

ejolson wrote:
Tue Sep 14, 2021 2:48 pm
Given how important security is, my opinion is it would be bad if the official OS gets a reputation of not following good practices.
The last time I installed Raspberry Pi 32bit OS from scratch, login with user pi was the default.
And after first login Pi warned me that I should change default password.
After doing that, what exactly do you think is missing?
https://stamm-wilbrandt.de/2wheel_balancing_robot
https://stamm-wilbrandt.de/en#raspcatbot
https://github.com/Hermann-SW/Raspberry_v1_camera_global_external_shutter
https://github.com/Hermann-SW/raspiraw
https://stamm-wilbrandt.de/en/Raspberry_camera.html

kerry_s
Posts: 2294
Joined: Thu Jan 30, 2020 7:14 pm

Re: Suggestion: remove NOPASSWD for pi

Tue Sep 14, 2021 9:31 pm

Given how important security is, my opinion is it would be bad if the official OS gets a reputation of not following good practices.
personally, i think security is the user's responsibility. only they can take into account what they're doing, if you're doing/going to shady places on the net, then you should up your security.

i find the standard settings normal, when you use your phone or tablet do you think it's any more secure.

it doesn't matter nopasswd or not, they still need to crack your password & that's on you. use a decent password, only use it once and change it every now and then, blame yourself if you're too lazy to do common sense things. :lol:
