[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #27278 [Webpages/Website]: Bad Instruction Page



#27278: Bad Instruction Page
------------------------------+------------------------
 Reporter:  TormanToo         |          Owner:  (none)
     Type:  defect            |         Status:  new
 Priority:  Very High         |      Milestone:
Component:  Webpages/Website  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+------------------------

Comment (by traumschule):

 Hi TormanToo,

 > Following your new instructions, everything worked up to the keys. Then
 I got the same errors as before.
 When reporting errors please always paste the command you executed along
 with the whole output. Developers can only help if a user tells the
 expected outcome and what happened instead.

 If {{{gpg --version}}} still shows 1.4, use gpg2 instead. Otherwise you
 need to add the --keyserver option (see at the head of the updated guide).

 > I am using Xubuntu 16.04.
 That's fine.

 > Why not just suggest the use of sudo by itself?
 sudo is a security risk because it allows privilege escalation from user
 to root. For example if you used sudo in the last minutes and execute
 another (unsafe) command on the same shell, it can take advantage of the
 left-over privilege. It's like leaving open a root console. Also if
 someone gets the password of a user that has full sudo privileges, then
 they can become root and take over your system.
 [https://dmitry.khlebnikov.net/2015/07/should-we-use-sudo-for-day-to-
 day.html More here]
 Another risk on systems using Xorg is that any running application
 eavesdrop on the keys you enter.
 Hence there are systems without sudo installed and the guide would not
 work for them. Also note that every command you execute with sudo is
 logged in /var/log/auth.log.
 The better approach is to create ssh keys with {{{ssh-keygen}}} and add
 one's public key in ~/.ssh/id_rsa.pub to /root/.ssh/authorized_keys.
 However I know there are different philosophies and Ubuntu promotes sudo
 quite much and if you are fine using sudo just replace '#' in the guide
 with sudo.

 Good luck!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27278#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs