Well, it is an ordinary discussion here. I ask questions which sometimes make IT Professionals or Gurus react in a way that instead of answering the questions they show their reactions about the World Security.

I often get responses from people who first say: "Are you sure? You want your network to be exposed to the outside world?" Blah! Blah!

I am not experimenting on a Production Server of NASA or any Security Concern Department.

Friends, there is no harm in experimenting on your personal computer or on a test computer which is isolated from the production environment.

Look at hackers! What do they do? If they don't know how security is breached then how would they come up with security measures?

If my question reads... "How to let any user perform Administrative Tasks on a Linux System irrespective of his/her privileges on that particular system?" then I would not get the right answers in the first place. They will say... "You are letting everyone destroy your system... are you sure you want to do that?"

My question is: Why should we restrict ourselves from experimenting even if it sounds weird to other people?

I give you an example where it is desirable to let an unprivileged user perform certain tasks.

You want to know if there are any employees in your office who are storing videos in their home directory and filling up the disk space to a great amount. You have a department called "Command Center or Data Center Operations or Help Desk" call it whatever you would, whose work is to monitor such activities, and you create an account "monitor" for them to monitor such activities but they are not able to do them:



Would you like to give them root password to perform it? Of course not! So, you create a script that searches all users's home directories for video files and reports it. You want the user "monitor" to be able to run that script without any problem / error such as "Permission denied".

Sounds like fun experimenting. Wile this doesn't answer your questions....my buddy did some security testing using this scenario:
- between his hardware firewall/dsl router and the dsl modem he placed:
- network hub (not a switch but a dumb hub)
- a test PC with 2 NIC cards, one NIC connected via cat5 twisted pair to the dumb hub with one exception:
- the cat5 cable from NIC to hub is custom with one pair missing, allowing only inbound traffic
- second NIC connected to the firewall/dslrouter
- test PC running snort and iptables firewall configured for routing certain traffic

And he used snort to view the kind of crazy traffic going by on the internet. His snort reports/logs were really interesting. They were an eye opener to all the shiat on the net.

The method he used protected his internal network was as much as possible (theoretically).

You really need to plan and think this through however. Creating a honeypot is not easy and it could become host to any number of nefarious applications such as:
- spam relay
- part of a botnet
- anonymous tor server
- ?

....and many more. Once that happens you are essentially contributing to some quite evil stuff....it's irresponsible on your part if anything like that happens with or without your knowledge and it continues with or without your detection.

Hope my point there comes across. I'm not trying to be holier-than-thou but this is worth seriously considering and you shouldn't do anything w/o a plan.

Since you're saying you don't want the "blah blah" answers, then don't ask the question, and do what you want. If you ask for someones opinion, you'll get it. If you're going to ignore advice and do what you want anyway, then why waste everyones time asking the question in the first place?
Wrong. If you have a "Command Center", that's where your systems admins will be. They'll have rights to do ANYTHING on ANY systems...that's their JOB. Monitoring scripts are a different matter, and (if you write/implement them correctly), can run as any user, as root, or whatever, and work correctly. Put them in CRON, schedule them to monitor your systems, and report the results to your admins, so THEY can make the decisions.

In your example, you're using video files as a 'bad' thing. What if that person is in advertising or marketing?? Those could be work-related commercials, productions, etc., that you'll then go delete, because they're video files. Report it, then let the admins make decisions.

You say "I ask questions which sometimes make IT Professionals or Gurus react in a way that instead of answering the questions they show their reactions about the World Security."...which goes to show a lack of concern about a very real problem. You THINK that you're safe, but you're not thinking about things well. Sure, your machines at that IP address are just 'test' boxes now...but are you going to reuse that address later? Same connection? Same provider?? All you've done is advertise the fact that there are systems on that connection, and trust me, they'll be watched. And unless you're going to totally erase/format ALL the systems on that test net afterwards, you're going to risk your production network if you plug ANY of them in later.

Why do you think professionals react that way, just for fun??? It should occur to you that its for a reason, and that you ignore it at your own risk.

Important thing noted:

Thanks!

By the way, I do not experiment crazy things at office. I do them at home on my PC and on http://linuxzoo.net/ which lets us use a UML which is safe to test (possibly) anything on it.

About the Videos example, I do not really need to delete them. That is just an example. In my current project, the Admin team sits in a different remote location. And, yes, I would love to bug them when there was something only they could do.

One thing which may look a matter of "security concern" to somebody, it may look a fun to a hacker to do.


I tell you one example- a real example which an interviewer at a Navy Defense Project asked me:

Design a Web Interface that lets anybody change the network settings and restarts the network service when the new settings are submitted.

I did not dare to ask him: "Are you really going to do that in your Defense Project?"

There were some more questions like that one. I didn't know the exact answer so I was not selected. That is why I am doing crazy things to see what we can and cannot do on a Linux box.

The capability of knowing what you can do and what you can't plays an important role when you are going to do something really serious.

And one more thing, I am not upset when they say "Blah! Blah!" I rather expect a view that I can think over. Like how fuubar2003 has presented an example from his friend's experiment.

Have a nice time, sir!

The answer they were probably looking for was "I wouldn't design or implement something that's so unsafe. It would put the organization at risk."
There's nothing wrong with curiosity and experimentation, but the way you presented your original post seemed to suggest that you didn't CARE what anyone said, you were going to do what you wanted, and you couldn't understand why people reacted the way they did. You also really didn't spell out the parameters of your test environment, where you were doing it, or what your goals were, so it's hard for anyone to get any meaningful basis for an opinion from it.

And again....if you put up a 'test' network at home, you are advertising your IP address as being active, and having potential vulnerabilities. You're attracting attention to yourself, with home-grade/easily broken hardware.

Hi,

I'll add to this slurry!

When one is independently experimenting then safeguards should be stronger. Most good houses have security that will prevent damage by an experimenter like the OP has suggested.

By setting up things as the OP has suggested then opportunity is available and generally taken advantage of by knowledgeable people to use that same setup to do damage else where. Guess who will be responsible for said damage? One guess now! Yes, that same person who wanted to experiment and learn how to do or prevent the same actions his/her system(s) have accomplished.

Nothing saying a LAN without Internet can be used to experiment but when you put that network on the Internet you had better be protected thus insulated and aware of what's going on.

Experiment responsibly!

Totally agreed, Guru!

People answer question based on what they know and how they best feel they can help your issue. The two may be in conflict with what you believe you want to hear.

One should consider that once a worm or virus in in your system it may be much harder to get rid of than imagined. It may be on flash drives and disks and in routers and who knows where else.

At some point you may want to save your Kylie Minogue can't get you out of my head video.

I think sudo will be able to help with the above issues.

As for experimenting, go right ahead ... but do be weary that you at least risk the test machine itself, I'm sure there are ways to cause physical harm to it from within.