Using sudo to Keep Admins Honest? sudon't!

Toby Kelsey toby_kelsey at ntlworld.com
Sat Nov 4 12:44:05 GMT 2006


Tristan Wibberley wrote:

> According to Matt Zimmerman:
> 
> "You should consider a user with unlimited sudo privileges to be 
> equivalent to root from a security perspective."

That's unnecessarily absolutist. The sudo password provides a real barrier.

> So the default user in Ubuntu *is* root, except that sudo just "prompts 
> for the user's password as a secondary check which prevents certain 
> casual attacks (for example, leaving a session open without locking
> the screen)." - again according to Matt Zimmerman

So any user 'is' root, you just need the password for 'su'. In fact the login
prompt 'is' root as well by that argument.

> It is a *huge* misconception that Ubuntu does not run as root by 
> default, because for all security related purposes... it does. It is 
> trivial to escalate privileges once you have compromised somebody's account.
> 
> You should *never* use your default account for day-to-day usage. 

That's silly.  So you should have a second account, which you log in from to
your first account, which you run sudo from?  But then the second account is
equivalent to root because it is trivial to escalate privileges, so you need
a third account from which you log into your second account, but then ...

The reality is that the default user must have a way of performing 
administrative functions.  That requires escalating privileges.  If an attacker 
cannot crack the system directly then they need to compromise the user account, 
and trick the user into giving them extra privileges.  Using sudo can make that
harder.

Toby



