Using sudo to Keep Admins Honest? sudon't!

Tristan Wibberley maihem at maihem.org
Sat Nov 4 12:57:38 GMT 2006


Toby Kelsey wrote:
> Tristan Wibberley wrote:
> 
>> According to Matt Zimmerman:
>>
>> "You should consider a user with unlimited sudo privileges to be 
>> equivalent to root from a security perspective."
> 
> That's unnecessarily absolutist. The sudo password provides a real barrier.

It provides a real barrier against somebody who doesn't know how to get 
around it, who is just going to try to guess your password. But if you 
know better, you can get around it quite easily.

>> So the default user in Ubuntu *is* root, except that sudo just "prompts 
>> for the user's password as a secondary check which prevents certain 
>> casual attacks (for example, leaving a session open without locking
>> the screen)." - again according to Matt Zimmerman
> 
> So any user 'is' root, you just need the password for 'su'. In fact the login
> prompt 'is' root as well by that argument.

su has some problems too, yes.

The login prompt is indeed root, but since it doesn't have a shell or 
any complicated programs that can be exploited to set up password 
sniffing it is secure. In sudo's case you can often do worse than try to 
sniff the password (don't ever use "sudo -s", use "sudo -i" instead).


>> It is a *huge* misconception that Ubuntu does not run as root by 
>> default, because for all security related purposes... it does. It is 
>> trivial to escalate privileges once you have compromised somebody's account.
>>
>> You should *never* use your default account for day-to-day usage. 
> 
> That's silly.  So you should have a second account, which you log in from to
> your first account, which you run sudo from?  But then the second account is
> equivalent to root because it is trivial to escalate privileges, so you need
> a third account from which you log into your second account, but then ...

No, you should log out of the second account, and then in to the first 
account giving a securable route (via gdm, bugs notwithstanding).

> The reality is that the default user must have a way of performing 
> administrative functions.  That requires escalating privileges.  If an attacker 
> cannot crack the system directly then they need to compromise the user account, 
> and trick the user into giving them extra privileges.  Using sudo can make that
> harder.

Sudo doesn't make that terribly hard given most users' knowledge (I could 
avoid all but the most sophisticated attacker, but even then, an 
attacker has a reasonable chance to get through - and I don't take the 
precautions necessary since it would take 5 minutes for each sudo command).

-- 
Tristan Wibberley - "it" is the preferred noun of an abated intellect.

These opinions are my own, and do not reflect those of my employer.
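The thread's central claim is that once a user account is compromised, the attacker can interpose on the user's sudo invocations (which is also why "sudo -s" inherits more of the user's environment than "sudo -i"). The script below is an added defensive audit, not code from the thread or from the sudo project: it checks a shell rc file for alias or function definitions that shadow the sudo command, and lists PATH directories that are writable by the current user and are searched before the directory holding the real sudo binary. The function names, the sample rc file and the PATH values are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit two places where a compromised
# user account could interpose on "sudo". Defensive check only.
#
# rc_redefines_sudo FILE
#   Prints (with line numbers) any line in FILE that redefines sudo via
#   "alias sudo=", "sudo() {" or "function sudo". Returns 0 if any found,
#   1 if none (grep's own status).
rc_redefines_sudo() {
    grep -nE '^[[:space:]]*(alias[[:space:]]+sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo([[:space:]]|\(|$))' "$1"
}

# writable_dirs_before PATHLIST REALDIR
#   Walks PATHLIST (colon separated) and prints every directory that the
#   current user can write to and that is searched before REALDIR, the
#   directory containing the genuine sudo binary. An empty PATH entry means
#   the current directory, which is reported as ".".
writable_dirs_before() {
    pathlist=$1; realdir=$2
    printf '%s\n' "$pathlist" | tr ':' '\n' | while IFS= read -r d; do
        [ "$d" = "$realdir" ] && break
        [ -z "$d" ] && d=.
        [ -w "$d" ] && printf '%s\n' "$d"
    done
}

# Stand-alone demonstration on constructed data.
tmp=$(mktemp -d)
# Constructed rc file: one harmless alias and one alias shadowing sudo with
# a user-owned wrapper, the kind of interposition the thread warns about.
cat > "$tmp/bashrc" <<'EOF'
alias ll='ls -l'
alias sudo='$HOME/.local/bin/sudo'
EOF
mkdir -p "$tmp/bin"   # a user-writable directory placed early in PATH

echo "-- rc lines redefining sudo:"
rc_redefines_sudo "$tmp/bashrc" || echo "(none)"
echo "-- user-writable PATH dirs searched before /usr/bin:"
writable_dirs_before "$tmp/bin:/usr/bin" /usr/bin
rm -rf "$tmp"
```

On a real system you would run rc_redefines_sudo over each of ~/.bashrc, ~/.bash_profile, ~/.profile and ~/.zshrc, and pass the current $PATH together with the output of `dirname "$(command -v -p sudo)"` as the second argument; a non-empty result from either check means the account's own configuration, not the sudo password, decides what runs when the user types sudo.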