Using sudo to Keep Admins Honest? sudon't!
Matt Zimmerman
mdz at ubuntu.com
Mon Nov 6 19:45:16 GMT 2006
On Sun, Nov 05, 2006 at 11:26:22PM +0000, Tristan Wibberley wrote:
> Matt Zimmerman wrote:
> > It's straightforward to escalate to root from
> > a user who uses 'su' and a root password as well, if you have their
> > password. It just requires that the attacker wait until the next time the
> > user runs su.
>
> sudo is, indeed, an improvement over su - but it only mitigates the cost
> of root security breaches (audit trails) and doesn't do much new to
> prevent them beyond making privilege assignment more fine grained (it is
> cheaper to revoke privileges if you lose trust in an administrator's
> management and use of his own account - but other than that, nothing
> significant).
sudo fills a different need than su. It allows a user to be granted
administrative privileges in a manner which is a good balance of security
and convenience.
> >> You should *never* use your default account for day-to-day usage.
> >
> > Such a configuration is perfectly adequate for most desktop users. The
> > truly paranoid should never use privilege escalation at all, and only
> > administer from a direct login on the console.
>
> If you ask most desktop computer users whether they want to have to
> totally wipe their systems (and take emergency precautions to protect
> their finances) just because their child (read "administrator") visited
> a site that exploited a firefox flaw while doing its homework, or if
> they want to just be able to delete their child's account and remake it,
> I imagine they would not agree.
>
> In any case, my advice is still valid to those that care about what
> happens to their things (and who become stressed by intrusions) if not
> to a certain demographic peculiar to traditional geek-Linux.
You're describing a security model where the default account has direct
administrative privileges, which isn't true in Ubuntu. Administrative
rights are only granted indirectly through sudo when necessary.
Ask a user who just bought a computer whether they expect to be able to
install software, configure the network, etc.
Yes, it's a good idea to create a new account for a secondary user who
doesn't need administrative rights, but it is also perfectly reasonable to
use the default account in Ubuntu for day-to-day usage.
--
- mdz
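The audit-trail advantage Tristan mentions and the "rights granted indirectly through sudo" model Matt describes both rest on sudo logging every escalation attempt. As an added example (not part of this thread), the script below parses the syslog-format lines sudo writes to auth.log into audit records, separating successful escalations from denied ones; the host name, user names and log lines are constructed sample data.

```python
import re
from typing import Optional

# Constructed sample of /var/log/auth.log: one successful sudo, one user not in
# sudoers, one password failure, and one unrelated cron line that must be ignored.
SAMPLE_AUTH_LOG = """\
Nov  6 19:40:02 desktop sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get install firefox
Nov  6 19:41:10 desktop sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Nov  6 19:42:33 desktop sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su
Nov  6 19:43:01 desktop CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""

# sudo's log line: "<user> : [<denial reason> ; ]TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line: str) -> Optional[dict]:
    """Return an audit record for a sudo log line, or None for other lines."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # A reason before the TTY field (e.g. "user NOT in sudoers") means sudo refused.
    rec["status"] = "ok" if rec["reason"] is None else "denied"
    return rec


def audit(log_text: str) -> list:
    """Parse every sudo line in the log text, in order, skipping non-sudo lines."""
    records = (parse_sudo_line(line) for line in log_text.splitlines())
    return [r for r in records if r is not None]


def summary_by_user(records: list) -> dict:
    """Count successful and denied escalation attempts per invoking user."""
    counts: dict = {}
    for r in records:
        bucket = counts.setdefault(r["user"], {"ok": 0, "denied": 0})
        bucket[r["status"]] += 1
    return counts


if __name__ == "__main__":
    for r in audit(SAMPLE_AUTH_LOG):
        print(f"{r['ts']} {r['user']}->{r['runas']} {r['status']:6} {r['cmd']}")
    print(summary_by_user(audit(SAMPLE_AUTH_LOG)))
```

The same parser works on a real auth.log; denied records for a user who is not in sudoers are the ones worth alerting on, since they show an account trying to reach root without having been granted it.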