Using sudo to Keep Admins Honest? sudon't!
Tristan Wibberley
maihem at maihem.org
Thu Nov 9 19:22:14 GMT 2006
Matt Zimmerman wrote:
> On Sun, Nov 05, 2006 at 11:26:22PM +0000, Tristan Wibberley wrote:
>> Matt Zimmerman wrote:
>>> It's straightforward to escalate to root from
>>> a user who uses 'su' and a root password as well, if you have their
>>> password. It just requires that the attacker wait until the next time the
>>> user runs su.
>> sudo is, indeed, an improvement over su - but it only mitigates the cost
>> of root security breaches (audit trails) and doesn't do much new to
>> prevent them beyond making privilege assignment more fine grained (it is
>> cheaper to revoke privileges if you lose trust in an administrator's
>> management and use of his own account - but other than that, nothing
>> significant).
>
> sudo fills a different need than su.
I don't agree.
> It allows a user to be granted
> administrative privileges in a manner which is a good balance of security
> and convenience.
I think that's a better way of filling the same need, but I don't think
there's much point
>>>> You should *never* use your default account for day-to-day usage.
>>> Such a configuration is perfectly adequate for most desktop users. The
>>> truly paranoid should never use privilege escalation at all, and only
>>> administer from a direct login on the console.
>> If you ask most desktop computer users whether they want to have to
>> totally wipe their systems (and take emergency precautions to protect
>> their finances) just because their child (read "administrator") visited
>> a site that exploited a firefox flaw while doing its homework, or if
>> they want to just be able to delete their child's account and remake it,
>> I imagine they would not agree.
>>
>> In any case, my advice is still valid to those that care about what
>> happens to their things (and who become stressed by intrusions) if not
>> to a certain demographic peculiar to traditional geek-Linux.
>
> You're describing a security model where the default account has direct
> administrative privileges, which isn't true in Ubuntu. Administrative
> rights are only granted indirectly through sudo when necessary.
>
> Ask a user who just bought a computer whether they expect to be able to
> install software, configure the network, etc.
>
> Yes, it's a good idea to create a new account for a secondary user who
> doesn't need administrative rights, but it is also perfectly reasonable to
> use the default account in Ubuntu for day-to-day usage.
Except for the users my advice was for: those who think typing the
password that escalates their privileges into a program - where they
can't be sure they can trust the program, since they can't be sure it
*is* sudo - is not the proper way to use their computers.
There *are* such users, and those users *do* need to know of the hole,
and reiterating that one portion of users will accept that security hole
(grudgingly, IMHO) doesn't change that fact.
BTW, this can be solved to be both convenient *and* secure; it is just a
lot of work to do it, but I got into a futile argument for this idea
before, so I'll refer readers to search the mailing list for the
discussion rather than end up in another big argument.
--
Tristan Wibberley
These opinions are my own, and do not reflect those of my employer.
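The thread above argues that sudo's main advantage over su is the audit trail it leaves, while a full root shell obtained through sudo defeats per-command accounting. The following script is an added example, not part of this mailing-list post, showing what that audit trail actually yields: it parses sudo's syslog-style entries (the format sudo writes to auth.log), separates allowed from rejected invocations, and flags invocations that handed the caller an interactive root shell, after which sudo logs nothing further. The sample log lines are constructed for the example, and the list of shell interpreters in ROOT_SHELLS is an assumption you would tune to your system.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the syslog format sudo writes to auth.log.
# Hostname, users and commands are placeholders made up for this example.
SAMPLE_AUTH_LOG = """\
Nov  9 19:20:01 desktop sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get install vim
Nov  9 19:21:17 desktop sudo:    child : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/child ; USER=root ; COMMAND=/bin/bash
Nov  9 19:22:14 desktop sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Nov  9 19:23:40 desktop sudo:    child : command not allowed ; TTY=pts/1 ; PWD=/home/child ; USER=root ; COMMAND=/usr/sbin/useradd mallory
Nov  9 19:24:02 desktop CRON[1234]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# One sudo log line: an optional rejection reason precedes the TTY/PWD/USER/COMMAND fields.
SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<problem>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Assumed set of interpreters that give the caller an interactive root session.
# Once sudo has handed over such a shell, commands run inside it leave no sudo log lines.
ROOT_SHELLS = {
    "/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh",
    "/usr/bin/bash", "/usr/bin/zsh", "/bin/su", "/usr/bin/su",
}


@dataclass
class SudoEvent:
    timestamp: str
    host: str
    user: str       # invoking user
    target: str     # account the command ran as (USER= field)
    tty: str
    command: str
    problem: Optional[str]  # None on success, otherwise sudo's rejection text

    @property
    def allowed(self) -> bool:
        return self.problem is None

    @property
    def opens_root_shell(self) -> bool:
        # Only the executable name decides; arguments to the shell are irrelevant here.
        return self.allowed and self.command.split()[0] in ROOT_SHELLS


def parse_sudo_log(text: str) -> List[SudoEvent]:
    """Extract sudo events from syslog text; lines from other daemons are skipped."""
    events: List[SudoEvent] = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue  # cron, sshd, or a sudo message in a format we do not model
        events.append(SudoEvent(
            timestamp=m["ts"], host=m["host"], user=m["user"], target=m["target"],
            tty=m["tty"], command=m["cmd"], problem=m["problem"],
        ))
    return events


def summarize(events: List[SudoEvent]) -> Dict[str, Dict[str, List[str]]]:
    """Per invoking user: allowed commands, rejected attempts, and root shells opened."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for ev in events:
        entry = report.setdefault(ev.user, {"allowed": [], "denied": [], "root_shell": []})
        if not ev.allowed:
            entry["denied"].append(f"{ev.problem}: {ev.command}")
            continue
        entry["allowed"].append(ev.command)
        if ev.opens_root_shell:
            entry["root_shell"].append(ev.command)
    return report


if __name__ == "__main__":
    for user, entry in summarize(parse_sudo_log(SAMPLE_AUTH_LOG)).items():
        print(f"{user}: {len(entry['allowed'])} allowed, {len(entry['denied'])} denied, "
              f"{len(entry['root_shell'])} root shell(s) opened")
        for cmd in entry["root_shell"]:
            print(f"  audit trail ends at: {cmd}")
```

Run against the constructed sample, the report shows alice's package install as a fully accounted action and her `/bin/bash` invocation as the point where sudo's per-command record stops, while the child account's rejected attempts are visible but never reached root. That is the trade-off the thread describes: sudo makes the breach cheaper to investigate and the privilege cheaper to revoke, but it does not prevent the escalation itself.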