Lack of information about the flaw of the use of sudo

Edgard Schmidt schmidt at edik.ch
Thu Sep 22 02:04:39 UTC 2016


Hi,
at first, I have doubts whether this is the right place for noting  
this because I see mostly meta discussions here. If it is not: I would  
be glad, if you tell me the right place.

I found some interesting texts about a fundamental flaw of the Ubuntu  
use of 'sudo' [1-4]. To summarize, let's say that an attacker can  
execute arbitrary code as a normal non-root desktop user, for example  
by making use of a browser exploit. The attacker could edit the user's
".bashrc" file and insert the following line:
alias sudo='bash ~/.malware/fake-sudo.sh'
By copying a malicious "phishing sudo" to that path, the attacker could
hijack the user's password as soon as the user calls "sudo" next time
[5]. After that, he is able to gain root access. Thus, from a security
point of view, it does not matter whether the regular desktop user  
runs his desktop as root or not. It makes no difference.

This security issue seems so obvious to me, that I am sure the
maintainers already know it. However, many people do NOT know it.
That's why I am posting this mail to the ubuntu-doc mailing-list. Am I
right in assuming that the only purpose of "sudo" on Ubuntu is  
preventing Linux beginners from accidentally breaking their systems?  
If so, I have two suggestions:

1. The official documentation and the help wiki should point out this  
issue very plainly. Many people trust the "sudo" mechanism absolutely.  
There are a vast number of articles and tutorials which rely on  
"sudo". I am still doubtful about the issue because I cannot believe  
that so many people could err. I did not find any information about
this problem on the Ubuntu pages but a small hint, which is likely
being overlooked by most readers [6].

2. In addition, some solutions, which fix this issue, should be  
described. I am not a security expert, but I guess, there exist  
possible ways:
* On desktop systems: what about disabling "su" and "sudo" and  
allowing root logins via virtual consoles and secure attention keys [7]?
* On server systems: some people recommend restricting the permissions
of the users for accessing their own home directories [8].

Maybe my proposed "solutions" are nonsense. Nevertheless I just want  
to communicate the "message" to you since I am sure that something is  
wrong.


1. http://dmitry.khlebnikov.net/2015/07/should-we-use-sudo-for-day-to-day.html
2. http://unix.stackexchange.com/questions/8581/which-is-the-safest-way-to-get-root-privileges-sudo-su-or-login
3. https://www.scriptjunkie.us/2016/08/the-security-pretend-game-sudo-and-runas/
4. http://www.openwall.com/lists/owl-users/2004/10/20/6
5. https://en.wikipedia.org/wiki/Login_spoofing
6. https://help.ubuntu.com/community/RootSudo#Misconceptions
7. https://en.wikipedia.org/wiki/Secure_attention_key
8. Thanks to the Freenode chatters from ##security
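
The following is an added example, not part of the original post: a defender-side check for the alias trick the message describes. It scans a home directory's bash startup files for lines that redefine `sudo` and goes beyond the post by also matching shell functions and the related commands `su`, `pkexec` and `doas`. The lists `GUARDED` and `RC_FILES`, the function names and the sample home directory are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: flag shell startup files that redefine privilege commands.
# GUARDED and RC_FILES are assumed lists; extend them for your environment.
GUARDED='sudo|su|pkexec|doas'
RC_FILES='.bashrc .bash_profile .bash_login .profile .bash_aliases'
SEP='(^|[;&[:space:]])'   # a command can start a line or follow ; & or blank

# Matches: alias sudo=...  |  function sudo ...  |  sudo() ...
PATTERN="${SEP}alias[[:space:]]+($GUARDED)=|${SEP}function[[:space:]]+($GUARDED)([^[:alnum:]_-]|\$)|${SEP}($GUARDED)[[:space:]]*\\(\\)"

# scan_rc_file FILE: print "FILE:LINE:TEXT" for every non-comment match.
scan_rc_file() {
    [ -r "$1" ] || return 0
    grep -nE "$PATTERN" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' |
        while IFS= read -r hit; do printf '%s:%s\n' "$1" "$hit"; done
    return 0
}

# scan_home DIR: scan each startup file in DIR; returns 1 if anything matched.
scan_home() {
    local dir=$1 rc out
    out=$(for rc in $RC_FILES; do scan_rc_file "$dir/$rc"; done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# make_sample_home: build a CONSTRUCTED home directory for testing the scanner.
make_sample_home() {
    local d
    d=$(mktemp -d) || return 1
    {
        echo '# alias sudo=old  (commented out, must be ignored)'
        echo 'export EDITOR=vi'
        echo "alias sudo='bash ~/.malware/fake-sudo.sh'"   # line from the post
    } > "$d/.bashrc"
    printf '%s\n' 'alias ll="ls -l"' 'su() { /bin/su "$@"; }' > "$d/.profile"
    echo "$d"
}

# Usage: ./scan-rc.sh /home/alice   (with no argument, only defines functions)
if [ -n "${1:-}" ]; then scan_home "$1"; fi
```

In a live shell, `type -a sudo` shows whether `sudo` currently resolves to an alias or function ahead of the real binary. The scan reads only the listed files and does not follow anything they pull in with `source`.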
