sudo security concerns ?
mdz at canonical.com
Fri Nov 26 20:19:47 UTC 2004
On Fri, Nov 26, 2004 at 12:31:25PM +0100, Eric Feliksik wrote:
> Matt Zimmerman wrote:
> >This was discussed months ago; the reality is that this doesn't open any
> >holes which don't already exist due to the inherent design of programs like
> >su and sudo. Anyone who has control over a uid with access to su or sudo
> >has control of root as well..
> That's interesting. But how can a program become root if sudo requires a
> user's password, other than sniffing keystrokes for that user's password?
Sniffing keystrokes for the user's password, placing a trojan ahead of the
real sudo in $PATH, injecting characters on the user's tty to cause commands
to be executed. There are many possible attacks.
> I always loved the unix way of running everything as user, and become
> root if you need to... Using windows with its limited "run as
> administrator" functionality was a pain.
> But this means that running one evil program as user 1000 (sudo'er) on
> Ubuntu could compromise your system... Thereby the separation of root
> and user for malware is no longer relevant (well, ok, the malware has to
> make use of this sudo-situation, but that's just a doorstep).
> The separation is then only useful for preventing the legal user 1000 to
> accidentally break things (because it's not always root).
> I think this model could use some thought, then?
As I said, the situation is exactly the same with su(1), i.e. the
traditional UNIX security model. This problem is inherent to any model
which allows a user to run a privileged process under the control of a
In truth, Ubuntu's sudo-based configuration more accurately reflects the
reality of traditional UNIX system security: users who have the ability to
become root MUST be considered equivalent to root in terms of security.
Rethinking the UNIX security model is a bit beyond the scope of securing
Ubuntu at this point. ;-) There are ways to mitigate some of the problems, but
they are not complete solutions, and even so would require a lot of work to
implement and maintain.
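
Added example, not part of the original message: a POSIX shell audit for one of the attacks named in the reply, a look-alike placed ahead of the real sudo in $PATH. The function name, the finding labels and the /usr/bin/sudo location are assumptions made for illustration.

```shell
# Added example (not from the original post): report PATH entries that could
# place a look-alike ahead of a trusted binary such as the real sudo.
# Usage: path_shadow_audit NAME TRUSTED_FILE PATH_VALUE
# Prints one finding per line; exit status 0 = clean, 1 = findings.
# The function body is a subshell so IFS and globbing changes do not leak.
path_shadow_audit() (
    name=$1
    trusted=$2
    entries="$3:"            # trailing ':' so an empty last entry is kept
    trusted_dir=$(dirname "$trusted")
    rc=0
    reached=no
    IFS=:
    set -f                   # no globbing while splitting the PATH value
    for dir in $entries; do
        # Entries at or after the trusted directory cannot shadow it.
        if [ "${dir%/}" = "$trusted_dir" ]; then
            reached=yes
            break
        fi
        case $dir in
            /*) ;;
            *)  # empty or relative entries resolve against the current directory
                echo "RELATIVE: '$dir' is searched before $trusted_dir"
                rc=1
                continue ;;
        esac
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            echo "SHADOW: $dir/$name runs instead of $trusted"
            rc=1
        fi
        # -w is evaluated as the invoking user: the uid the thread worries about.
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            echo "WRITABLE: this uid can create $dir/$name"
            rc=1
        fi
    done
    if [ "$reached" = no ]; then
        echo "MISSING: $trusted_dir is not in the PATH value"
        rc=1
    fi
    exit "$rc"
)

# Example run against the live environment; /usr/bin/sudo is an assumed location.
# path_shadow_audit sudo /usr/bin/sudo "$PATH"
```

A clean result only covers the $PATH attack; it says nothing about the keystroke sniffing and tty injection also listed in the reply.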