Problems with Sudo

Arthur H. Johnson II arthur at johnsonfamilymi.us
Fri Mar 16 03:33:54 UTC 2007 

On Thu, 2007-03-15 at 23:03 -0400, Jeffrey F. Bloss wrote:
> Arthur H. Johnson II wrote:
> 
> > The alternate SSH server is actually this special one:
> > 
> > http://chrootssh.sf.net
>  
> > At any rate, nobody has really answered my question, instead they want
> > me to change my personal security policy.  Thats fine, I just want to
> 
> Your question might have been a little easier to answer had you
> provided this vital bit of information. :(
> 

I just installed chrootssh this afternoon.  I was sshing to the
"remoteuser" and running su to get to the local user.  Sudo under this
methods will not function.  If you ssh as one user, switch to another,
you can't sudo to root.

> Apparently it's your personal security policy that's in the way. You're
> jailing everyone, then selectively trying to break out and become the
> warden. While you may be able to masquerade as another inmate because
> SSH is generally allowed, all limitations should still apply including
> no privilege escalation via sudo because you've never actually "left the
> building" (for lack of a better analogy).

The chrootssh is essentially an airlock.  I don't have a lot of
sensitive information on my home network, but I like to keep things
secure, the internet is a very dangerous place.

> 
> I think if you consider things carefully you'll have to agree that
> allowing someone to break out of a chroot jail by simply logging back
> in, even "looping" in as another user, is horribly insecure and a direct
> contradiction to the goal of disallowing unwanted/privileged access via
> SSH.

Perhaps.  I've just used this "airlock" method of getting onto my home
network for years.  I'm just a curmudgeon when it comes to change,
apparently. 

> 
> Chroot jails are a dandy idea for "guests", I wouldn't change that, but
> I think you need to bite the bullet and allow plain vanilla SSH by an
> unprivileged user then invoke su or sudo as necessary from there
> rather than trying to end run chroot. The suggestions that have been
> offered with respect to access control will leave things more than
> secure enough, at least as secure as any system allowing any outside
> access at all, and certainly more secure than any system that allowed
> you to do things the way you're trying to do them now.

My fantasy thou, is that someone does "manage" to brute their way in and
not be able to escape from the jailed environment.  I doubt that will
actually happen on fully supported currently patched machines.

> 
> Or... you could always get use to the fact that you need to log in
> locally for administrative purposes. ;)
> 

I eventually gave up sometime about 1:30 am last night.  I just enabled
the root account for now untill I can either a. change my security
policy on my home network, or b. find a way to make sudo to work under
my narrow minded ways.  Most likely I'll just opt for a. eventually.

-- 
Arthur H. Johnson II <arthur at johnsonfamilymi.us>

More information about the ubuntu-users mailing list