Problems with Sudo
Jeffrey F. Bloss
jbloss at tampabay.rr.com
Fri Mar 16 04:56:27 UTC 2007
Arthur H. Johnson II wrote:
> > Your question might have been a little easier to answer had you
> > provided this vital bit of information. :(
> >
>
> I just installed chrootssh this afternoon. I was sshing to the
> "remoteuser" and running su to get to the local user. Sudo under this
> method will not function. If you ssh as one user, switch to another,
> you can't sudo to root.
Are you saying it doesn't work with the chrootssh patch, or without?
Under chrootssh I wouldn't expect anything else because chroot
shouldn't "let go" of a session no matter what.

But under normal circumstances you should be able to SSH into a
non-sudo account, su to another account, and run sudo as long as that
"final" user is permitted explicitly by user name, or implicitly by
group. If you can't, something is amiss.
>
> > Apparently it's your personal security policy that's in the way.
> > You're jailing everyone, then selectively trying to break out and
> > become the warden. While you may be able to masquerade as another
> > inmate because SSH is generally allowed, all limitations should
> > still apply including no privilege escalation via sudo because
> > you've never actually "left the building" (for lack of a better
> > analogy).
>
> The chrootssh is essentially an airlock. I don't have a lot of
> sensitive information on my home network, but I like to keep things
> secure, the internet is a very dangerous place.
Indeed. Everything is a trade off between security and usability,
starting with your decision to go on line in the first place. ;)

The airlock idea is a good one in theory, but I think you're trying to
build one that only has one door. You can enter from space, even see
the cargo bay through the transparent aluminum portal, but the inside
door has been welded shut by stray phaser fire. <g>
> > Chroot jails are a dandy idea for "guests", I wouldn't change that,
> > but I think you need to bite the bullet and allow plain vanilla SSH
> > by an unprivileged user then invoke su or sudo as necessary from
> > there rather than trying to end run chroot. The suggestions that
> > have been offered with respect to access control will leave things
> > more than secure enough, at least as secure as any system allowing
> > any outside access at all, and certainly more secure than any
> > system that allowed you to do things the way you're trying to do
> > them now.
>
> My fantasy though, is that someone does "manage" to brute their way in
> and not be able to escape from the jailed environment. I doubt that
> will actually happen on fully supported currently patched machines.
That's what things like key-only authentication, port knocking, and
rate limiting are for. Any one of the three cuts brute force attacks
off at the knees. With a port knock setup attackers can't even see a
daemon until you enable it from remote. Keys make password guessing
irrelevant, and rate limiting frustrates the hell out of anyone trying
to guess passwords. Having to wait minutes between guesses makes them
move on pretty quick.
> > Or... you could always get used to the fact that you need to log in
> > locally for administrative purposes. ;)
> >
>
> I eventually gave up sometime about 1:30 am last night. I just
> enabled the root account for now until I can either a. change my
If I understand correctly... ouch! Allowing *any* direct root login from
remote is a bad idea, if for no other reason than it being the one
account an attacker can be sure actually exists. Cuts brute force time
exponentially. Better to allow direct access to an "admin" account with
sudo privileges. Make it a nonsensical user like 4garzelflop7 if you're
paranoid. Remember that brute force means guessing the user and
password combination, not just the password.
> security policy on my home network, or b. find a way to make sudo to
> work under my narrow minded ways. Most likely I'll just opt for a.
> eventually.
--
_?_ Outside of a dog, a book is a man's best friend.
(o o) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
http://wrench.homelinux.net/~jeff/
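
An added example, not part of the original message or of OpenSSH: a small Python check of an sshd_config against two recommendations in the reply above, no direct root login and key-only authentication. The sample configs are constructed, and the parser is simplified to the global section (it stops at the first Match block).

```python
# Added example, not from the original message. Sample configs are constructed.
WANTED = {  # lowercase keyword -> (value the reply recommends, reason)
    "permitrootlogin": ("no", "root is the one account known to exist"),
    "passwordauthentication": ("no", "keys make password guessing irrelevant"),
}

def global_settings(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd keeps the first value it obtains for a keyword, so later duplicates
    are ignored here too. Simplification: parsing stops at the first Match
    block, so conditional overrides are not audited.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    settings = global_settings(text)
    findings = []
    for keyword, (wanted, reason) in WANTED.items():
        value = settings.get(keyword)
        if value is None:
            findings.append(f"{keyword} not set, build default applies ({reason})")
        elif value != wanted:
            findings.append(f"{keyword} is {value!r}, want {wanted!r} ({reason})")
    return findings

# Constructed: a hardening line appended after an earlier "yes" has no effect.
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nPermitRootLogin no\n"
# Constructed: global hardening, with a chroot applied only to a guests group.
HARDENED = ("PermitRootLogin no\nPasswordAuthentication no\n"
            "Match Group guests\n    ChrootDirectory /home/jail\n")

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "ok")
```

The WEAK sample is flagged even though it ends with `PermitRootLogin no`, because the earlier `yes` is the value sshd obtains first.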