sudo makes your system less secure

alimiracle
Offline
Joined: 01/18/2014

Sorry I thought this thing with the moofed root accounts was bad, but I just saw a reference to [sudo su -] WHAT!
That has to be the worst command in the scope of security

You not only have a root account moofed so that the user has to rely on the security of the sudo command without being able to verify the authentication of the issuing authority other than the configuration of the command and that is sudo.. but now it is added as a layer of switch user (su) which is completely against the UNIX security model of never add any layers to account access.
Logic: every layer provides one more place for a security failure..

When I first tested the sudo command by compiling the source in 2006 and found it to violate the UNIX standard security model I would have never believed that not only would it become something people use..
When you look at commercial organizations which use secure systems you will find that sudo is NEVER a command on those systems and there is a reason.
The keyword here is security. UNIX and GNU/Linux can be secure, but it can also be insecure.. all it takes is poor configuration, programming and bad commands to make it so. If people do not want to learn how to keep and use secure systems, use windows.. or even some device where the root authority is embedded in a chip like a smart phone, so the ISP can get into the system. The security designs are there because they have been working properly for over 40 years, either adhere to proper security or plan on having a security failure.
I do understand that they are trying to make UNIX/Linux administration more user friendly so as to attract more users. And from that point I am all for making systems more friendly. BUT! Do not make systems friendly by making them less secure.
http://www.sudo.ws/sudo/history.html

marioxcc
Offline
Joined: 08/13/2014

Hi friend.

What do you mean by "moofed" and "issuing authority"? Bear in mind that sudo doesn't use certificates like SSL/TLS, so there is no "issuing authority" to speak of, at least as far as I know.

I don't think that "sudo su -" is intrinsically bad for security. This is one possible use case for sudo. It makes sense in an environment where there is a set of users all of whom are trusted system administrators, and they need to run tasks as root. The downside is that using this command, sudo doesn't by default log every command that the administrator executes, but provided they are all trusted (all administrators are honest and responsible) then there should be no problem.

Bear in mind that using "sudo su -" is no worse than using "su -" directly.

Other than the above, I can't comment, because I don't really understand what point you are trying to make.

Regards.
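
Added example, not part of the thread: the logging gap mentioned in the post above can be spotted in sudo's own log, because a root shell started through sudo leaves one entry and nothing for the commands typed inside it. The log lines below are constructed samples in sudo's syslog format, and the function name and shell list are assumptions made for illustration.

```python
import re

# Constructed auth.log lines in sudo's syslog format (not from the thread).
SAMPLE_LOG = """\
Aug 14 10:02:11 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Aug 14 10:05:40 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Aug 14 10:09:03 host sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Aug 14 10:12:57 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh -c apt update && apt upgrade
Aug 14 10:15:00 host sudo:      dan : TTY=pts/3 ; PWD=/home/dan ; USER=www-data ; COMMAND=/bin/bash
"""

ENTRY = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
# Programs that hand over an interactive session (assumed list, extend as needed).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "fish", "su"}

def unlogged_root_shells(log_text):
    """Return (user, command) for sudo entries that open a root shell.

    Heuristic: the program is a shell or su, it runs as root, and it was
    given only options (no script, no target user, no -c command), so
    whatever is typed afterwards never reaches sudo's log.
    """
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m or m.group("runas") != "root":
            continue
        argv = m.group("cmd").split()
        prog = argv[0].rsplit("/", 1)[-1]
        args = argv[1:]
        only_options = all(a.startswith("-") for a in args)
        if prog in SHELLS and only_options and "-c" not in args:
            hits.append((m.group("user"), m.group("cmd")))
    return hits

for user, cmd in unlogged_root_shells(SAMPLE_LOG):
    print(f"root shell via sudo: {user} ran {cmd!r}")
```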

alimiracle
Offline
Joined: 01/18/2014

> Hi friend.
hi my friend
> What do you mean by "moofed" and "issuing authority"?
sudo make all users to be a root

onpon4
Offline
Joined: 05/30/2012

That's not true. Sudo is an alternative to logging in as root directly which can be configured to give each user any number of privileges. In that sense, it can be much more secure; you can give each user only permission to do exactly what they need to be able to do, and nothing more. Whereas with logging in as root, you need to give someone all the root permissions, or none.

On typical user systems, like Trisquel's default settings, there is only a distinction between admins and non-admins: admins can do everything with sudo, and non-admins can do nothing with sudo. But that's not the most that sudo can do.

marioxcc
Offline
Joined: 08/13/2014

>sudo make all users to be a root

It depends on how you configure it. The man page of "sudoers" describes the format of the main configuration file which is typically "/etc/sudoers". You can allow only a few people or everybody to use "sudo". It's highly configurable.

You could even disable executing "sudo" for all users except a group of administrators by clearing (setting to 0) the "execute" bit of the sudo executable for "others" but leaving it set for "user" and "group", then assigning the group of the executable to that of the administrators. However, this is more of a hack or additional protection (maybe upgrades would override it, I don't know). You can do the same with a simple line in "/etc/sudoers". Debian by default allows only "root" and members of group "sudo" to execute sudo. Here are the relevant lines:

# User privilege specification
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

Regards.

alimiracle
Offline
Joined: 01/18/2014

Magic Banana

I am a member!

I am a translator!

Online
Joined: 07/24/2010

Sure, without a password, 'sudo' is insecure. And so is 'su'!

I would actually say that 'sudo' is more secure than 'su' because:

  1. with 'sudo', the privileges are automatically lost after some time (15 minutes by default), whereas it is risky to forget about an opened root terminal (obtained with 'su')
  2. when trying to access a SSH server (typically) the attacker has to discover or guess both the password and the user name, whereas the latter always is "root" when such a superuser is present by default.

And, of course, 'sudo' is far more flexible. Different permissions for different users, not necessarily "nothing" or "everything" and, true, the possibility to not ask for a password for some privileges.

I consider those arguments much better than "it is not the UNIX philosophy" (whatever that means; I bet you have the same argument against systemd!) and "commercial organizations use su" (do they?). Not to mention the problem with "the issuing authority". Neither 'su' nor 'sudo' rely on an "issuing authority".

That said, I see no point in using 'sudo' to run 'su'. 'sudo' alone is enough:
$ sudo -i

> If people do not want to learn how to keep and use secure systems, use windows.

Trisquel is secure by default. If I remember well, the installer does not even accept a weak password for the user who can gain administrative privileges.

I invite anybody who values his/her freedoms to join us. Even if he/she does not want to learn anything about security!

davidnotcoulthard (not verified)
davidnotcoulthard

The point of "sudo su" would be to execute multiple commands at once like sudo su -c "command-een --anoption && command-twee && command-drie && command-vier && command-gangsal" since using sudo alone (by omitting "su -c" from the above example) for that doesn't seem possible.

Anyway, I think the not-accepting-a-weak-password part of Trisquel's installer was present upstream (i.e. it's Ubuntu's feature).

onpon4
Offline
Joined: 05/30/2012

The check for weak passwords is really basic, and the only actual requirement IIRC is that the password be at least a certain length (either 6 or 8 characters; I'm not sure). My password used to be quite weak before I started using encryption on my home folder.

davidnotcoulthard (not verified)
davidnotcoulthard

Anyway I don't see why people are so concerned about the "UNIX Philosophy". This ain't UNIX, after all.........

Anyway, what do you mean sudo doesn't use a password?

Magic Banana

I am a member!

I am a translator!

Online
Joined: 07/24/2010

Read the link alimiracle gave us: it considers somebody whose SSH keypair is stolen and who configured 'sudo' so that it never asks for a password.

davidnotcoulthard (not verified)
davidnotcoulthard

(Oh...I didn't know it could be configured not to ask for password. Fair enough, then).

Magic Banana

I am a member!

I am a translator!

Online
Joined: 07/24/2010

It can. Not by default though. The "NOPASSWD" tag allows a by-command specification and the users in the "exempt_group" can do anything without ever entering a password (like a "root" user). Take a look at 'man sudoers' for the syntax.
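
Added example, not part of the thread: a small audit of sudoers text that reports the settings discussed in the posts above, namely "NOPASSWD" tags, "exempt_group", and blanket "ALL" grants such as the Debian defaults quoted earlier. The sample policy is constructed, the function name is an assumption, and only single-line rules are handled (no aliases, includes or line continuations).

```python
import re

# Constructed sample policy in sudoers syntax (not taken from the thread).
SAMPLE_SUDOERS = """\
Defaults exempt_group=wheel
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(ALL) NOPASSWD: ALL
webadm  ALL=(root) /usr/bin/systemctl restart nginx, NOPASSWD: /usr/bin/journalctl
"""

# who, host list, optional (runas), then the comma-separated command list
RULE = re.compile(r"^(\S+)\s+\S+?\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")

def audit_sudoers(text):
    """Return (who, level, detail) for password-free or unrestricted entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            m = re.search(r'exempt_group\s*=\s*"?([\w-]+)', line)
            if m:  # members of this group are never asked for a password
                findings.append(("%" + m.group(1), "no-password", "exempt_group"))
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, spec = m.groups()
        nopasswd = False  # a tag carries over to later commands in the list
        for item in spec.split(","):
            tags, cmd = TAG.match(item.strip()).groups()
            if "NOPASSWD:" in tags:
                nopasswd = True
            elif "PASSWD:" in tags:
                nopasswd = False
            if cmd == "ALL" and nopasswd:
                findings.append((who, "critical", "any command, no password"))
            elif cmd == "ALL":
                findings.append((who, "full-root", "any command, password required"))
            elif nopasswd:
                findings.append((who, "no-password", cmd))
    return findings

for who, level, detail in audit_sudoers(SAMPLE_SUDOERS):
    print(f"{level:12} {who:8} {detail}")
```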

Ishamael
Offline
Joined: 08/29/2014

but systemd is backdoor :o

Magic Banana

I am a member!

I am a translator!

Online
Joined: 07/24/2010

systemd is free software: show me the backdoor.

Jodiendo
Offline
Joined: 01/09/2013

sudo-,
prefix meaning "sweat": sudogram, sudokeratosis, sudorrhe