Enterprise secure dapper? sudo concerns/proposal
Eric Feliksik
milouny at gmx.net
Sun Apr 9 22:21:02 BST 2006
After the thread 'cross-platform virus' that featured wild speculation,
curiosity, and thoughtful comments, I have some sort of summary and a
few proposals/options. I launch it here on sounder; if a
canonical-developer thinks this is a thoughtful mail I can make a
wiki-page and/or the discussion might be moved to -devel.
THE ISSUE:
The use of sudo in its current setup practically means that if the
first user account is compromised, root privileges can be gained [1].
We have not seen any undertakings to really fix this issue in the short
term.
SUMMARY:
(you can skip this if you already know this)
sudo and gksudo have a configurable time to keep a login-ticket so that
you don't have to enter and re-enter your password constantly. This is
currently set to 15 minutes. It's only valid for the TTY you logged in;
this means a password entered for sudo on tty1 is not valid in X, and a
password entered in gksudo in X is not valid for the gksudo run from an
x-terminal (pts/0). There is plenty of room for malicious things,
however. A proof-of-concept is not there yet, but we can all speculate
on ways to sneak in. gksu might be launched by malware, to run that
malware with root privileges. (Names like 'gdm-setup' faking
'gdmsetup', 'updatenotifier' faking 'update-notifier'... no one notices).
PROPOSALS:
These are some creative thoughts, some might be more wise than others. I
know plans like plash[2] (to reduce the amount of code run as root) are
on their way, but this might be useful anyway. (I suggest maintaining
the capitalised issue names for convenience/recognition-reasons):
1) SUDO UNTRUSTED-OWNER WARNING
All programs owned by root already got in somehow; they're trusted.
gksu can safely run root-owned programs (provided the password is given,
of course). For user-owned programs, however, a different "enter your
password" dialog must be displayed. Joe Sixpack will probably never see
this, unless someone is trying to mess with his system. (Because Joe
only uses software installed via apt-get, he does not care to run weird
user-owned scripts with sudo). Dialog contains a red alert ("trying to
run an UNTRUSTED program!"), and the full program path for
identification purposes. (the gdebi warning should match this somehow,
because it's about the same risk. I personally think the gdebi warning
could use some bolder text)
2) GKSUDO-SPOOFING
Skip this issue if you have little time: this involves wild speculation
for a solution. The problem here is basically the previous one inverted:
you know when sudo will run a potentially malicious program, but how do
you know a program doesn't run a malicious gksudo-faker? Malware can
pretend to be gksudo and sniff your password (as far as I know, I don't
know the details of this). I don't know a good solution to fix this, but
I'll be creative:
We might let X identify the real gksudo in some distinctive way. Two
pretty ugly options:
- It's probably possible to prevent user-owned programs from modifying
the whole X screen, like gksudo does. (root-owned programs run with
user privileges, like gksu, *can* modify it, then). Problems are that
this would break your user-installed tuxracer, and that it probably
requires some heavier xorg modifications.
- implement the previous option but only for a small section of the
screen, like a 4 pixel border. Users should only enter their
gksudo-password if the border of the screen is red, something like that.
3) BAN 'sudo -s'
'sudo -s' is pretty dangerous, as it runs .bashrc of the user with root
privileges. 'sudo -i' should be used instead. I know it's nice to see
the $PS1-settings when logged in as root, but that can be achieved in
another way, too. I'm still using 'sudo -s', but trying to unlearn it. A
warning in the manpage is in place, but then still "alias sudo='sudo
-s'" is pretty freaky. Maybe the functionality is best taken out (or, at
least, a warning upon using -s option).
That's all for now, folks! I'm sure I forgot some leaks, but I think
this might improve security anyway. Thanks for your time.
Eric
[1]
https://wiki.ubuntu.com/RootSudo#head-a76e0b38808fca380fa209babb080d60ffe0ec8e
[2] http://plash.beasts.org/