sudo security concerns ?

Ian Malone ibm21 at cam.ac.uk
Fri Nov 26 12:19:19 UTC 2004


<apologies if I'm dredging up an old thread, I tend to skim
the digest and haven't spotted this particular variant before>

Eric Feliksik wrote:

 > Matt Zimmerman wrote:

 >> On Thu, Nov 25, 2004 at 07:47:11PM -0800, Karl Hegbloom wrote:
 >>
 >>> I'm concerned about the security of having 'sudo' available so
 >>> easily.
 >>> When I run a sudo command, it asks for my password.  That's fine,
 >>>  but the second time I run it, it does NOT ask for it.  Once you
 >>> authenticate, it remembers that and you stay authenticated for a
 >>> period of time.
 >>>
 >>> I think that opens up a security hole that could be exploited by
 >>> 'virus' or 'trojan horse' writers.  When Ubuntu becomes very
 >>> popular, it will attract virus writers just as Windows has.  If
 >>> anything has easy access to 'root', it can do pretty much anything
 >>> it wants to.
 >>>
 >>> Can sudo be configured, by default, to require a password EVERY
 >>> time you run a sudo command?

Yes it can, '$man sudoers', look for 'timestamp_timeout'.  Sorry,
the format of this file is fairly complex so I can't offer more
detailed advice off the top of my head.  Also look for visudo before
making any changes (see caveats in the sudoers manpage).

 >> This was discussed months ago; the reality is that this doesn't open 
 >> any holes which don't already exist due to the inherent design of
 >> programs like su and sudo.  Anyone who has control over a uid with
 >> access to su or sudo has control of root as well.
 >>

 >
 > That's interesting. But how can a program become root if sudo requires
 > a user's password, other than sniffing keystrokes for that user's
 > password?
 >

It could try a brute force attack.  I don't believe programs can
sniff keystrokes sent to other applications (since X handles them),
but I may be wrong.  (Incidentally, this is why I don't like WMs that
let windows steal focus)

 > I always loved the unix way of running everything as user, and become
 > root if you need to... Using windows with its limited "run as
 > administrator" functionality was a pain.
 >

To be honest, the difference is the mindset.  In the Windows world
it is often considered okay to run a desktop as root.  In the Unix
world it is considered unacceptable.

 > But this means that running one evil program as user 1000 (sudo'er) on
 > Ubuntu could compromise your system... Thereby the separation of root
 > and user for malware is no longer relevant (well, ok, the malware has 
 > to make use of this sudo-situation, but that's just a doorstep).
 >

True, but there are others as well.  On systems where there is a root
account a program could try to log in as root, or use su.  Ultimately
password protected accounts are only as strong as the password, so
pick a strong one.  The thing about sudo is that it is reliant on the
user password (by default), not the root password.  While this means
it is more important to use a strong password for your regular account,
the fact that you use it more often than you would the root one may
mean you remember it more easily.

 > The separation is then only useful for preventing the legal user 1000
 > to accidentally break things (because it's not always root).
 >

I'm not a security expert, but I don't believe root is ever stronger
than the password protecting it.  The number of users with sudo access
should be kept small (to keep the number of passwords to root small),
unneeded external services removed, physical access to sensitive systems
restricted etc. (ie, all the stuff you'd do to secure any other Unix).
Security doesn't stop at one point.  If you think sudo is a particular
risk in your environment, you could always run as a non-sudoer and treat
a sudoer account the way you would root on any other linux system (with
the small extra bonus that a casual attacker now has to try different
user names/uids).

-- 
imalone
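
The timestamp_timeout setting mentioned in the reply above, as an added
example that is not part of the original message: a sudoers drop-in that
disables password caching, plus a check of what a given sudoers file sets.
The function names, the file name 00-always-prompt and the sample sudoers
lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. File names are assumptions.

# Print the last global "Defaults timestamp_timeout=N" value in a sudoers
# file, or "unset" when sudo falls back to its compiled-in default.
# Scoped entries (Defaults:user, Defaults@host, ...) are not matched.
global_timestamp_timeout() {
    awk '
        /^[ \t]*#/ { next }                 # comments and #include lines
        $1 == "Defaults" {
            n = split($0, f, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (f[i] ~ /^timestamp_timeout=/) {
                    v = f[i]; sub(/^timestamp_timeout=/, "", v)
                }
        }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Write the drop-in that makes sudo prompt on every invocation (0 = never
# reuse a cached authentication). Staged outside /etc on purpose.
write_always_prompt_dropin() {
    printf '%s\n' \
        '# Require the password for every sudo command' \
        'Defaults timestamp_timeout=0' > "$1"
    chmod 0440 "$1"
}

# Syntax-check a staged file; visudo -c -f parses it without installing.
check_dropin() {
    visudo -c -f "$1"
}

# Demo on constructed input: a sudoers file that caches for 15 minutes.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'Defaults env_reset,timestamp_timeout=15' \
                  '%admin ALL=(ALL) ALL' > "$tmp/sudoers.sample"
    write_always_prompt_dropin "$tmp/00-always-prompt"
    echo "sample:  $(global_timestamp_timeout "$tmp/sudoers.sample")"
    echo "drop-in: $(global_timestamp_timeout "$tmp/00-always-prompt")"
    rm -rf "$tmp"
}
demo
```

On a system whose sudoers includes /etc/sudoers.d (an assumption), run
check_dropin on the staged file as root before copying it there, and use
'sudo -k' to drop any authentication that is already cached.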



