PerlMonks

Re^5: Greetings and salutations | sudo

by afoken (Canon)
on Mar 03, 2020 at 21:04 UTC (#11113738)


in reply to Re^4: Greetings and salutations | sudo
in thread Greetings and salutations | sudo

> How about sticking to the original unix ideal, with a root account. Only root can modify the system.

That simply does not scale. Yes, it's ok if you have exactly one admin. Maybe if it's your own single-user machine. But if you have a bunch of servers, perhaps distributed across more than one location, this will not work. You don't want to have a biological single point of failure, and you do not want to share the root password. That's why Unix has a wheel group, and the Debian people decided that it is better to have a sudo group. You need several admins, and you need to have a log of who messed up which parts of the system. That's why sudo can log so much information. And that's why sudo can be tweaked to grant only limited root access.

> Slackware still runs that way.

That's not correct. Out of the box, Slackware demands a root password, and installing sudo is optional. In the default setup, sudo is installed, but you have to adapt it to your local policies. You have to do that anyway, and as usual, Slackware does not enforce a specific configuration.

In the most simple case, uncomment one of the three group configurations from /etc/sudoers, and add one or more users to either the wheel or the sudo group:

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL

Starting from the last line, this is the Debian way of configuring sudo. Admins are members of the sudo group, and have to enter their password to gain root privileges.

In the middle, you find the classic Unix setup. Admins are members of the wheel group, and get root privileges without entering a password.

And the first variant is the secure way of the classic Unix setup. Admins are members of the wheel group, but they have to enter their password. That's what Debian should have done.

> Any user with sudo can become root and backdoor a system

No. It depends on the configuration of sudo, and in the out-of-the-box configuration of Slackware, adding users to the wheel and/or sudo groups does not grant any privileges. If you choose one of the all-or-nothing group setups from the default configuration, yes, any user that is member of the respective group has full root privileges. This is the common setup for a single-user machine.

BUT:

In a multi-user, multi-server setup, you will use a more complex sudo configuration, granting various privileges to various users. You can select applications, hosts, users, and you can even choose if sudo requires a password for each and every one of the combinations. The sudoers man page has examples, but it was probably the inspiration for the right-hand side of https://xkcd.com/1343/. Scroll down to the "EXAMPLES" section. And in such a setup, there are probably several users who can use sudo to gain limited root privileges, but only a few or even none can get sufficient privileges to install a backdoor or simply get a shell with root privileges.

Oh, and by the way: Slackware also installs su (in the required package "shadow"), setuid root and prompting for the root password; this will give anyone knowing the root password an unlimited root shell. That's why you don't share root passwords. People are very bad at keeping secrets. See also Rubber-hose cryptanalysis.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

Replies are listed 'Best First'.
Re^6: Greetings and salutations | sudo
by bliako (Parson) on Mar 04, 2020 at 18:12 UTC

    This is very informative, thanks. For me your strongest argument is that with sudo, many "roots" are possible and each has its own tracelogs. (I guess a sudo-er can not destroy his or other sudo-ers' log files, right?) Granted. This is the picture from the ground and you present it nicely. But there is also the bigger picture, on which I concentrate more because I do not have to solve practical problems in my day-to-day. Like the ones you present.

    So, for example, despite that sudo's real use-case is multi-location, big corporation servers, sudo has also been promoted to ubuntu-type desktop users. Really hard and with great zeal! I already mentioned that most wiki/howtos around mention the word sudo a dozen times each. IMO the only purpose is to dumb-down and short-circuit Unix security. At the time where an un-firewalled machine on the net lasts only a few hours, at a time that registering to any stupidwebsite.com, just to file a bug for their stupid platform, requires a military-strength password!!! In these times, some wiki/howto author comes and brainwashes us to forget a root password, use your own to bootstrap to root. And they don't even put a warning: "I told you to get rid of your car's seatbelt so that grabbing beers and cigarettes from the back seat becomes easier and that enhances your overall driving experience, but also risks your life.".

    Regarding Windows, I noticed that they do not at all promote the administrator account! I may exaggerate, but only a bit, if I said 9/10 of non-IT windows users do not know an admin account even exists. And I have just learned that the only root in my OSX is Apple Inc.!!xE+99 (see SIP)

    Three different models of security, plus, the fourth, the traditional Unix security. Two of them are totally *!%$$%. While the third has only its merits promoted and not its risks. The fourth is how things were done.

    btw, from the link you posted I learned about Chris Msando, a true IT hero it seems to me.

    bw, bliako

Re^6: Greetings and salutations | sudo
by zentara (Archbishop) on Mar 04, 2020 at 17:26 UTC
    I'll never accept sudo. :-) Slackware installs sudo, but it does nothing. There should always be one root, with control over the system. Sudo is just an attempt to weaken unix security. I use Slackware and su is perfectly suitable to switch users as long as you have the password. On these sudo based systems, all any user needs to do to gain root access is do "sudo passwd root" and you have full root privileges. If a user wants to install software and root refuses to put it into the system, the package managers should just install it into the user's home directory, and use LD_PRELOAD to load non-system libraries, or adjust the user's LD Library env variable. There is absolutely no reason to allow non-root users access to the system libraries. Do you know what a shim attack is? Sudo makes shim attacks easy, but apparently that is what the computer overlords want. It is no wonder that so many database and personal information leaks are happening.... I point the finger at sudo.

    P.S. Don't get me started on systemd, another piece of useless software. :-)


    I'm not really a human, but I play one on earth. ..... an animated JAPH
      $ sudo passwd root
      [sudo] password for root:

      I don't get it. If I know root's password, I already have the full access. If I don't, the command doesn't help in any way. Or maybe openSUSE uses a different sudo?

      map{substr$_->[0],$_->[1]||0,1}[\*||{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^*ARGV,3]
        > $ sudo passwd root
        > [sudo] password for root:
        >
        > I don't get it. If I know root's password, I already have the full access. If I don't, the command doesn't help in any way.

        (You are aware that this is the passwd program prompting for the new password for root, not sudo asking for the current password for root, aren't you?)

        This looks like a single user sudo setup. In a multi-admin-setup, sudo would either prevent access to the passwd executable, or it would require that you pass a non-root username argument to passwd. sudoers has an example for that:

        pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*

        The user pete is allowed to change anyone's password except for root on the HPPA machines. Because command line arguments are matched as a single, concatenated string, the * wildcard will match multiple words. This example assumes that passwd(1) does not take multiple user names on the command line. Note that on GNU systems, options to passwd(1) may be specified after the user argument. As a result, this rule will also allow:

        passwd username --expire

        which may not be desirable.

        In a multi-admin setup, you would probably have only a few admins that can change passwords. Or maybe you have a central password database (NIS, LDAP) that comes with an independent tool to manage users.

        > Or maybe openSUSE uses a different sudo?

        Most likely not. As far as I know, there is only one sudo. But sudo can be compiled with tons of options, and most likely, at least PAM support is enabled on openSUSE. Slackware explicitly disables PAM.

        Update:

        The same command looks quite different on Slackware. I think the reason for that is that Slackware does not use PAM at all.

        /home/alex>sudo passwd root
        Password:
        Changing password for root
        Enter the new password (minimum of 5 characters)
        Please use a combination of upper and lower case letters and numbers.
        New password:

        (And yes, I use sudo in a single-user setup. My unprivileged user account is in the wheel group, and sudo is configured to prompt for a password.)

        Alexander

        --
        Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
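The two sudoers situations argued over in this thread, the all-or-nothing group lines from Slackware's stock /etc/sudoers and the `pete HPPA = /usr/bin/passwd ...` entry from sudoers(5), can be checked mechanically. What follows is an added example, not code from the thread or from the sudo project: a toy evaluator for the subset of sudoers syntax used above (one entry per line, `who hosts = (runas) [NOPASSWD:] cmd, !cmd`, `%group` and `ALL`, sudo's "last matching entry wins" rule, and arguments matched as one glob string). The sample policies inside it are constructed copies of the lines quoted in the thread. Real sudo, via `visudo -c` and `sudo -l`, remains the authority; this only makes the reasoning visible and shows the `passwd username --expire` caveat from the man page.

```python
"""Toy sudoers evaluator (added example, not the thread's or sudo's own code)."""
import fnmatch
from dataclasses import dataclass


@dataclass
class Rule:
    who: str        # user name, "%group" or "ALL"
    hosts: set      # host names, or {"ALL"}
    nopasswd: bool  # NOPASSWD: tag in effect for this command
    negated: bool   # "!" prefix: explicitly denied
    cmd: str        # "ALL" or "/full/path [argument pattern]"


def parse_sudoers(text):
    """Parse the simplified sudoers subset used in the thread into Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # comments: a commented-out grant grants nothing
        if not line or line.startswith("Defaults"):
            continue
        who, rest = line.split(None, 1)
        hosts, spec = rest.split("=", 1)
        hosts = {h.strip() for h in hosts.split(",")}
        spec = spec.strip()
        if spec.startswith("("):              # drop the (runas) list; this toy only models "as root"
            spec = spec[spec.index(")") + 1:]
        nopasswd = False
        for part in spec.split(","):
            part = part.strip()
            if ":" in part:                   # a tag such as NOPASSWD: sticks to every later command in the list
                tag, part = part.split(":", 1)
                nopasswd = tag.strip() == "NOPASSWD"
                part = part.strip()
            rules.append(Rule(who, hosts, nopasswd, part.startswith("!"), part.lstrip("!")))
    return rules


def _who_matches(rule, user, groups):
    if rule.who == "ALL":
        return True
    if rule.who.startswith("%"):
        return rule.who[1:] in groups
    return rule.who == user


def _cmd_matches(pattern, argv):
    """sudo compares the command's full path, then the arguments joined into a
    single string against the pattern, so a '*' can span several words."""
    if pattern == "ALL":
        return True
    parts = pattern.split(None, 1)
    if parts[0] != argv[0]:                   # argv[0] must be the resolved full path here
        return False
    if len(parts) == 1:                       # no argument pattern listed: any arguments allowed
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), parts[1])


def check(rules, user, groups, host, argv):
    """Return 'deny', 'allow' or 'allow-nopasswd' for running argv as root on host.
    As in sudo, the last matching entry decides, so a trailing '!' entry revokes."""
    verdict = "deny"
    for r in rules:
        if (_who_matches(r, user, groups)
                and ("ALL" in r.hosts or host in r.hosts)
                and _cmd_matches(r.cmd, argv)):
            verdict = "deny" if r.negated else ("allow-nopasswd" if r.nopasswd else "allow")
    return verdict


def full_root_principals(rules):
    """Principals granted ALL, i.e. the ones who can simply get a root shell."""
    return {r.who for r in rules if r.cmd == "ALL" and not r.negated}


# Constructed copies of the policies quoted in the thread.
SLACKWARE_STOCK = """
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL
"""
WHEEL_WITH_PASSWORD = "%wheel ALL=(ALL) ALL\n"              # the variant the post recommends
WHEEL_NOPASSWD = "%wheel ALL=(ALL) NOPASSWD: ALL\n"         # classic wheel, no password
PETE = "pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*\n"  # sudoers(5) example


if __name__ == "__main__":
    for name, policy in (("stock", SLACKWARE_STOCK), ("wheel+password", WHEEL_WITH_PASSWORD),
                         ("wheel NOPASSWD", WHEEL_NOPASSWD)):
        rules = parse_sudoers(policy)
        print(f"{name:15} alex(wheel) /bin/sh -> {check(rules, 'alex', {'wheel'}, 'box', ['/bin/sh'])};"
              f" full root: {full_root_principals(rules) or '{}'}")
    pete = parse_sudoers(PETE)
    for argv in (["/usr/bin/passwd", "bob"], ["/usr/bin/passwd", "root"],
                 ["/usr/bin/passwd", "bob", "--expire"], ["/bin/sh"]):
        print("pete@HPPA:", " ".join(argv), "->", check(pete, "pete", set(), "HPPA", argv))
```

The stock Slackware file grants nothing until a line is uncommented, which is the point made about adding users to wheel or sudo in the default setup. For pete, `passwd root` is revoked by the trailing `!` entry, but `passwd bob --expire` slips through because `[A-Za-z]*` is matched against the concatenated argument string, exactly the caveat the man page excerpt describes. The evaluator deliberately ignores runas lists, aliases, `#include`, and shell escapes from allowed editors or pagers, all of which real `sudo -l` accounts for.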
