Using sudo to Keep Admins Honest? sudon't!

Friday Nov 3rd 2006 by Charlie Schluting

sudo has its time and place, but if you're using it to keep your admins honest, or just because it's what everybody uses, it's time to rethink your security strategy.

The consensus among many Unix and Linux users seems to be that sudo is more secure than using the root account, because it requires you type your password to perform potentially harmful actions. While sudo is useful for what it was designed for, this thinking is flawed, and usually comes from inexperience.

The concept behind sudo is to give non-root users access to perform specific tasks without giving away the root password. It can also be used to log activity, if desired. Similar functionality can be found in operating systems with role-based access control (RBAC). Solaris 10, for instance, has greatly improved RBAC capabilities; so you can easily allow a junior admin access to Web server restart scripts with the appropriate access levels, for example. And while Linux has recently acquired RBAC capabilities through the integration of SELinux, sudo remains in common use, even though more widespread use of RBAC will eventually make it a redundant choice.

Sudo is supposed to be configured to allow a certain set of people to run a very limited set of commands, as a different user. Unfortunately, sysadmins and home users alike have begun using sudo for everything. Instead of running 'su' and becoming root, they believe that 'sudo' plus 'command' is a better alternative. Most of the time, sysadmins with full sudo access just end up running 'sudo bash' and doing all their work from that root shell. This is a problem.

Using a user account password to get a root shell is a bad idea.

Why is there a separate root account anyway? It isn't to simply protect you from your own mistakes. If all sysadmins just become root using their user password by running sudo bash, then why not just give them uid 0 (aka root) and be done with it? For a group of sysadmins, the only reason they should want to use sudo is for logging of commands. Unfortunately, this provides zero additional security or auditing, because an attacker would just run a shell. If sysadmins are un-trusted such that they need to be audited, they shouldn't have root access in the first place.

Surprisingly, the home-user rational makes its way into the workplace as well. The recurring argument is that running a root shell is dangerous. Partially to blame for this grave misunderstanding are X login managers, for allowing the root user to login. New users are always scolded and told that running X as root is wrong. The same goes for many other applications, too. As time progressed, people started remembering that "running as root" is wrong, passing this notion down to their children, but without any details. Now that Ubuntu Linux doesn't enable a root account by default, but instead allows full root access to the user via sudo, the world will never be the same.

People praise sudo, while demeaning Windows at the same time for not having any separation of privileges by default. The answer to security clearly is a multi-user system with privilege separation, but sudo blurs these lines in its most common usage. The Ubuntu usage of sudo simply provides a hoop to jump through, requiring users to type their password more often than they'd like. Of course this will prevent a user's web browser from running something as root, but it isn't security.

We'd really like to focus on the enterprise, where sudo has very little place.

The sudo purists, or sudoists, we'll call them, would have you run sudo before every command that requires root. Apparently running 'sudo vi /etc/resolv.conf' is supposed to make you remember that you're root, and prevent mistakes. Sudoists will also say that it protects against "accidentally left open root shells" as well. If there are accidental shells left on computers with public access, well that's an HR action item.

Sudo doubters will quickly point out that using sudo without specifically defined commands in the configuration file is a security risk. Sudoist user account passwords have root access, so in essence, sudo has un-done all security mechanisms in place. SSH doesn't allow root to login, but with sudo, a compromised user password removes that restriction.

In a true multi-user environment, every so often a root compromise will happen. If users can login, they can eventually become root, and that's just a fact of life. The first thing any old-school cracker installs is a hacked SSH program, to log user passwords. Ideally, this single hacked machine doesn't have any sort of trust relationship with other computers, because users are allowed access. The next time an administrator logs into the hacked machine, his user account is compromised. Generally this isn't a big deal, but with sudo, this means a complete root compromise, probably for all machines. Of course SSH keys can help, as will requiring separate passwords for administrators on the more important (non user accessible) servers; but if they're willing to allow their user account access to unrestricted root-level commands, then it's unlikely that there's any other security in place elsewhere.

As we mentioned, sudo has its place. Allowing a single command to be run with elevated privileges in an operating system that doesn't support such things is quite useful. Still, be very careful about who gets this access, even for one item. As with all software, sudo isn't without bugs.

No matter where you choose to fit sudo into your workflow, do not use it for full root access. Administrators keep separate, non-UID 0 accounts for a reason, and it's not for "limiting the mistakes." Everything should be done from a root shell, and you should have to know an uber-secret root password to access anything as root.

Add to | DiggThis

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved