NB: This will be a very long-winded post, as I'm going to respond to everyone's factual and logical mistakes. If you want to see my take on Ubuntu's policy, scroll to the end.
Quote:
Originally Posted by Xgates
This sudo thing, it's bad security; someone gets into the user account, then they have your box simpler than if there was a root password on it.
No, it doesn't. A password is a password. I just have to get the right password.
Quote:
Having that root password means twice the effort is needed to get root on the box,
No, it doesn't. It just means I have to get the root password instead of the user's password.
You're operating under the assumption that a root password will be harder to steal than a user's password. Realistically, that's rarely true. Most people who you could persuade to give you their account password would also be willing to give you the root password. Even if they know the importance of root. This is what social engineering is all about.
And if you remove the human factor, stealing one password becomes just as likely as stealing another: you're relegated to brute-force style attacks. At which point, attempting to gain root is no harder than gaining a user's password. At least these days, anyway.
Quote:
now with people using Ubuntu only as sudo, all a cracker needs to get is the user account to gain control.
And all they need without sudo is to get the root password.
You're making the false assumption that a root password is somehow automatically more secure than a user's password. It's not. Its security still depends on the exact same factors. So without a compelling reason to believe that a root password is more secure, your whole argument is reduced to illogic.
Quote:
like this sudo ONLY thing going around thought for the sake of all the windows users, moving over to Linux, trying to make it easier, for the sacrifice in security.
It's not a sacrifice, it's a distinct trade with good points and bad points. Just like having a root account has good points and bad points. I'll go over the benefits/costs of both below.
Quote:
And if the Ubuntu thinking here was to keep people from logging into their box as root then this is not good Unix teaching.
I think it was to remove the need to use the account interactively as much as possible, or at least minimize it to the greatest extent possible.
Which is a sound security principle, and is taught by nearly every Linux introductory guide on the planet. UNIX too, if the guide is competently written (read: not for IRIX).
Quote:
wanting to be some wannabe Unix user looking for an easy way out, this not good Unix, or the Unix way, or did someone here forget we are running a Unix based OS.
Yes it is. sudo isn't a Linux creation. All the BSDs have it. It runs on every commercial UNIX on the planet.
Quote:
Yes of course if the noobs log into the box as root by mistake the security is at a greater risk,
If it's a greater risk, then why encourage the practice? Unless there's some benefit (which you've failed to mention), this statement is contradictory.
Quote:
but then you are supposed to be taught you NEVER login to Linux as root anyway,
Except when you have to. This line of thinking is impossible to achieve, so you can't use it as an argument here.
Quote:
Lets get back to the REAL basics, and start teaching the newbies the CORRECT way,
You haven't shown how having a root account for interactive use is the correct way. And the enterprise would tell you that you're generally wrong. Enterprise systems, especially those that are co-sysadmined, tend to not have root access at all. The password is set to something fiendishly long and locked away in a safe, and no one using the system knows it. Everyone uses sudo for any privileged access.
The only difference is their policy tends to be tighter than the one used in Ubuntu. But I'll cover that as well, below.
Quote:
especially when you are compromising the box by doing it when this is not correct.
It's not compromising the box. sudo isn't some instant root-kit vector or something. You clearly don't understand what it's capable of, or how to apply it to a security scenario.
Quote:
Teaching never login as root with a REAL box that has a root account, this is the Unix way!
Yeah, and guess how you do it *survey says*: sudo.
What other way do you propose to do privileged tasks? Short of coming up with some sort of terrible hack using capabilities, or RBAC or MAC using SELinux or similar applications, there is no other solution. And you certainly don't suggest those alternatives, so I'm forced to conclude you didn't intend for us to use them, either.
Quote:
You get a TISK TISK for bad thinking ---> [-X
No, you do, as it's patently obvious you didn't think this rant through before posting.
Quote:
Originally Posted by HungSquirrel
Windows should implement something similar in Longhorn where the Administrator should have to input a password every time he does something that could mess up the system (install/remove/configure software/hardware, run Windows Update, etc.). Many of the problems associated with Windows would be less severe if they did what Ubuntu does.
No, this is also incorrect. There are basically two cases to consider: home users and enterprise/corporate users.
- For home users, they're just going to enter the password anyway. It's not an effective deterrent to make them stop doing what they want to do; it just gets in their way.
- For corporate users, they can't do those privileged things anyway, so it's irrelevant.
Passworded access to privileged functions is good for proving you are who you say you are. It's also useful in case of an account compromise through means other than a password: the attacker only has access to the account, not the privileged functions available through sudo, as they've failed to compromise it.
Since many daemons have to run as a user to access the user's files (and this is more secure than running as root), this is an important security consideration. It's also one reason why sudo requires a password to perform privileged tasks: it prevents privilege elevation in the event of an exploit of one of these daemons.
Quote:
Originally Posted by dabeej
Seeing how most security attacks are for and against root accounts with weak passwords.
No, they're not. On UNIX and Linux, most security exploits don't involve passwords at all.
Quote:
Originally Posted by panickedthumb
If you make your password complex, it's just as hard to crack as a root password. So what's the big deal?
Actually, password complexity is meaningless since the advent of rainbow tables. Length is the only variable that determines how hard a password is to crack with a rainbow table. And rainbow tables for passwords up to 14 characters in length can be purchased, and the password cracked in a matter of minutes.
This is an aside, but an important one. While rainbow table attacks aren't terribly widespread yet (and only useful in the event of a compromise of /etc/shadow or wherever your passwords are stored) they do show that ironically, password "strength" is a mostly meaningless exercise.
Quote:
Also, sudo prevents you from accidentally doing something you don't want
No, it really doesn't. The idea that having to type a password before you run a command is going to make you less likely to run the command is a fallacy. Hell, sudo doesn't even prompt you every time by default.
If you decide you're going to run something, having a password prompt isn't going to make you think twice. And even if it will make you personally think twice, it won't make everyone think twice, so it's not a very good argument for using sudo.
Quote:
Originally Posted by HungSquirrel
In remote login scenarios with root logins disabled, having to crack two passwords (user, then root so you can su) makes the system more secure.
Only slightly. Performing the same "hard" task twice is a linear increase in difficulty. Which may be a sufficient deterrent. But given that most exploits (ignoring social engineering) aren't password related, this isn't a great reason to justify having a root account w/ password, although it is a valid one.
It still comes down to: "Is the root password going to be any harder to acquire than the user's password?" The answer to that is generally no when you have a passworded root account.
Quote:
Originally Posted by nocturn
Consider this:
$ ./configure; make
$ sudo make install
instead of running the configure and make as root too, it doesn't need it.
Sadly, this is a false example, as I can do that just as easily with su:
Code:
./configure
make
su -c "make install"
So this isn't a reason to use sudo either.
Quote:
The safest, but less comfortable way IMO is to have a userID you use to sudo from (different from your working ID).
You're going to provide support for this. Once again, unless you can show compromising that account to be harder, it's not true.
Quote:
Originally Posted by wmcbrine
There's a difference: it's possible in some circumstances to get into a user account without knowing the password,
Most circumstances, realistically. Most exploits aren't password related.
Quote:
(Users can't even read the hashed passwords in /etc/shadow; and if they could, they'd still need to crack them.)
Cracking them is trivial once /etc/shadow is gotten. Very trivial, in fact.
Quote:
By inactivating the root account, Ubuntu removes one obvious target for crackers.
System daemons still run as root and are still compromisable. The next correct step is to implement RBAC or MAC via something like SELinux.
Quote:
Consider: guess root password vs. guess user name AND password.
Guessing a username on a box is pretty trivial. Certain usernames are extremely common, and you have a very high chance of guessing it correctly. Certainly high enough that if you were going to randomly brute-force systems for weak passwords (e.g., that SSH brute-force attack that's been going for several months now), the username isn't a problem.
Quote:
Originally Posted by wmcbrine
Exactly. It's much harder to break into a user account and guess the password than to break into the root account, since you don't need the pw to break into a root account, or any others
What you say here makes no sense. You either need the password, or a piece of software to exploit. Software exploits aren't a relevant reply to his comment.
Quote:
Originally Posted by goofrider
Traditionally, we have a very strong root password, and users have weaker passwords (out of convenience). However, on a sudo system, it must be stressed that every sudoer must have a user password as strong as what they'd use for a root password, otherwise, their user accounts would be a single weakness of the password chain.
While what you say is true, as I've pointed out twice before, the importance of password strength now is almost irrelevant. In the event of an /etc/shadow compromise I already know your password. By the time you've figured out that the compromise occurred, I will have already accessed every account on the compromised system.
While strong passwords are still important to resist random brute-force attacks like the one I mentioned above, you don't need two levels of strength. The password simply needs to be strong enough to resist certain basic levels of brute-forcing. Unprivileged user passwords should be that strong too, to prevent compromise of the system among other vectors.
Quote:
Originally Posted by nocturn
4) Yes, every sudoer should be capable of being root in any case. Actually, this puts sudo at an advantage over giving several people root because actions are logged (unless you sudo su -, but this is also logged).
No, they should not. Ideally, no one should be able to get a root shell at all, as that breaks the audit trail. And I've seen systems implemented where this is the case: root shell access was impossible, and only a select few of the people who could run sudo could change /etc/sudoers.
Anyway, now that train wreck is over, let's talk about the realities of Ubuntu's sudo decision. It has advantages and disadvantages, which I'll cover in turn. Specifically, compared to the traditional interactive root account way.
Advantages:
- It's more convenient for the home user. They don't have to remember two passwords, and they don't have to log in to a completely separate session to perform privileged tasks (a la Windows).
- It does provide an audit trail for actions performed. Note specifically that this would be useless in the case of an intrusion, as an attacker could easily wipe the log. However, it is useful for debugging and other purposes.
- It allows for more fine-grained control over system privilege, though Ubuntu currently doesn't do this. Something which needs to be changed. Even a Windows XP level of administrators and users would be sufficient.
Disadvantages:
- In the event of a password compromise, it does mean the attacker has full access to the system. However, this isn't as bad as it sounds. Realistically, as I said above, the most common methods of gaining a password are going to yield the root password just as easily as the user's password. As such, this is not a realistic disadvantage. I'm going to say that again, as people will ignore it:
The above point is NOT a realistic disadvantage to Ubuntu's method.
- It doesn't limit the user's ability to perform privileged tasks in any way, which has benefits beyond security. To be fair, having a root account has this same disadvantage.
As much as I'd like to see the sudo policy be more than it is, that's not a workable solution with just sudo. This would require taking away more control than is possible from the user. It might be a workable solution using SELinux + sudo or similar, but that is some time off. Even then, I'm not sure I'd be comfortable shipping a desktop distribution like that.
So it looks to me like the sudo method has some positive advantages, and the only disadvantages it has are shared with having a root account anyway.
The simple fact of the matter is that the security of a password comes down to one thing and one thing only: the user who holds it. Holding two passwords instead of one doesn't make anything more secure unless the user treats one password more secure than the other. In this day and age, that's not really a very sensical policy, unless the user is capable of memorizing >14 character passwords. In which case, they could just memorize one long password instead of two.
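The audit-trail point raised in the post (sudo logs each command, but `sudo su -` or `sudo bash` hands the caller a session sudo no longer records) is something you can check for in practice. The following Python script is an added example, not code from the original post or from the sudo project: it parses the syslog lines that sudo writes in its default format and reports accepted invocations that end the per-command trail, keeping rejected attempts separate. The log lines are constructed for the example; the hostname `wks1` and all user names are invented.

```python
"""Flag sudo invocations that end the per-command audit trail.

Added example; not code from the original forum post. sudo logs every
accepted or rejected command to syslog as
    "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<argv>"
and rejections carry an extra free-text segment such as "command not
allowed". Once a user runs `sudo su -` or `sudo bash`, that single line
is the last thing sudo records for the session. This script parses such
lines and reports those cases.

Assumptions: sudo's default syslog output format (not JSON logging); the
hostname `wks1` and all user names below are invented.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log; not taken from any real system.
SAMPLE_LOG = """\
Mar  3 09:12:01 wks1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 09:12:40 wks1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice/src/foo ; USER=root ; COMMAND=/usr/bin/make install
Mar  3 09:15:22 wks1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Mar  3 09:20:05 wks1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:21:17 wks1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Mar  3 09:22:30 wks1 sudo:     dave : 3 incorrect password attempts ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/sh
Mar  3 09:23:00 wks1 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 50222 ssh2
Mar  3 09:25:44 wks1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -c /usr/bin/make install
"""

SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.*)$"
)
FIELD = re.compile(r"^([A-Z_]+)=(.*)$")

# Programs that give the caller an interactive session sudo cannot log.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish", "su", "login"}


@dataclass
class SudoEvent:
    timestamp: str
    host: str
    user: str
    tty: Optional[str]
    pwd: Optional[str]
    target: Optional[str]
    command: Optional[str]
    message: Optional[str]  # sudo's rejection reason; None when the command was accepted

    @property
    def denied(self) -> bool:
        return self.message is not None


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo syslog line, or None for any other line."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    fields, message = {}, None
    for seg in m.group("rest").split(" ; "):
        f = FIELD.match(seg)
        if f:
            fields[f.group(1)] = f.group(2)
        else:
            message = seg  # non KEY=VALUE segment: the reason sudo rejected the command
    return SudoEvent(
        timestamp=m.group("ts"), host=m.group("host"), user=m.group("user"),
        tty=fields.get("TTY"), pwd=fields.get("PWD"), target=fields.get("USER"),
        command=fields.get("COMMAND"), message=message,
    )


def breaks_audit_trail(command: str) -> bool:
    """True when COMMAND starts an interactive shell, after which sudo logs nothing."""
    argv = command.split()
    if not argv:
        return False
    prog = argv[0].rsplit("/", 1)[-1]
    if prog not in SHELLS:
        return False
    # `su -c CMD` or `sh -c CMD` runs one command, and that command is in the log line.
    return "-c" not in argv[1:]


def audit(log_text: str) -> dict:
    """Summarise accepted shell escapes and rejected attempts in a sudo log."""
    events = [e for e in map(parse_sudo_line, log_text.splitlines()) if e]
    escapes = [(e.timestamp, e.user, e.target, e.command)
               for e in events if not e.denied and breaks_audit_trail(e.command or "")]
    denied = [(e.timestamp, e.user, e.message, e.command) for e in events if e.denied]
    return {"total": len(events), "shell_escapes": escapes, "denied": denied}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"{report['total']} sudo events")
    for ts, user, target, cmd in report["shell_escapes"]:
        print(f"AUDIT GAP  {ts} {user} -> {target}: {cmd}")
    for ts, user, why, cmd in report["denied"]:
        print(f"DENIED     {ts} {user}: {cmd} ({why})")
```

Rejected attempts are reported separately on purpose: under a policy like the one described above, where nobody may obtain a root shell, `sudo bash` shows up as "command not allowed" rather than as an accepted command, and that is the line worth alerting on. Editors and pagers with shell escapes are deliberately not in `SHELLS`; adding them is a policy decision, not a parsing change.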