
Thread: Sudo=Bad Security!

  1. #21
    Join Date
    Dec 2004
    Beans
    2

    Re: Sudo=Bad Security!

    Guys, the entire point of sudo is to be able to delegate certain tasks to other junior administrators on full multi-user systems and not entrust them with the root password. In addition to delegation, sudo frees you from changing the root password when an employee leaves the company.

    Giving everyone ALL=(ALL) ALL is a patently bad idea and it's (hopefully) not used this way. Only one or two administrators should have this ability. sudo is indispensable in medium to large environments.

    The old style of using "su" and disclosing the root password thinking is obsolete and should be frowned upon.
    Last edited by syndicate; May 4th, 2005 at 01:49 PM.
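
Added example (not part of the original post, and not code from the sudo project): a shell function that lists which sudoers entries carry the blanket ALL grant discussed above, as opposed to delegated commands. The sample policy, its user names (alice, bob, carol), the WEB_OPS alias and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample policy (illustrative, not from the thread).
sample_sudoers() {
cat <<'EOF'
# constructed example policy
Defaults    env_reset
Cmnd_Alias  WEB_OPS = /usr/sbin/service apache2 restart, /usr/sbin/service apache2 reload
root        ALL=(ALL) ALL
alice       ALL=(ALL) ALL
%admin      ALL=(ALL) NOPASSWD: ALL
bob         ALL=(root) WEB_OPS
carol       ALL=(root) /usr/bin/apt-get update, \
                       /usr/bin/apt-get upgrade
EOF
}

# Reads sudoers text on stdin and prints each user or %group whose command
# list contains an unrestricted ALL. Simplifications (assumptions of this
# sketch): aliases are not expanded, #include files are not followed, and
# multiple host specs joined with ':' are not split.
audit_blanket_grants() {
    awk '
    {
        # Join backslash-continued lines into one logical line.
        if ($0 ~ /\\$/) { sub(/\\$/, ""); buf = buf $0; next }
        line = buf $0; buf = ""

        # Skip blanks, comments, Defaults and alias definitions.
        if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) next
        if (line ~ /^[ \t]*(Defaults|(User|Runas|Host|Cmnd)_Alias)/) next

        eq = index(line, "=")
        if (eq == 0) next
        $0 = line
        who = $1

        cmds = substr(line, eq + 1)
        gsub(/\([^)]*\)/, "", cmds)        # drop Runas specs such as (ALL)
        gsub(/[A-Z_]+[ \t]*:/, "", cmds)   # drop tags such as NOPASSWD:

        # A bare ALL anywhere in the command list is a blanket grant,
        # even when followed by negated entries.
        n = split(cmds, c, ",")
        for (i = 1; i <= n; i++) {
            sub(/^[ \t]+/, "", c[i])
            sub(/[ \t]+$/, "", c[i])
            if (c[i] == "ALL") { print who; break }
        }
    }'
}

# Run against the constructed sample: lists root, alice and %admin.
sample_sudoers | audit_blanket_grants
```

On the sample, bob and carol are not listed because each is limited to named commands, which is the delegation case the post describes.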

  2. #22
    Join Date
    Nov 2004
    Beans
    2,614

    Re: Sudo=Bad Security!

    NB: This will be a very long-winded post, as I'm going to respond to everyone's factual and logical mistakes. If you want to see my take on Ubuntu's policy, scroll to the end.

    Quote Originally Posted by Xgates
    This sudo thing, it's bad security, someone gets into the user account then they have your box simpler than if there was a root password on it.
    No, it doesn't. A password is a password. I just have to get the right password.

    Having that root password means twice the effort is needed to get root on the box,
    No, it doesn't. It just means I have to get the root password instead of the user's password.

    You're operating under the assumption that a root password will be harder to steal than a user's password. Realistically, that's rarely true. Most people who you could persuade to give you their account password would also be willing to give you the root password. Even if they know the importance of root. This is what social engineering is all about.

    And if you remove the human factor, stealing one password becomes as equally likely as stealing another: you're relegated to brute-force style attacks. At which point, attempting to gain root is no harder than gaining a user's password. At least these days, anyway.

    now with people using Ubuntu only as sudo, all a cracker needs to get is the user account to gain control.
    And all they need without sudo is to get the root password.

    You're making the false assumption that a root password is somehow automatically more secure than a user's password. It's not. Its security still depends on the exact same factors. So without a compelling reason to believe that a root password is more secure, your whole argument is reduced to illogic.

    like this sudo ONLY thing going around thought for the sake of all the windows users, moving over to Linux, trying to make it easier, for the sacrifice in security.
    It's not a sacrifice, it's a distinct trade with good points and bad points. Just like having a root account has good points and bad points. I'll go over the benefits/costs of both below.

    And if the Ubuntu thinking here was to keep people from logging into their box as root then this is not good Unix teaching.
    I think it was to remove the need to use the account interactively as much as possible, or at least minimize it to the greatest extent possible.

    Which is a sound security principle, and is taught by nearly every Linux introductory guide on the planet. UNIX too, if the guide is competently written (read: not for IRIX).

    wanting to be some wannabe Unix user looking for a easy way out, this not good Unix, or the Unix way, or did someone here forget we are running a Unix based OS.
    Yes it is. sudo isn't a Linux creation. All the BSDs have it. It runs on every commercial UNIX on the planet.

    Yes of course if the noobs log into the box as root by mistake the security is at a greater risk,
    If it's a greater risk, then why encourage the practice? Unless there's some benefit (which you've failed to mention) this statement is contradictory.

    but then you are supposed to be taught you NEVER login to Linux as root anyway,
    Except when you have to. This line of thinking is impossible to achieve, so you can't use it as an argument here.

    Let's get back to the REAL basics, and start teaching the newbies the CORRECT way,
    You haven't shown how having a root account for interactive use is the correct way. And the enterprise would tell you that you're generally wrong. Enterprise systems, especially those that are co-sysadmined, tend to not have root access at all. The password is set to something fiendishly long and locked away in a safe, and no one using the system knows it. Everyone uses sudo for any privileged access.

    The only difference is their policy tends to be tighter than the one used in Ubuntu. But I'll cover that as well, below.

    especially when you are compromising the box by doing it when this is not correct.
    It's not compromising the box. sudo isn't some instant root-kit vector or something. You clearly don't understand what it's capable of, or how to apply it to a security scenario.

    Teaching never login as root with a REAL box that has a root account, this is the Unix way!
    Yeah, and guess how you do it *survey says*: sudo.
    What other way do you propose to do privileged tasks? Short of coming up with some sort of terrible hack using capabilities, or RBAC or MAC using SELinux or similar applications, there is no other solution. And you certainly don't suggest those alternatives so I'm forced to conclude you didn't intend for us to use them, either.

    You get a TISK TISK for bad thinking --->
    No, you do, as it's patently obvious you didn't think this rant through before posting.

    Quote Originally Posted by HungSquirrel
    Windows should implement something similar in Longhorn where the Administrator should have to input a password every time he does something that could mess up the system (install/remove/configure software/hardware, run Windows Update, etc.). Many of the problems associated with Windows would be less severe if they did what Ubuntu does.
    No, this is also incorrect. There are basically two cases to consider: home users and enterprise/corporate users.

    1. For home users, they're just going to enter the password anyway. It's not an effective deterrent to make them stop doing what they want to do; it just gets in their way.
    2. For corporate users, they can't do those privileged things anyway, so it's irrelevant.
    Passworded access to privileged is good for proving you are who you say you are. It's also useful in case of an account compromise through means other than a password; the attacker only has access to the account, not the privileged functions available through sudo, as they've failed to compromise it.

    Since many daemons have to run as a user to access the user's files (and this is more secure than running as root) this is an important security consideration. It's also one reason why sudo requires a password to perform privileged tasks: it prevents privilege elevation in the event of an exploit of one of these daemons.

    Quote Originally Posted by dabeej
    Seeing how most security attacks are for and against root accounts with weak passwords.
    No, they're not. On UNIX and Linux, most security exploits don't involve passwords at all.

    Quote Originally Posted by panickedthumb
    If you make your password complex, it's just as hard to crack as a root password. So what's the big deal?
    Actually, password complexity is meaningless since the advent of rainbow tables. Length is the only variable that determines how hard a password is to crack with a rainbow table. And rainbow tables for passwords up to 14-characters in length can be purchased, and the password cracked in a matter of minutes.

    This is an aside, but an important one. While rainbow table attacks aren't terribly widespread yet (and only useful in the event of a compromise of /etc/shadow or wherever your passwords are stored) they do show that ironically, password "strength" is a mostly meaningless exercise.

    Also, sudo prevents you from accidentally doing something you don't want
    No, it really doesn't. The idea that having to type a password before you run a command is going to make you less likely to run the command is a fallacy. Hell, sudo doesn't even prompt you every time by default.

    If you decide you're going to run something, having a password prompt isn't going to make you think twice. And even if it will make you personally think twice, it won't make everyone think twice, so it's not a very good argument for using sudo.

    Quote Originally Posted by HungSquirrel
    In remote login scenarios with root logins disabled, having to crack two passwords (user, then root so you can su) makes the system more secure.
    Only slightly. Performing the same "hard" task twice is a linear increase in difficulty. Which may be a sufficient deterrent. But given that most exploits (ignoring social engineering) aren't password related, this isn't a great reason to justify having a root account w/ password, although it is a valid one.

    It still comes down to: "Is the root password going to be any harder to acquire than the user's password?" The answer to that is generally no when you have a passworded root account.

    Quote Originally Posted by nocturn
    Consider this:
    $ ./configure; make
    $ sudo make install

    instead of running the configure and make as root too; it doesn't need it.
    Sadly, this is a false example, as I can do that just as easily with su:
    Code:
    ./configure
    make
    su -c "make install"
    So this isn't a reason to use sudo either.

    The safest, but less comfortable way IMO is to have a userID you use to sudo from (different from your working ID).
    You're going to provide support for this. Once again, unless you can show compromising that account to be harder, it's not true.

    Quote Originally Posted by wmcbrine
    There's a difference: it's possible in some circumstances to get into a user account without knowing the password,
    Most circumstances, realistically. Most exploits aren't password related.

    (Users can't even read the hashed passwords in /etc/shadow; and if they could, they'd still need to crack them.)
    Cracking them is trivial once /etc/shadow is gotten. Very trivial, in fact.

    By inactivating the root account, Ubuntu removes one obvious target for crackers.
    System daemons still run as root and are still compromisable. The next correct step is to implement RBAC or MAC via something like SELinux.

    Consider: guess root password vs. guess user name AND password.
    Guessing a username on a box is pretty trivial. Certain usernames are extremely common, and you have a very high chance of guessing it correctly. Certainly high enough that if you were going to randomly brute-force systems for weak passwords (e.g., that SSH brute-force attack that's been going for several months now) the username isn't a problem.

    Quote Originally Posted by wmcbrine
    exactly. it's much harder to break into a user account and guess the password than to break into the root account, since you don't need to pw to break into a root account, or any others
    What you say here makes no sense. You either need the password, or a piece of software to exploit. Software exploits aren't a relevant reply to his comment.

    Quote Originally Posted by goofrider
    Traditionally, we have a very strong root password, and users have weaker passwords (out of convenience). However, on an sudo system, it must be stressed that every sudoer must have a user password as strong as what they'd use for a root password, otherwise, their user accounts would be a single weakness of the password chain.
    While what you say is true, as I've pointed out twice before, the importance of password strength now is almost irrelevant. In the event of an /etc/shadow compromise I already know your password. By the time you've figured out that the compromise occurred, I will have already accessed every account on the compromised system.

    While strong passwords are still important to resist random-brute force attacks like the one I mentioned above, you don't need two levels of strength. The password simply needs to be strong enough to resist certain basic levels of brute-forcing. Unprivileged user passwords should be that strong too, to prevent compromise of the system among other vectors.

    Quote Originally Posted by nocturn
    4) Yes, every sudoer should be capable of being root in any case. Actually, this puts sudo at an advantage over giving several people root because actions are logged (unless you sudo su -, but this is also logged).
    No, they should not. Ideally, no one should be able to get a root shell at all, as that breaks the audit trail. And I've seen systems implemented where this is the case: root shell access was impossible, and only a select few of the people who could run sudo could change /etc/sudoers.

    Anyway, now that train wreck is over, let's talk about the realities of Ubuntu's sudo decision. It has advantages and disadvantages, which I'll cover in turn. Specifically, compared to the traditional interactive root account way.
    Advantages:

    • It's more convenient for the home user. They don't have to remember two passwords, and they don't have to login in a completely separate session to perform privileged tasks (ala Windows).
    • It does provide an audit trail for actions performed. Note in this specific that this would be useless in the case of an intrusion, as an attacker could easily wipe the log. However, it is useful for debugging and other purposes.
    • It allows for more fine-grained control over system privilege, though Ubuntu currently doesn't do this. Something which needs to be changed. Even a Windows XP level of administrators and users would be sufficient.
    Disadvantages:

    • In the event of a password compromise, it does mean the attacker has a full access to the system. However, this isn't as bad as it sounds. Realistically as I said above, the most common methods of gaining a password are going to yield the root password just as easily as the user's password. As such, this is not a realistic disadvantage. I'm going to say that again, as people will ignore it:

      The above point is NOT a realistic disadvantage to Ubuntu's method.
    • It doesn't limit the user's ability to perform privileged tasks in any way, which has benefits beyond security. To be fair, having a root account has this same disadvantage.
    As much as I'd like to see the sudo policy be more than it is, that's not a workable solution with just sudo. This would require taking away more control than is possible from the user. It might be a workable solution using SELinux + sudo or similar, but that is some time off. Even then, I'm not sure I'd be comfortable shipping a desktop distribution like that.

    So it looks to me like the sudo method has some positive advantages, and the only disadvantages it has are shared with having a root account anyway.

    The simple fact of the matter is that the security of a password comes down to one thing and one thing only: the user who holds it. Holding two passwords instead of one doesn't make anything more secure unless the user treats one password more secure than the other. In this day and age, that's not really a very sensical policy, unless the user is capable of memorizing >14 character passwords. In which case, they could just memorize one long password instead of two.

  3. #23
    Join Date
    Mar 2005
    Beans
    947
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Sudo=Bad Security!

    Quote Originally Posted by LordHunter317
    Guessing a username on a box is pretty trivial. Certain usernames are extremely common,
    I can't agree with that, unless you mean "users" like daemon, mail, or nobody. You might be able to guess a username if you knew the real name(s) of (some of) the user(s), or their account names elsewhere; but that's an extra layer of knowledge to get past.

    Of course it also depends on the size of the system. I get the impression you're thinking of a big one, with a lot of user accounts to choose from. Me, I'm thinking of my own boxes, with only 1-3 regular accounts each.

    Or do you mean "a box" as in "some box, out of a large pool" rather than "any given box"? That may be, but it's not really relevant to the individual user.

    Quote Originally Posted by LordHunter317
    Quote Originally Posted by wmcbrine
    exactly. it's much harder to break into a user account and guess the password than to break into the root account, since you don't need to pw to break into a root account, or any others
    Um, that wasn't me, it was panickedthumb.
    Last edited by wmcbrine; May 5th, 2005 at 05:04 AM.

  4. #24
    Join Date
    Nov 2004
    Beans
    2,614

    Re: Sudo=Bad Security!

    Quote Originally Posted by wmcbrine
    I can't agree with that, unless you mean "users" like daemon, mail, or nobody.
    Look at the brute-force SSH attack that's been ongoing for a very long time now. It uses precanned usernames (e.g., bill, bob, jill, administrator) and gets enough hits to obviously still be worth running.

    Of course it also depends on the size of the system. I get the impression you're thinking of a big one, with a lot of user accounts to choose from. Me, I'm thinking of my own boxes, with only 1-3 regular accounts each.
    Obviously your odds of success with random guesses go up as the number of accounts increases.

    But the point still is: if I randomly attacked only the account "john" on boxes on the Internet, I'd still probably get enough hits to be worth my while.

    If my goal is a specific machine, then trying to learn the username first instead of randomly guessing might be worthwhile. But the reality of it is that you're more likely to be hit by a random-guess attack than one targeted specifically at your account and machine.

    Or do you mean "a box" as in "some box, out of a large pool" rather than "any given box"? That may be, but it's not really relevant to the individual user.
    It still is, just less so. Your box is on the Internet, right? That's a large pool of boxes.

    Um, that wasn't me, it was panickedthumb.
    My apologies. It's hard to review a post that long and be sure everything is correct.

  5. #25
    Join Date
    May 2005
    Beans
    142

    Re: Sudo=Bad Security!

    I'm not so sure if sudo = bad security but I can certainly say that having sudo is starting to get on my nerves.

    Luckily, we are able to change this easily but I wanted to ask, what security threats posses this machine now that it had sudo? It certainly looks like the default account that's created has been given some power and I would like to thoroughly understand how this is achieved in this distro.

    BTW, is there a full online doc on how Ubuntu works? I've tried searching for docs and even though they are helpful, I haven't seen a full documentation on Ubuntu.

  6. #26
    Join Date
    Nov 2004
    Beans
    2,614

    Re: Sudo=Bad Security!

    Quote Originally Posted by sprucio
    but I can certainly say that having sudo is starting to get on my nerves.
    Running a root shell is no less annoying unless you have to do multiple tasks. In which case, you can easily run 'sudo -s'.

    Luckily, we are able to change this easily but I wanted to ask, what security threats posses this machine now that it had sudo?
    If you just re-enable the root account, you effectively have two passworded root accounts. Compromise of your password or the root password means that the system has been fully compromised.

    As I showed earlier, how much of an actual real-world risk that is is a matter of some debate. If your passwords are "strong" and you are responsible with them, you probably haven't increased your risk in any measurable way.

    It certainly looks like the default account that's created has been given some power and I would like to thoroughly understand how this is achieved in this distro.
    Via the /etc/sudoers file, like always with sudo. I'm sure that's not the answer you want, but I don't understand the question, either.

  7. #27
    Join Date
    Oct 2004
    Location
    Canada
    Beans
    208

    Re: Sudo=Bad Security!

    The biggest gain in security is not with the system but with the user. The reason most people log in as admin (or a user with those rights) on Windows is that it is a pain to log in and log out again just to do something like installing a piece of software. Sudo allows the user root/admin access when they need, without getting in the way much, which is good, otherwise they would log in as admin to save the trouble.

    So basically, it makes it more secure by making common admin tasks easier to perform in a secure way.

    Corey

  8. #28
    Join Date
    Apr 2005
    Location
    Toronto
    Beans
    77

    Re: Sudo=Bad Security!

    Quote Originally Posted by Burgundavia
    So basically, it makes it more secure by making common admin tasks easier to perform in a secure way.
    This is the point I like about sudo. Hackers and crackers don't concern me, since more often than not, I'm the single biggest threat to my own system and have done more damage in the past than I care to admit when running under su. At least sudo is a conscious extra step on my part, particularly if I run a command that requires root access when I may not have been expecting it. I like to think it's inflicting some form of good practise on me.

    Besides, I agree with what LordHunter was saying (at least, what I think he was saying, that was a lonnnggg post), I can't imagine why my root password would be more secure if someone could obtain my personal one. And if they gain physical access, it really doesn't matter either way.

    Of course, that's just my $0.02 for my situation. I don't run with open ports and am already behind a very secure firewall when on the net, so I'm not concerned about casual drive-by attempts from the net for hacking my system. I guess everyone has a different measure of where they stand on the secure vs convenience curve....

    Cheers,
    KV

  9. #29
    Join Date
    Dec 2004
    Location
    EU - Belgium
    Beans
    1,625

    Re: Sudo=Bad Security!

    Quote Originally Posted by LordHunter317
    Sadly, this is a false example, as I can do that just as easily with su:
    Code:
    ./configure
    make
    su -c "make install"
    So this isn't a reason to use sudo either.
    You are correct, and many people already use su for this, but in reality, a great number of people just log in as root and run all commands like that.
    When logged in as unprivileged user (and sudo rights) you automatically tend to type the extra prefix only when needed.
    Linux user #249404 - September 1997
    http://nocturn.vsbnet.be - RSS

    Before executing any commands, make sure you know what they mean, read this first!

  10. #30
    Join Date
    Mar 2006
    Location
    San Francisco Bay Area
    Beans
    371
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Sudo=Bad Security!

    Would it be any better to have a different password for sudo access? I have also been bothered that the same password to get into my most used account also gives sudo access. Maybe this would be roughly equivalent to what someone suggested about using a sudo enabled account only when necessary - only in this case, you would use the sudo account, but only the second password rarely.

    http://www.ubuntuforums.org/showthre...=181877&page=2
