4/6/10

Setting the record straight on sudo | Linux and Open Source


I recently read a blog posting that denounced the use of sudo as insecure because of the following (briefly summed up and paraphrased) reasons:

1.      The idea that not using the root account is wrong, using root for everything is fine.
2.      That using sudo for everything provides a false sense of security over performing an action as root directly
3.      That using a user account password to get a root shell is a bad idea
4.      That using a root shell is not dangerous, and that this “grave misunderstanding” came from the idea that running X as root is dangerous
5.      That sudo has very little place in the Enterprise
6.      That relying on sudo is foolish, because it has bugs
7.      That everything should be done from a root shell, and that you should have to know the “uber-secret root password” to get that access

My first reaction to this blog posting was that the author had no idea how to use sudo properly or why you would want to. My second reaction was to give a big thank you to Ubuntu and OS X that, by default, provide a password-less root account and give administrators sudo access to everything, which pretty much leads to these kinds of silly anti-sudo articles.

To begin with, there is nothing wrong with using the root account if it is your system or you’re the administrator. Secondly, using sudo instead of a root shell is not more insecure. That’s simply ludicrous. The only difference is that with one you require knowing root’s password, and with the other you need to know your own password. If you are in the habit of using poor passwords, yes, this could bite you — but if you are already in the habit of using poor passwords, what’s to say that the root password isn’t just as bad?

And with systems like Ubuntu or OS X, where you don’t have a defined root password, you don’t have a choice but to use sudo (or to create the root password yourself but, in the end, the insecurity in all of this isn’t the software, it’s the end user coming up with poor passwords).

And the reason that people are very much discouraged from using X as root is because if you have a full GUI session as root, chances are you will fire up a browser, or an email client, or some other program that can have devastating effects on the system if compromised. This just makes sense. Running Firefox as an unprivileged user is a million times safer than running it as root, largely because those programs interact with untrusted data all the time.

As for the claim that sudo has no place in the enterprise because it has bugs, that is foolish as well. All software has bugs — sudo is no exception. Why not a bug in su? Or PolicyKit? Or SELinux? By that argument, no software should be trusted at all. As for the enterprise, sudo is almost a necessity in the enterprise because it provides logging so you can audit which user did what, and when. For instance, using sudo /etc/init.d/httpd status yields the following syslog entries:

Mar 13 21:03:13 hades sudo:   joe : TTY=pts/2 ; PWD=/home/joe ; USER=root ; COMMAND=/etc/init.d/httpd status

whereas with su, using su root -c /etc/init.d/httpd status:

Mar 13 21:04:25 hades su: pam_unix(su:session): session opened for user root by joe(uid=1001)
Mar 13 21:04:25 hades su: pam_unix(su:session): session closed for user root

The difference should be obvious. With sudo, we clearly know what joe did, when, and with what user privileges. With su, all we know is that joe opened a root session. Was it to run a root shell? Execute a command? If so, which command? There is absolutely no auditable information here at all. With sudo, and the ability to tightly delegate commands, you do not have to provide full, unfettered access to the system; you can provide access to exactly what they need. If joe only needs to be able to manage Apache, he does not need full system access as root, to do anything he wants. How this is supposedly more insecure, I have no idea.

Finally, the assumption that you have to use your own password with sudo is wrong again. You can tell sudo to authenticate against a particular user’s password instead, by adding to /etc/sudoers the following:

Defaults timestamp_timeout=0,rootpw

Now sudo will always ask for a password, and it will always be root’s password.

I really have a problem with the blanket assumptions people make about sudo, especially when they are wrong. Used correctly, it is a fantastic tool. Yes, it has had security problems in the past, but they have always been dealt with quickly (by both the upstream kernel and the Linux vendors providing it). Yes, Ubuntu and OS X use it in a very poor fashion, but their defaults are not sudo defaults.

Unfortunately, they have to use sudo in this fashion because the root users don’t get passwords by default. Without configuring sudo as they do, no one would get root privileges on these systems, even those that should have it.

It would be nice if people ranted about things that deserved it: sudo is just a tool, and it is very good at what it does. It is essential in the enterprise where PCI-DSS compliance is required, or any kind of auditing or logging is desired. The problem is when people don’t bother reading about its features or think that the defaults provided by one or two operating systems is “the norm” for sudo. It isn’t, and sudo shouldn’t bear the brunt of the criticism: poor configurations of sudo should.

Posted via web from bithacker's posterous

No comments:

Post a Comment