Re: Could sudo be an security issue?

To: debian-security@lists.debian.org
Subject: Re: Could sudo be an security issue?
From: Keegan Quinn <kquinn@respond2.com>
Date: Wed, 14 May 2003 16:59:52 -0700
Message-id: <200305141659.52549.kquinn@respond2.com>
In-reply-to: <Pine.LNX.4.53.0305150904530.14598@rave.its.vu.edu.au>
References: <Pine.LNX.4.53.0305150904530.14598@rave.its.vu.edu.au>

On Wednesday 14 May 2003 04:17 pm, Stewart James wrote:
> Hi all,

Hello Stewart,

> My manager just came in asking questions about sudo. We use sudo here as a
> replacement for hacing to know root passwords - in general there are
> around 5 of us who need root access to the machines we maintain. we
> typically have just fallen back to a ALL=ALL for ourselves so we can just
> prepend sudo to any command we need executed as root.
>
> Now in his mind this is removing a level of security. If someone manages
> to get my password, they also can gain access to root via sudo. IN an
> environment where I have 25+ machines, different passwords for all
> machines is not that workable.
>
> What are other peoples thoughts on this? Where have I gone wrong in
> implementation? What would be your recommendations in this case?

Well, as you probably guessed, this is a big can of worms.  You are using sudo 
the same way I am, and I believe it's proper.  Some people might consider 
this to be removing a 'layer' of security, sure - it essentially makes it so 
any admin's password is just as good as the root password, to an intruder.

Think about a scenario in which this would actually make a difference.  If 
someone has cracked any admin's password, on a normal /etc/shadow-based 
system, why couldn't they also crack root?  Sure, perhaps one could be 
sniffed, but that would point to another problem involving a lack of 
encryption.  One might argue that root should have a 'harder to crack' 
password, but I would reply that administrators should be equally protected.

So, basically, if you would really trust the integrity of your current system 
after some intruder has stolen an administrator password, then yes, using 
sudo is probably a bad idea.  Just go back to su, which has a seperate set of 
risks involving sharing the single root password.

If you (or your manager) really want multi-layered theoretical security, you 
should be taking advantage of SE Linux or something similar.  (Cue Russell 
Coker explaining how well it solves this problem ... :) )  Having a second 
password for root might be an 'additional layer of security,' but IMHO it's a 
pretty weak one.

 - Keegan

Reply to:

Follow-Ups:
- Re: Could sudo be an security issue?
  - From: Mark Ferlatte <ferlatte@cryptio.net>

References:
- Could sudo be an security issue?
  - From: Stewart James <stewart.james@vu.edu.au>

Prev by Date: Re: Could sudo be an security issue?
Next by Date: Re: Could sudo be an security issue?
Previous by thread: Re: Could sudo be an security issue?
Next by thread: Re: Could sudo be an security issue?
Index(es):
- Date
- Thread