
Re: Could sudo be a security issue?



On Thu, May 15, 2003 at 09:17:03AM +1000, Stewart James wrote:
> 
> Hi all,
> 
> My manager just came in asking questions about sudo. We use sudo here as a
> replacement for having to know root passwords - in general there are
> around 5 of us who need root access to the machines we maintain. We
> typically have just fallen back to an ALL=ALL for ourselves so we can just
> prepend sudo to any command we need executed as root.

I generally use sudo more as a safety cover on the root buttons than a
guardian against root access. If an intruder has access to an account from
which you perform administrative tasks, you're already pretty well
screwed, regardless of whether the malefactor has yet obtained the root
password.

> Now in his mind this is removing a level of security. If someone manages
> to get my password, they also can gain access to root via sudo. In an

If someone gets your password, said person will likely be able to
manipulate your account so as to get root the next time you su.

OTOH, if you do want the extra security blanket, you could tweak PAM to
have sudo use a different password store or even an entirely different
authentication scheme...

> environment where I have 25+ machines, different passwords for all
> machines is not that workable.

Whether it's workable depends on how it's implemented. We assign all our
machines ID numbers for inventory control purposes. To generate
superuser passwords for our workstations, we hash the machine's number
and a secret key. The procedure generates a sufficiently unique and
random password for every machine.

Every administrator gets a magic decoder ring^Wprogram that can calculate
passwords. The password calculator obviously must be protected in the
same manner that you'd protect sensitive encryption keys or hardware
authentication tokens, as it's the key to your net.

If you have different classes of machines and different classes of
administrators, you can use more than one secret key to generate
passwords. A tech who should only have administrative access to a group
of user machines only gets the key used to generate their passwords.

> What are other people's thoughts on this? Where have I gone wrong in
> implementation? What would be your recommendations in this case?

-- 
William Aoki     waoki@umnh.utah.edu       /"\  ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B  <- key change    \ /  No HTML in mail or news!
99AF A093 29AE 0AE1 9734   prev. expired    X
                                           / \
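
Added example, not part of the original message and not the poster's program: one way to build the per-machine password calculator described above, assuming HMAC-SHA256 as the hash (the message does not say which one was used). The key values, the "root-password-v1" label, the ID format and the function names are all constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample keys, one per machine class. Assumption: real keys are
# random 32-byte values held in a protected store, never in source code.
CLASS_KEYS = {
    "workstation": bytes.fromhex("00" * 31 + "01"),
    "server": bytes.fromhex("00" * 31 + "02"),
}


def derive_password(class_key: bytes, machine_id: str, length: int = 20) -> str:
    """Derive a per-machine password from a class key and an inventory ID."""
    if len(class_key) < 16:
        raise ValueError("class key too short to resist guessing")
    # Normalise the ID so "ws-0042" and " WS-0042 " yield the same password.
    canonical = machine_id.strip().upper().encode("utf-8")
    if not canonical:
        raise ValueError("empty machine ID")
    # HMAC instead of hash(key + id): no concatenation ambiguity and no
    # length-extension weakness. The label allows a later scheme rotation.
    digest = hmac.new(class_key, b"root-password-v1|" + canonical,
                      hashlib.sha256).digest()
    # Base32 is easy to type; each character carries 5 bits (20 chars = 100 bits).
    return base64.b32encode(digest).decode("ascii")[:length].lower()


def passwords_for(class_name: str, machine_ids: list[str]) -> dict[str, str]:
    """What one administrator can compute: only machines of a class they hold."""
    key = CLASS_KEYS[class_name]  # KeyError if this admin lacks the class key
    return {mid: derive_password(key, mid) for mid in machine_ids}


if __name__ == "__main__":
    for mid, pw in passwords_for("workstation", ["WS-0041", "WS-0042"]).items():
        print(mid, pw)
```

Anyone holding a class key can compute every password in that class, so a leaked key means generating a new key and resetting the password on every machine it covered.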


