[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sudo su gives root without prompting for a password

On Sun, 2003-12-07 at 19:33, Benedict Verheyen wrote:
> Hi,
> i recently removed the SUID bit from /bin/su.
> The permissions now look like this: -rwxr-x---
> Now i can just type "sudo su" to become root and no password
> is asked. Previously i needed to type the root password
> when using su. As a normal user, i now cannot run su anymore
> which is ok for me.
> The permissions of sudo are: -rwsr-x---

> My /etc/sudoers file looks like this:
> root ALL=(ALL)ALL
> benedict ALL= NOPASSWD: /usr/bin/find, /bin/cpio,
> /home/benedict/scripts/backup, /bin/echo, PASSWD: ALL
> The entries with NOPASSWD are because of a backup script.
> So why don't i need to type a password for running "sudo su".
> It just doesn't feel right the way it's now.
> Thanks,
> Benedict

I'm not an expert on sudo, but I believe sudo will only ask for your
password when running a binary. Also, it will only ask for the password
the first time. Therefore, if you run (for instance) `sudo find`, and
type in your password, the next time you run sudo, there will be no
password prompt from then on. Now, if you run `sudo su`, sudo will
forego asking your password, and run "su" as root. When root runs su, su
does not ask for a password (as defined in the default PAM su
configuration in Debian). As a result, running `sudo su` will give you
passwordless root access, as long as "su" is listed in the /etc/sudoers

Try entering "!/usr/bin/su" in the /etc/sudoers file. This should deny
the use of "su" through "sudo". However, this provides nearly no
security--it would be trivial to execute `sudo ln -s /usr/bin/su
/home/me/gimmeroot && sudo /home/me/gimmeroot`.

My suggestion? If being able to use "su" without a password gives you
the heebie-jeebies (as well it should), then be far more restrictive in
what you allow in /etc/sudoers. After all, if you're just going to allow
complete access with "sudo", you might as well just use "su".

Stephen Touset <stephen@touset.org>

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: