
Re: Emergency mode when root account locked

On Sb, 12 dec 20, 22:53:41, Keith Bainbridge wrote:
> On 12/12/20 7:29 pm, Andrei POPESCU wrote:
> > > AND run sudo as root, for additional safety
> > Is this supposed to be ironic? I really can't tell.
> There was a detailed discussion here about sudo being a security issue
> on our systems. It appears to be default in debian 10, so most of us get
> it as default. I looked at replacing sudo.
> I found an article that explained how to strengthen it by forcing sudo
> to require root password.
To my non-native understanding of English "run foo as root" usually 
means one first gains root privileges (by whatever means) and then runs 
that program with the elevated privileges.

In the context of the text you were replying to it seemed to me you 
might just be ironic (though admittedly I did also consider you might be 
referring to the 'targetpw' option in 'sudoers').

> If somebody breaks in, they now need my root password to execute
> commands that require root permissions (except a couple that I have
> given nopasswd privilege).

If a user's normal account is compromised most of what matters is 
already compromised as well. The root access is just icing on the cake 
and can be easily obtained with a keylogger (which an attacker would 
need anyway for all the other goodies).
Otherwise a probably quite simple 'sudo' script[1] in ~/.local/bin 
should do the trick as well: present a password prompt, save the 
password somewhere safe, pretend to fail and then call the real 

After all, how many users are calling 'sudo' with the full path?

Instead I would suggest admin tasks should be performed from a dedicated 
*normal* account, using sudo just for those commands that require 
elevated privileges.

This provides some additional security, while also being slightly safer 
from accidental mistakes than logging in as root directly.

[1] If I'm bored enough I might just write such a script myself.
[2] which by default is added to $PATH on Debian.
[3] and maybe deletes itself to remove traces

Kind regards,

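The wrapper trick described in the post only works when a directory the user can write to (such as ~/.local/bin) is listed in $PATH ahead of the directory holding the real sudo. The following audit script is an added example, not code from the thread or from Debian: it reports which PATH entries precede the trusted directory, which of those are writable by the current user, and which 'sudo' a given PATH would actually execute. The function names (`dirs_before_trusted`, `writable_shadow_dirs`, `first_sudo_in_path`) and the scratch directories in `demo` are my own constructions; the `sudo` files created there are empty placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): audit a PATH for a
# user-writable directory listed before the directory that holds the real
# sudo. Function and variable names are assumptions of this example.

# Print each PATH entry that comes before TRUSTED_DIR (default /usr/bin),
# one per line. An empty entry ("::", or a leading/trailing ":") means the
# current directory and is reported as ".".
dirs_before_trusted() {
    trusted="${2:-/usr/bin}"
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        : "${d:=.}"
        if [ "$d" = "$trusted" ]; then
            break
        fi
        printf '%s\n' "$d"
    done
}

# Of the entries ahead of TRUSTED_DIR, print those that exist and are
# writable by the current user: a look-alike 'sudo' dropped there would
# be found first. Note: run this as the user in question; root sees
# every directory as writable, so the result means little for uid 0.
writable_shadow_dirs() {
    dirs_before_trusted "$1" "$2" | while IFS= read -r d; do
        if [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Resolve the first executable named 'sudo' that the given PATH string
# would run (same search order as the shell); prints nothing if none.
first_sudo_in_path() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        : "${d:=.}"
        if [ -f "$d/sudo" ] && [ -x "$d/sudo" ]; then
            printf '%s\n' "$d/sudo"
            break
        fi
    done
}

# Constructed demonstration: two scratch directories stand in for
# ~/.local/bin and /usr/bin, each holding an empty placeholder 'sudo'.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/local-bin" "$scratch/usr-bin"
    : > "$scratch/usr-bin/sudo";   chmod 755 "$scratch/usr-bin/sudo"
    : > "$scratch/local-bin/sudo"; chmod 755 "$scratch/local-bin/sudo"
    p="$scratch/local-bin:$scratch/usr-bin"

    echo "PATH under test : $p"
    echo "sudo resolves to: $(first_sudo_in_path "$p")"
    echo "writable dirs ahead of $scratch/usr-bin:"
    writable_shadow_dirs "$p" "$scratch/usr-bin"

    echo "--- live check on this shell's PATH ---"
    echo "sudo resolves to: $(first_sudo_in_path "$PATH")"
    echo "writable dirs ahead of /usr/bin:"
    writable_shadow_dirs "$PATH" /usr/bin

    rm -rf "$scratch"
}
demo
```

If the live check lists anything, a wrapper placed in that directory would be executed in place of /usr/bin/sudo for any shell using that PATH; the straightforward fixes are to keep user-writable directories after the system ones in $PATH (or out of it entirely for the account used for administration) and to verify with `command -v sudo` which binary a shell is about to run.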