Do people work under the assumption that sudo is meant to protect against malicious actors? I always considered it an administrative tool to differentiate between authorized users and administrators. You can, for example, limit a user to only running `sudo service` so they can log in an restart a service, but not make any other changes.
I thought the general strategy was to not give daemon accounts shell access at all. Getting shell access is the hard part for a malicious actor. Once you have shell, root access is just a matter of finding a piece of unpatched software with a privilege escalation exploit out there. Plus, there's still a lot of damage you can do without root access.
>Do people work under the assumption that sudo is meant to protect against malicious actors?
I wonder if it comes from having a windows mindset and the way windows screams at you about unauthorized software and forces you to use an administrator password for random arbitrary things while saying it's for your protection. With windows background as a single user operating system, heavily targetted by malware this makes sense.
Then they come onto linux, find out they need to use sudo to install things from package managers or access files in the root directory and immediately that protecting themselves mindset comes into play. However, taking into account Linux's background as a multi-user operating system, this mindset makes less sense as the tools while working similarly at a shallow level, were designed for totally.different purposes.
>Plus, there's still a lot of damage you can do without root access.
That's not really true. An unprivileged user shouldn't be able to take down a production system, or really adversely effect other users. Assuming you have disk quotas enabled, what else could an unprivileged user do?
> I always considered it an administrative tool to differentiate between authorized users and administrators.
For that you could just do
alias sudo=su -c
if you want the admin (root) password to be different from the user (authorized users) password.
I suppose the main advantage of sudo is it gives you more granular control over which commands are allowed and which aren't. For example if you're building a robot, you can allow the robot's process access to /sbin/shutdown to be able to restart the system on remote command (or lack of remote command).
> The only purpose of sudo is to protect you from yourself, that is, to avoid messing up your system by mistake.
This is one reason I increasingly don't like the normal Linux distro "system packages, plus everything else under the sun, with one interface and all co-mingled" default package management solution. I big fat "update the system" (or don't) button with my user-installed packages totally separate, as I get with macOS, is nicer. This made worse because, unless you're self-managing the base system and keeping it super minimal (as one might in Gentoo, Arch, or Void) Linux installations are weirdly fragile, I think in part because of this too-large package ecosystem all tied up with the "core" of the OS.
Especially on a single-user system, I should be able to install most software without escalating privileges. I should be able to blanket-update my user-facing software without any risk whatsoever that a kernel update will get thrown in with that (even if I don't read over the list to check—it shouldn't even be possible), nor with privileges to perform such even if it somehow did try to sneak in. I ought to be able to delete the directory with my user-installed packages and the system still boots with no errors or warnings—and yes, with a GUI and audio and networking and all that still working.
I know Nix and even a Homebrew port (with worse package availability, though) are options for achieving something kinda like this but it still feels like swimming against the current.
"user-installed packages totally separate" from the system is more or less how the BSDs work. OpenBSD provides user packages via pkg_add and pkg_delete, and the system updates with syspatch/sysupgrade. FreeBSD uses pkg update/pkg upgrade for user-installed packages, and freebsd-update for system updates. Maybe you'd like those systems better.
There's Fedora Silverblue [1] too. It's immutable so every installation is identical to every other installation of the same version. And then you install your Flatpaks isolated from the rest of the system on top of that.
> I big fat "update the system" (or don't) button with my user-installed packages totally separate, as I get with macOS, is nicer.
Today we live in the land of plenty. Computer hardware is so cheap, it's practical to put together a respectable lab with gear literally pulled out of a dumpster. The reason Windows and Mac OSes have a sharper line between system software and user software is because modern advances have made computer cheap enough that not only does almost everyone have their own personal computer, almost everybody has more than one. As a result, Windows and Mac have always been mostly single-user systems. Yes, yes, they support having multiple _accounts_ but usually by one person at a time, which limits the number of accounts (as a practical matter) to a handful at best.
All of the major Linux distributions were designed in a time where large multi-user systems were the norm. Disk space was limited, memory was small, CPU cycles were few. Unix (and hence Linux) was designed to make efficient use of these limited resources by installing popular software system-wide with shared dynamically-linked libraries because that was the only way to even _fit_ a few hundred users on one system. As a sysadmin, I get cold sweats thinking about what would have happened if every user wanted their own personal copy of Emacs on such a system.
> Especially on a single-user system, I should be able to install most software without escalating privileges.
I do believe you can, see Snaps and Flatpak. These run on just about everything. But there is a steep price: user-isolated applications can take an order of magnitude more disk space and significantly more memory compared to OS-built packages, see https://www.reddit.com/r/pop_os/comments/gia8s1/flatpak_pack...
If you're looking for a Linux distro that behaves more like Windows and Mac, you're in luck because Ubuntu is hurtling themselves in that direction as quickly as they can by making snaps compulsory on every desktop install.
> I should be able to blanket-update my user-facing software without any risk whatsoever that a kernel update will get thrown in
So, I think you have it backwards. Kernel updates generally contain important security or bug fixes and you absolutely _should_ be installing those and rebooting _well_ before even acknowledging the existence of your userland apps.
yes and no. there is a benefit in having user applications installed as root or as some other system user. they can't be exploited by malicious software that runs with user privileges.
Sudo serves one purpose well: for admin users to become root with an audit trail.
Why in 2020 do we still have non admin users on a host? Services! I still have non-admin users on my hosts for www, databases, etc.
Without sudo, the alternative would be for ssh to PermitRootLogin which is theoretically safe if root has a strong password etc, but in practice — should there ever be a bug in openssh that exploits permissive root logins — would needlessly expose systems to such a bug.
the problem with sudo is that it requires a password. on servers i use ssh keys to log in. i want that audit trail too, but either i set up sudo without a password, or i have to manage a user password as well. on some systems i thought to use ssh locally with a key, but then i need PermitRootLogin which doesn't distinguish between local and remote logins.
The stack exchange post is asking specifically for Desktop users.
But for shared linux servers, sudo is very useful. It allows controlling which users are allowed to administer the system. (Generally, people who aren't sudoers can only view log files or do other readonly things). It's much better than letting people login as root directly since it keeps an audit trail of who is actually administering the device (they will show up using the `users` command, for example).
I rarely use sudo to do any fine-grained access control - it's almost always an all-or-nothing configuration - specific users are granted full access (with passwords), and everybody else gets none. I suppose this means that I use only 5% of it's functionality, but this 5% is quite useful.
Sudo provides access control for root access, it's definitely not useless. Sudo allows for logging and locking of root actions. Those settings can be configured irresponsibly and lead to compromise for sure, but the main purpose is creating a sense of order to who can access what protected resources. Without sudo (or doas, or something like that), you're just running su whenever you want without real access control. For a timeshared system with a lot of users, handing out root in this fashion is especially irresponsible.
If a malicious sudoer has access to basically any system utility that takes a filename, and the filenames are not explicitly enumerated in sudoers, you're owned. The only way your claim here really holds is if you're limited to very specific pre-defined scripts with limited degrees of freedom in their arguments.
That is a fine thing to do. But when your operational processes are that structured, you're more likely to be doing code-reviewed changes to a configuration management repo, poking the API of a cluster scheduler, running playbooks in Ansible Tower or Jenkins, or something else that doesn't involve personal shell access.
The most important feature of sudo isn't what it does, but what it doesn't do.
What it doesn't do is run everything with root permissions giving every process you run access to the entire filesystem, which is what you would be doing without it.
sudo is great for phishing. If I want to take over a system, I just need the users password. Given that sudo is almost never set up correctly and is unrestricted to anyone allowed to use it, I just send a script that requires sudo, capture the password, then relay the password in a DNS request back to myself. All in good red teaming fun, of course.
Can you expand a bit on the type of scripts/scenario you'd use for something like this? I presume the email + script would need to be something legitimate enough looking as to not raise any red flags during a glance over, with built in assurances you aren't causing any real harm against the target, and then properly configuring the script (or downstream actions) to then get exfil'd. Very interesting nonetheless.
Our teams do not use sudo primarily to gain root privileges. We use `sudo sh` to switch contexts to a non-root user with different privileges. This allows us to modify web application code in the security context that it executes in (lower privilege).
Occasionally we do need to access system level resources, and `sudo` allows us to do this in a way that forces us to acknowledge that we are doing something more dangerous. However, we prefer using automation tools such as Chef to accomplish those things in a measured, repeatable way.
I work in a mixed environment of both Windows and Linux and in my opinion sudo is very similar to Windows UAC and local admin rights. In that, you can give someone access to a computer without sudo or local admin rights and they won't be able to make any system-wide changes. But for someone who does have sudo or local admin rights, then it's just a safeguard that should hopefully make the user think twice before escalating their privileges.
If a Windows user is tricked into downloading some malware, and runs it by using their local admin rights to bypass the UAC prompt, then the system is owned. I believe this is the same risk with sudo, although the hope is that the extra authentication prompt gives the user the opportunity to re-evaluate whether or not they want to run the command as a privileged user.
1. There's value in sudo (or su, or ssh root@localhost, or whatever alternative you like to logging in directly as root) as a safety measure, which is different from a security measure. Not having a paper towel holder wall-mounted above your stove is a great idea to prevent accidental fires, but it's completely irrelevant to stopping an arsonist. It's worth distinguishing these two cases.
2. sudo can be used for both running a limited set of commands and for running an unrestricted set of commands. These are also two different cases. It's a bit tricky to ensure your limited set of commands are secure (you need to make sure none of the commands allow you to run unconstrained commands in turn), but if you do it, that is a meaningful security limit compared to giving a user account unrestricted sudo or running that code as root. This isn't usually relevant for typical desktop systems, but if you're looking at designing some more involved deployment, it's relevant.
3. For a multi-server deployment with a team of sysadmins, the question isn't really about sudo vs. su vs. ssh as root - the question is about the chain of accounts between a sysadmin's keyboard and their privileged shell. If you can come up with a design where the account that they can use (directly or indirectly) to log into root is more highly trusted than their everyday account (the one they use for downloading software from the web and trying it out, running code written by other people in the company, etc.), then there's a meaningful benefit. There's a lot of ways to do that. One is to allow them to log in from their workstation's account to both a privileged sysadmin account with sudo and an unprivileged everyday one, and they do their work logged in elsewhere with the unprivileged account. One is to allow them to log in from their workstation's account directly to root, or to an unprivileged everyday account - it's weaker in terms of auditing but it has the same security properties as the previous solution. One is to set up multiple local accounts on their workstation, one privileged and one not, so they can work locally with their unprivileged account. The important bit is that the unprivileged account can't escalate to the privileged one. It doesn't matter if it does so with sudo or with su or with ssh or whatever, all of those can be used to escalate privileges.
If you really want, you can apply the scheme above to your desktop system. Make two accounts, have one be an admin account and one not. If you're installing drivers etc. switch to the admin account, but otherwise work in the non-admin account. If the non-admin account gets broken into, you can reliably use the admin account to wipe it and restore from a known-clean backup. That's generally annoying in practice, though.
It's definitely a design flaw that sudo doesn't use a secure attention key, and because of that, it adds no security at all in its normal configuration. But implementing that is probably impossible given the Linux desktop's lack of overarching design, and the fact that nobody cares about it (even a basic login doesn't have a SAK; Windows had that back in Windows 2000).
I'm pretty sure X doesn't support SAKs at all - any program can intercept any keystrokes. Maybe Wayland does, but then you somehow need to integrate your sudo binary with Wayland. And good luck getting that to work over SSH.
Security is about trade offs. Talking about absolutes makes barely sense in this context, because any perfectly secure system is also perfectly useless.
Despite the chosen solution on SO - and from how the question is stated, it is clear that the asker only wanted confirmation -, sudo has its uses, even if is not perfectly secure (especially with the default configuration).
I suggest a more sensible approach for all security-related discussions: All systems have vulnerabilities, but some improve your security posture.
One thing sudo does is prevent a local app takeover from completely owning your system. In particular, it can prevent a ransomware type attack from being able to touch your backups and makes it more difficult for the attackers to leave a persistent trojan in your system, especially the kind that can survive a reformat/reinstall or one that sniffs your network traffic.
To each their own, but in my experience, both professionally and personally, I find `sudo` to be mostly useless, and an annoyance at best (which can be good for some people, just not me). My typical use-case for `sudo` is: do X, oh, I need sudo permissions, sudo !!.
Any time I'm on Linux, I usually operate as root to avoid this annoyance and I put more weight into securing the machine in other ways - IP restrictions, cycling keys, cycling the servers, etc.
Sudo can prevent rookie mistakes, like wiping an OS or removing certain directories, but I consider most machines I work on to be ephemeral anyways, and anytime I make one of these mistakes it is a reminder to not do that next time - I prefer this to being hand-held and denied access superficially.
Oddly though, I do like that `sudo` exists in its current form, for people who are not as experienced. For me personally, I almost never interact with it.
Here's my question: should we just give up on using Unix permissions (or ACLs) for access control, and just containerize everything to limit access? That seems to be where things are headed.
sudo does what it is supposed to do - run commands as a specific user. Without entering password every time you run a command (because of caching). Depending on parameters it will also evaluate some parameters for that user.
If you don't have particular use for it, just don't use it.
[+] [-] mywittyname|5 years ago|reply
I thought the general strategy was to not give daemon accounts shell access at all. Getting shell access is the hard part for a malicious actor. Once you have shell, root access is just a matter of finding a piece of unpatched software with a privilege escalation exploit out there. Plus, there's still a lot of damage you can do without root access.
[+] [-] grawprog|5 years ago|reply
I wonder if it comes from having a windows mindset and the way windows screams at you about unauthorized software and forces you to use an administrator password for random arbitrary things while saying it's for your protection. With windows background as a single user operating system, heavily targetted by malware this makes sense.
Then they come onto linux, find out they need to use sudo to install things from package managers or access files in the root directory and immediately that protecting themselves mindset comes into play. However, taking into account Linux's background as a multi-user operating system, this mindset makes less sense as the tools while working similarly at a shallow level, were designed for totally.different purposes.
[+] [-] parliament32|5 years ago|reply
That's not really true. An unprivileged user shouldn't be able to take down a production system, or really adversely effect other users. Assuming you have disk quotas enabled, what else could an unprivileged user do?
[+] [-] nix23|5 years ago|reply
>only running `sudo service` so they can log in an restart a service, but not make any other changes
So you think too, its a security measure?
[+] [-] dheera|5 years ago|reply
For that you could just do
if you want the admin (root) password to be different from the user (authorized users) password.I suppose the main advantage of sudo is it gives you more granular control over which commands are allowed and which aren't. For example if you're building a robot, you can allow the robot's process access to /sbin/shutdown to be able to restart the system on remote command (or lack of remote command).
[+] [-] AndrewKemendo|5 years ago|reply
[+] [-] m463|5 years ago|reply
[+] [-] dTal|5 years ago|reply
[+] [-] karatestomp|5 years ago|reply
This is one reason I increasingly don't like the normal Linux distro "system packages, plus everything else under the sun, with one interface and all co-mingled" default package management solution. I big fat "update the system" (or don't) button with my user-installed packages totally separate, as I get with macOS, is nicer. This made worse because, unless you're self-managing the base system and keeping it super minimal (as one might in Gentoo, Arch, or Void) Linux installations are weirdly fragile, I think in part because of this too-large package ecosystem all tied up with the "core" of the OS.
Especially on a single-user system, I should be able to install most software without escalating privileges. I should be able to blanket-update my user-facing software without any risk whatsoever that a kernel update will get thrown in with that (even if I don't read over the list to check—it shouldn't even be possible), nor with privileges to perform such even if it somehow did try to sneak in. I ought to be able to delete the directory with my user-installed packages and the system still boots with no errors or warnings—and yes, with a GUI and audio and networking and all that still working.
I know Nix and even a Homebrew port (with worse package availability, though) are options for achieving something kinda like this but it still feels like swimming against the current.
[+] [-] elagost|5 years ago|reply
[+] [-] dependenttypes|5 years ago|reply
And have to update each software package manually as in windows/macos? (even worse, have a backdoor updater build-in on packages)
> I should be able to blanket-update my user-facing software without any risk whatsoever that a kernel update will get thrown in with that
But why? Any and all security updates should be installed as soon as possible, regardless if it is a kernel update or a browser update.
[+] [-] markosaric|5 years ago|reply
[1]: https://silverblue.fedoraproject.org/
[+] [-] bityard|5 years ago|reply
Today we live in the land of plenty. Computer hardware is so cheap, it's practical to put together a respectable lab with gear literally pulled out of a dumpster. The reason Windows and Mac OSes have a sharper line between system software and user software is because modern advances have made computer cheap enough that not only does almost everyone have their own personal computer, almost everybody has more than one. As a result, Windows and Mac have always been mostly single-user systems. Yes, yes, they support having multiple _accounts_ but usually by one person at a time, which limits the number of accounts (as a practical matter) to a handful at best.
All of the major Linux distributions were designed in a time where large multi-user systems were the norm. Disk space was limited, memory was small, CPU cycles were few. Unix (and hence Linux) was designed to make efficient use of these limited resources by installing popular software system-wide with shared dynamically-linked libraries because that was the only way to even _fit_ a few hundred users on one system. As a sysadmin, I get cold sweats thinking about what would have happened if every user wanted their own personal copy of Emacs on such a system.
> Especially on a single-user system, I should be able to install most software without escalating privileges.
I do believe you can, see Snaps and Flatpak. These run on just about everything. But there is a steep price: user-isolated applications can take an order of magnitude more disk space and significantly more memory compared to OS-built packages, see https://www.reddit.com/r/pop_os/comments/gia8s1/flatpak_pack...
If you're looking for a Linux distro that behaves more like Windows and Mac, you're in luck because Ubuntu is hurtling themselves in that direction as quickly as they can by making snaps compulsory on every desktop install.
> I should be able to blanket-update my user-facing software without any risk whatsoever that a kernel update will get thrown in
So, I think you have it backwards. Kernel updates generally contain important security or bug fixes and you absolutely _should_ be installing those and rebooting _well_ before even acknowledging the existence of your userland apps.
[+] [-] em-bee|5 years ago|reply
[+] [-] gorgoiler|5 years ago|reply
Why in 2020 do we still have non admin users on a host? Services! I still have non-admin users on my hosts for www, databases, etc.
Without sudo, the alternative would be for ssh to PermitRootLogin which is theoretically safe if root has a strong password etc, but in practice — should there ever be a bug in openssh that exploits permissive root logins — would needlessly expose systems to such a bug.
[+] [-] em-bee|5 years ago|reply
[+] [-] zeroimpl|5 years ago|reply
But for shared linux servers, sudo is very useful. It allows controlling which users are allowed to administer the system. (Generally, people who aren't sudoers can only view log files or do other readonly things). It's much better than letting people login as root directly since it keeps an audit trail of who is actually administering the device (they will show up using the `users` command, for example).
I rarely use sudo to do any fine-grained access control - it's almost always an all-or-nothing configuration - specific users are granted full access (with passwords), and everybody else gets none. I suppose this means that I use only 5% of it's functionality, but this 5% is quite useful.
[+] [-] millstone|5 years ago|reply
[+] [-] easterncalculus|5 years ago|reply
[+] [-] closeparen|5 years ago|reply
That is a fine thing to do. But when your operational processes are that structured, you're more likely to be doing code-reviewed changes to a configuration management repo, poking the API of a cluster scheduler, running playbooks in Ansible Tower or Jenkins, or something else that doesn't involve personal shell access.
[+] [-] RIMR|5 years ago|reply
What it doesn't do is run everything with root permissions giving every process you run access to the entire filesystem, which is what you would be doing without it.
[+] [-] icedchai|5 years ago|reply
[+] [-] LinuxBender|5 years ago|reply
[+] [-] thricegr8|5 years ago|reply
[+] [-] Jnr|5 years ago|reply
If they do, then it doesn't matter if it uses/fakes sudo, or not. They have some bigger problems.
[+] [-] rmrfstar|5 years ago|reply
[+] [-] sojsurf|5 years ago|reply
Occasionally we do need to access system level resources, and `sudo` allows us to do this in a way that forces us to acknowledge that we are doing something more dangerous. However, we prefer using automation tools such as Chef to accomplish those things in a measured, repeatable way.
[+] [-] amanzi|5 years ago|reply
If a Windows user is tricked into downloading some malware, and runs it by using their local admin rights to bypass the UAC prompt, then the system is owned. I believe this is the same risk with sudo, although the hope is that the extra authentication prompt gives the user the opportunity to re-evaluate whether or not they want to run the command as a privileged user.
[+] [-] geofft|5 years ago|reply
2. sudo can be used for both running a limited set of commands and for running an unrestricted set of commands. These are also two different cases. It's a bit tricky to ensure your limited set of commands are secure (you need to make sure none of the commands allow you to run unconstrained commands in turn), but if you do it, that is a meaningful security limit compared to giving a user account unrestricted sudo or running that code as root. This isn't usually relevant for typical desktop systems, but if you're looking at designing some more involved deployment, it's relevant.
3. For a multi-server deployment with a team of sysadmins, the question isn't really about sudo vs. su vs. ssh as root - the question is about the chain of accounts between a sysadmin's keyboard and their privileged shell. If you can come up with a design where the account that they can use (directly or indirectly) to log into root is more highly trusted than their everyday account (the one they use for downloading software from the web and trying it out, running code written by other people in the company, etc.), then there's a meaningful benefit. There's a lot of ways to do that. One is to allow them to log in from their workstation's account to both a privileged sysadmin account with sudo and an unprivileged everyday one, and they do their work logged in elsewhere with the unprivileged account. One is to allow them to log in from their workstation's account directly to root, or to an unprivileged everyday account - it's weaker in terms of auditing but it has the same security properties as the previous solution. One is to set up multiple local accounts on their workstation, one privileged and one not, so they can work locally with their unprivileged account. The important bit is that the unprivileged account can't escalate to the privileged one. It doesn't matter if it does so with sudo or with su or with ssh or whatever, all of those can be used to escalate privileges.
If you really want, you can apply the scheme above to your desktop system. Make two accounts, have one be an admin account and one not. If you're installing drivers etc. switch to the admin account, but otherwise work in the non-admin account. If the non-admin account gets broken into, you can reliably use the admin account to wipe it and restore from a known-clean backup. That's generally annoying in practice, though.
[+] [-] IshKebab|5 years ago|reply
I'm pretty sure X doesn't support SAKs at all - any program can intercept any keystrokes. Maybe Wayland does, but then you somehow need to integrate your sudo binary with Wayland. And good luck getting that to work over SSH.
[+] [-] Discombulator|5 years ago|reply
Despite the chosen solution on SO - and from how the question is stated, it is clear that the asker only wanted confirmation -, sudo has its uses, even if is not perfectly secure (especially with the default configuration).
I suggest a more sensible approach for all security-related discussions: All systems have vulnerabilities, but some improve your security posture.
[+] [-] perryizgr8|5 years ago|reply
[+] [-] jandrese|5 years ago|reply
[+] [-] unknown|5 years ago|reply
[deleted]
[+] [-] kempbellt|5 years ago|reply
Any time I'm on Linux, I usually operate as root to avoid this annoyance and I put more weight into securing the machine in other ways - IP restrictions, cycling keys, cycling the servers, etc.
Sudo can prevent rookie mistakes, like wiping an OS or removing certain directories, but I consider most machines I work on to be ephemeral anyways, and anytime I make one of these mistakes it is a reminder to not do that next time - I prefer this to being hand-held and denied access superficially.
Oddly though, I do like that `sudo` exists in its current form, for people who are not as experienced. For me personally, I almost never interact with it.
[+] [-] jasonhansel|5 years ago|reply
[+] [-] brodouevencode|5 years ago|reply
[+] [-] Jnr|5 years ago|reply
If you don't have particular use for it, just don't use it.
[+] [-] Koshkin|5 years ago|reply
[+] [-] unknown|5 years ago|reply
[deleted]
[+] [-] nix23|5 years ago|reply