security issue of Linux sudo command?

Solution 1

It is not a security hole, at least no more than su is.

sudo is just a way for an administrator to have quick root access without using a root shell (which can be dangerous).

sudo just requires the user to enter his own password and will indeed give him root access (try $ sudo whoami). However, not everyone should be in the /etc/sudoers file.

If you take a look at the sudo manpage, you'll find how to limit sudo to some simple commands.

You can for instance, only allow the user bob to execute $ sudo poweroff without allowing him to do $ sudo cat /etc/shadow.

So no, it's not a security hole if you configure and use it correctly. If you don't want your users to have a root shell, think of forbidding commands like $ sudo su.
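The restriction this answer describes (bob may run `poweroff` but not `cat /etc/shadow`), as an added example that is not part of the original answer. It builds a sudoers drop-in from a single positive rule, refuses rules that grant `ALL` or a shell, and syntax-checks the file with `visudo -cf` when run as root. The user name `bob`, the command and the drop-in directory are assumptions.

```sh
#!/bin/sh
# Added example (not from the original answer): build a sudoers drop-in that lets
# one user run one command as root, and refuse rules that quietly hand out a shell.
# User "bob", command /sbin/poweroff and the drop-in directory are assumptions.

# One sudoers rule: <who> <host>=(<as whom>) <command>
# Anything not listed is denied, so "sudo cat /etc/shadow" and "sudo su" fail for bob.
restricted_rule() {
  printf '%s ALL=(root) %s\n' "$1" "$2"
}

# Return 0 if the rule grants a single non-shell command, 1 if it grants ALL or a shell.
# Deny rules written with "!" are not a substitute for this check: sudoers(5) notes
# they are easy to bypass (e.g. by copying the shell under another name), so the only
# real boundary is a short positive list of commands that cannot spawn other commands.
rule_is_restrictive() {
  cmd=${1##*") "}            # text after the "(root) " part
  case "$cmd" in
    ALL|*/sh|*/bash|*/su|*/su\ *|*/sh\ *|*/bash\ *) return 1 ;;
  esac
  return 0
}

# Write the rule into a drop-in (mode 0440, as sudo requires) and syntax-check it
# with visudo when we are root, the only context in which it would really be installed.
write_dropin() {
  dir="$1"; user="$2"; cmd="$3"
  rule="$(restricted_rule "$user" "$cmd")"
  rule_is_restrictive "$rule" || { echo "refusing to install shell-granting rule: $rule" >&2; return 1; }
  file="$dir/$user"
  umask 077
  printf '%s\n' "$rule" > "$file" && chmod 0440 "$file" || return 1
  if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1; then
    visudo -cf "$file" || { rm -f "$file"; return 1; }
  fi
  echo "installed $file"
}
```

Usage as root would be `write_dropin /etc/sudoers.d bob /sbin/poweroff`; afterwards `sudo -l -U bob` shows exactly the one command bob may run. The point of `rule_is_restrictive` is the one the comments below make as well: a rule that grants a shell, `su`, or `ALL` is full root, whatever the rest of the file says.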

Solution 2

If it were a security hole, sudo would have been taken down already. It's intentional; you can configure it to require the user's password, the root password or no password at all.

Because only root can configure it anyway, there's no security hole. Root configures who has access to it and who has to put in which password, for each user and for each group.

Also, about the last part: "since users other than root could run with root privilege": That's the whole point of the sudo program.

Solution 3

sudo is secure - secure enough for some distributions (Ubuntu) to use and recommend it by default.

That said, if you give blanket sudo rights to a user it largely removes the separation you have between that account and a root account. If you give blanket sudo rights to user timmy, for example, the timmy account becomes as privileged as the root account. Anyone who breaks into timmy's account can do anything as root (in most cases, timmy's password is needed).

Pro-sudo arguments

  • Usually set up so that nobody can log in as the user called "root". Can make it harder to brute-force a superuser login.
  • You can have fine-grained control over which commands a user can execute as superuser (though usually you'd give all privileges to one account, which effectively serves the same role as "root" with a different name).
  • Removes the temptation to just stay logged in as root, when not all commands you run need superuser privileges.

Anti-sudo arguments

  • sudo might be seen to encourage the practice of handing out superuser-level privileges to users, which is probably not a good idea.
  • sudo is a little more complicated to set up because it is so flexible. While this allows you to make it nice and secure, it can also make it easier to inadvertently open up security gaps if you're not careful or don't understand what you're doing.
  • It can be seen as a bad idea in general to use an account with superuser privileges for everyday use, and having sudo privileges is the next best thing. A counter-argument to this is that your user password is (in most cases) still required to elevate to superuser status, and this is not likely to be known to intruders/errant processes running as you.

Essentially they are just two different schools of thought, both valid enough to have whole distributions backing their own approach.

I'm more comfortable with the non-sudo approach, mainly because that's what I'm more familiar with as a Debian user. I find the simplicity of having a root account wins for me over the flexibility of sudo. I don't allow root login remotely (i.e. via SSH) and I recommend that nobody else should, either.

Solution 4

sudo is secure because:

  1. a root user, or another sudo-enabled user (who can run 'visudo' or '$EDITOR /etc/sudoers') has to modify /etc/sudoers to grant the privileges.

  2. You can restrict and specify exactly what a person can run with root privileges, which makes it possible to have varying levels of admin users on a server.

  3. As a privileged user you can view the existing /etc/sudoers file, to see which users have permissions.

  4. You don't have to share the root password amongst a team of administrators.

  5. There is full accounting of what is done with the sudo command, providing a clear audit trail.
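The audit trail of point 5, as an added example that is not part of the original answer: sudo logs every attempt to syslog (typically `/var/log/auth.log` or `/var/log/secure`) in the form `user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`, with a reason such as `user NOT in sudoers` or `command not allowed` inserted for refused attempts. The script below reduces such lines to "who ran what as root, and was it allowed", and lists users who obtained a root shell, after which the fine-grained rules of point 2 no longer constrain them. The log lines are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original answer): turn sudo's syslog lines into the
# "who ran what as root, and was it allowed" audit trail point 5 refers to.
# The log lines below are constructed for illustration; the format is sudo's default
# syslog record ("user : TTY=... ; PWD=... ; USER=... ; COMMAND=...").

sample_log() {
  cat <<'EOF'
Jan 10 09:12:01 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/poweroff
Jan 10 09:13:22 host sudo:    timmy : TTY=pts/1 ; PWD=/home/timmy ; USER=root ; COMMAND=/bin/bash
Jan 10 09:14:05 host sudo:    alice : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 10 09:15:40 host sudo:      bob : command not allowed ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 10 09:16:00 host sshd[2201]: Accepted publickey for bob from 192.0.2.10 port 50122 ssh2
EOF
}

# Read a syslog stream on stdin; print one "<user> <ok|denied> <command>" line per sudo record.
sudo_audit() {
  awk -F' ; ' '
    / sudo: / {
      # Field 1 holds "... sudo:    user : TTY=..." or "... sudo:    user : <reason>"
      user = $1
      sub(/ : .*/, "", user)          # drop everything after the user name
      sub(/.* sudo: +/, "", user)     # drop the syslog prefix
      status = ($1 ~ /NOT in sudoers|command not allowed/) ? "denied" : "ok"
      cmd = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
      print user, status, cmd
    }'
}

# Users who obtained an interactive shell as root: from that point on the per-command
# rules no longer apply to them. Editors and pagers with shell escapes would have the
# same effect, which this simple path check does not cover.
shell_escalations() {
  sudo_audit | awk '$2 == "ok" && $3 ~ /\/(sh|bash|su)$/ { print $1 }' | sort -u
}

# Stand-alone run: sample_log | sudo_audit ; sample_log | shell_escalations
```

On a real host the input would be `grep ' sudo: ' /var/log/auth.log | sudo_audit`; the denied lines are the ones worth alerting on, since they show an account probing for privileges it was not given.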

Solution 5

I think it's better for security than being logged in as root, as it isn't convenient to do things as root. It's certainly better for accountability, which is part of security.

You do have to restrict who would use it. Typically, you limit it to people who would know the root password anyway, although it's possible to get fancier and limit what specific people can do.

The security issue that bothers me is that it is not necessary to enter my password for every sudo command; if I enter another few from the same terminal without much time elapsing, it accepts the sudo without the password. This is presumably to avoid making me continuously enter my password, but it's conceivable that some bad-guy userland software could exploit that. I don't know enough to evaluate the risk, personally.
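The credential cache this answer is uneasy about is controlled by the `timestamp_timeout` option (in minutes) that a commenter below also mentions. As an added example that is not part of the original answer, the functions below generate a `Defaults` fragment that shortens or disables the cache and ties it to the terminal it was typed on, check whether the current terminal can currently sudo without a prompt, and drop the cached credential on demand. The drop-in location is an assumption.

```sh
#!/bin/sh
# Added example (not from the original answer): tighten sudo's credential cache.
# timestamp_timeout is in minutes: 0 asks for the password every time, -1 never asks
# again and is the value to avoid. timestamp_type=tty keeps the cached credential
# bound to the terminal the password was typed on, so a process on another pty
# cannot ride on it (on older sudo releases the tty_tickets flag does the same).
timeout_defaults() {
  minutes="$1"
  case "$minutes" in
    ''|*[!0-9]*) echo "timeout must be a non-negative integer number of minutes" >&2; return 1 ;;
  esac
  printf 'Defaults timestamp_timeout=%s\nDefaults timestamp_type=tty\n' "$minutes"
}

# Does this terminal currently hold a cached sudo credential? "-n" never prompts,
# so the exit status alone answers the question: 0 = yes, non-zero = no.
sudo_cached() {
  sudo -n true 2>/dev/null
}

# Drop the cached credential, e.g. before leaving the terminal or a long-running script.
sudo_forget() {
  sudo -k
}

# Stand-alone run (the drop-in path is an assumption):
#   timeout_defaults 2 > /etc/sudoers.d/timeout   # as root, then visudo -cf it
#   sudo_cached && sudo_forget
```

With `timestamp_timeout=0` the scenario the answer worries about disappears entirely at the cost of a prompt per command; a small value such as 2 keeps the convenience while bounding the window in which a process running as the same user on the same terminal could issue a silent `sudo`.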

Updated on September 17, 2022

Comments

  • George2
    George2 over 1 year
    1. I am using a Red Hat Enterprise 5 Linux box. I find that if a user is in the /etc/sudoers file, then if the user runs a command with sudo, the user will run this command with root privilege (without knowing the root password; the user running sudo only needs to input the user's own password in order to run a command with sudo). Is that a correct understanding?

      1. If yes, then is it a security hole? Since users other than root could run with root privilege?

    thanks in advance, George

    • balaji
      balaji almost 14 years
      Just beware: if you allow a user to run as root a command that can run other commands (i.e. bash), he'll just be root. If you allow him to run as root commands that write arbitrary files, he'll be root anyway.
    • galaxy
      galaxy almost 9 years
      There are multiple issues with using "sudo" on a system - one of them is that using sudo violates the principles of IT security - you should not be able to escalate privileges. I wrote an article re: the issues with sudo if anyone is interested: dmitry.khlebnikov.net/2015/07/…
  • George2
    George2 almost 14 years
    You mean all users in the sudoers file are admins?
  • ereOn
    ereOn almost 14 years
    @George2: Yes and no. All users that appear in sudoers (or belong to groups that are listed in sudoers) can use sudo. As I said, you can restrict the commands they might sudo. In short: all users that need to execute at least one command with elevated privileges should be in /etc/sudoers. Whether these people are called admins or not is up to you ;)
  • ereOn
    ereOn almost 14 years
    @George2: If a hacker has root access to your server (using sudo or anything else, it doesn't matter), it is game over already anyway.
  • Atulmaharaj
    Atulmaharaj almost 14 years
    Sudo is very configurable, so it's easy to reduce the timeout for remembering the password. Just edit the /etc/sudoers file and modify the Defaults line to look for example like this for a 2 minute timeout: Defaults env_reset,timestamp_timeout=2
  • Atulmaharaj
    Atulmaharaj almost 14 years
    If a hacker gets the password of a user that has full sudo privileges, then they can become root. Therefore, only give sudo privileges to users who you trust to handle their account securely. For example, we only allow sudo for admins who use certificates to login.