Sudo vs. Root
lessthan0 writes "In Mac OS X, the root account is disabled by default. The first user account created is added to the admin group and that user can use the sudo command to execute other commands as root. The conventional wisdom is that sudo is the most secure way to run root commands, but a closer look reveals a picture that is not so clear." The article is about OSX but the debate is a little older ;)
Re:Layered Security (Score:5, Insightful)
Sudo is only useful when there are lots of admins (Score:5, Insightful)
For a single-user system, sudo is pointless. Nearly everyone is just going to sudo into a shell to do anything where root is needed on their own personal box anyway.
Old news and Poorly written (Score:2, Insightful)
Must be a slow day for news for nerds. More like news for noobs
Use sudo to revoke root from a single user (Score:5, Insightful)
But when you share a root account, revoking privilege from a single admin means that every remaining admin has to learn a new password.
Problem with both sudo and Root (Score:4, Insightful)
Don't know any way of solving this except for training though. Or possibly making it IMPOSSIBLE to do certain tasks. But that's no good solution.
No it's not a mystery (Score:5, Insightful)
All that is in bash history for the root user. And anyone who knows how to clean that can clean the log as well.
Sudo more secure? (Score:2, Insightful)
I'm just a part time sysadmin, so I don't know the nitty gritty, but it was beat into my head to use sudo instead of root simply so that I wouldn't "forget" I was in root and do something stupid...
There is no reason (usually) to be logged in as root, and that anything I need to do as root I could do using sudo. It seems to me that you hack with sudo just as easily as with root...
Re:Messed up sudoers (Score:3, Insightful)
Re:Messed up sudoers (Score:5, Insightful)
Yes, this is the voice of experience with breaking just about everything at some point or another - it's how you learn. Well, it's one way *I* learn, anyway.
Re:Good Advice (Score:3, Insightful)
Personally, I also like the ability to go back through the logs and see what I've done...
-Dom
Re:Messed up sudoers (Score:4, Insightful)
And in other news, opticians around the globe are surprised to find that hindsight is always 20/20.
Old, but valid news (Score:3, Insightful)
I don't use much OS X but I do use Linux quite a bit. When I set up my machines, of course I use root access, lazy heck no. I have hordes of little tweaks and such to perform, packages to install, things to edit and permissions to set. If I had to use sudo, my first command would be to open a root bash shell. As for security, a new system is not accessible to the outside, that's it. After a system is up and running, I tighten things up.
First thing, as mentioned, is to disable root access by ssh. Of course, use public keys instead of passwords where possible. However why not go a simple step further, and the article missed that. Most of my accounts, and certainly all those accessible with ssh don't even need the privileges to use sudo or su to root at all. In fact in most cases my externally accessible shell accounts have a very limited set of commands they can run, simply because shell access is so insecure to begin with (hello gcc under remote shell users). I feel that this is clean and efficient and not a real pain to set up.
If you are paranoid and want a 2nd password for "root" access, use such a limited user for all users, then make a second account that may use sudo or root and log the heck out of it. Make each prospective admin su to that first. In the end, it's only how much security is reasonable that wins. If you need more, unplug the box and lock the thing up in a closet to prevent physical access by lock key; this too can be broken...
When a pack of wolves hunts a herd of sheep, as a sheep you need not outrun the wolves to be safe, only the slower sheep. These slower sheep (aka Windows) are generally quite a bit slower these days than you (OS X). However, this all depends on the number of wolves you keep (or allow) on your networks... If you can't generally trust your users you have other problems.
Pretty Tenuous Argument (Score:5, Insightful)
In related news, I am so tired of all of these non-news blog entries that keep being put on Slashdot. Give me real news from a reliable source, not some no-name idiot that has no clue what he is talking about. Seriously, we need some sort of blog tag that allows us to immediately identify blog articles and appropriately ignore them.
Re:Sudo is only useful when there are lots of admi (Score:2, Insightful)
Re:Oh, great! (ways around) (Score:5, Insightful)
Try the following: However, that's not going to stop joe user from copying bash over to
Sudo insecure if same account used for email (Score:5, Insightful)
So basically their password gets sent openly when they login via POP to check their email. Anyone with a sniffer can get their password, login, and have full sudo access.
Now that's great security for ya.
That's why when I install a distro like Ubuntu that defaults to using sudo I always make the first account a dedicated admin account. Which sort of raises the question of why not just use "root" in the first place...
Re:Oh, great! (Score:5, Insightful)
Re:2 passwords instead of 1 (Score:5, Insightful)
Firstly, asking for a root password has no effect on the security of the system. A cracker does not have to crack an extra password. Once your user account has been cracked, if you know the root password and use su (or sudo or whatever), then at some point you are going to login and do that. Unfortunately, the cracker knows your user password - your
This can be solved, with some form of secured authentication path (like a smartcard device, which can't be trojaned using the user's password, and there are also ways to do this without needing extra hardware). sudo supports stuff like that, if you know what you're doing. But simply asking for a second password, in an application running in the terminal, is no more than a speed bump. It's not the second layer of security that it looks like it should be. Anything you type into the terminal is compromised once an attacker has your user password.
Secondly, shared passwords are bad security. You can't easily change them - it has to be arranged between several people. You have to pass the secret between at least two people on at least one occasion, and somebody else can overhear when you do that. People tend to be less careful about information that is known to several people. If the secret leaks out, there's no easy way to trace who leaked it. There's all sorts of issues with shared passwords. If you really wanted a second password, you should have one 'root' password for every user who has root access (Kerberos systems allow for this scenario, because a Kerberos environment can have secure authentication paths; sudo and su don't, although you could have one 'login' password and one 'sudo' password by creative use of PAM, but you have to tackle the authentication path issue first).
Thirdly, the point of sudo asking for the user password is to authenticate that the user currently sitting in front of the computer is the same user that logged in at some point in the past. Users are forgetful; they walk away from their console to get coffee without locking it. sudo attempts to verify that the user currently sitting there is probably the right one, and not somebody else who snuck into their office. If you have sudo ask for a single shared root password, then one of the other users with root access could use somebody else's account, and would appear in the logs as that user. That means they deflect blame for their actions onto somebody else. If you really wanted to have a second password with a shared root password, you should ask for both the user and the root password.
You could argue that a user with root access can always just clean the logs afterwards - but this is not necessarily true. A system can be configured so that syslog immediately sends every message over the network to another host. sudo deliberately sends the message to syslog before running the command, so that this scenario remains secure. The user could immediately disable this configuration, but they can't stop that first message from going out, saying who they are and when they logged in. (We will assume that this scenario involves ssh access to a server located in a locked datacentre, so there is no opportunity to interfere with the physical network connection).
sudo's way of doing things really does have security advantages. It may be true that these advantages aren't relevant to the default macosx configuration, but that does not mean they don't exist. However, using a single root password, like the article author suggests, does not have security advantages over the default behaviour (see the first point in this post). And the default behaviour is more convenient for users (who only have to remember one password instead of two), which is almost certainly why Apple set it up that way. The article ignored this aspect.
Re:MUCH MUCH Much better solution (Score:5, Insightful)
Just pick a good damned password.
Seriously. Nobody really cracks passwords anymore. Sure there are the ubiquitous SSH scans on the net looking for just insanely stupid passwords. Pick a good password and move on.
Firstly... any security discussion that starts with "what if they have your password" is flawed. They shouldn't have your password, if you let it go, or it's THAT easy to guess.... then your security is broken right from the start and there is nothing you can do YOU ARE FUCKED.
I worked at a place that did sudo for root passwords, and I thought it was one of the god damned stupidest things ever. The ONLY benefit of it, was that it forced us to figure out how to make secure passwords for root that people could easily memorize and taught us all to use mnemonics. That was seriously the ONLY benefit.
Basically if you log in locally, or use ssh for everything, then your password never goes out in clear text. If you worry about ssh, then fine... use key authentication, then your password never gets used for anything but sudo.
Basically.... this is a totally fake issue. If someone has your user account password, you are just screwed. They can trojan your entire environment such that the chances that you will EVER notice is minimal, and then they will just get the root password the very next time you sudo.
Bottom line... protect your password... your security depends on it.
-Steve
Better kill your scripting languages then, too. (Score:4, Insightful)
Re:untrue (Score:3, Insightful)
And consider the zillions of applications which use your username. Do they get it from /etc/passwd (which would be wrong) or do they get it from $USER (which could also be maliciously set wrong)?
Having multiple users sharing a UID is an administrative disaster.
Re:Oh, great! (Score:3, Insightful)
Okay, wrong. Sudo still involves a password. Only allowed "sudoers" are able to run sudo, and they are prompted for a password. Sudo, in my humble experience, actually is more secure simply because of human nature. And here's why:
1) In distributions that expect you to use root, users tend to leave a terminal logged into root all the time. With sudo, there's an automatic timeout. If you walk away from the computer, the root permission gets locked.
2) Each command that needs to be run as root must be individually prefaced with "sudo". So, users naturally tend to only run things as root that really need to be run as root. Without sudo, users keep a terminal logged in as root, and run a series of commands in that terminal, many of which didn't need root access (a la someone coming into an irc channel as root).
3) Multiple admins on the same system aren't sharing a password.
4) Sudo can log who ran what commands. When someone screws something up logged in as root, there's no way to know who it was on a multi-admin system.
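The thread's recurring point is that sudo records who ran what (and that the earlier comment about sudo sending its syslog message before the command runs only helps if someone actually reads those messages), while a `sudo` straight into a shell hides everything that follows. This added example, not from the thread, parses sudo's syslog lines and flags shell escalations and failed attempts; the log lines are constructed samples in the format sudo emits.

```python
import re

# Constructed sample lines in the format sudo writes via syslog (authpriv).
SAMPLE_LOG = """\
Mar  3 09:12:01 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 09:12:01 srv1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Mar  3 09:12:40 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 09:15:03 srv1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
Mar  3 09:16:22 srv1 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# Programs that turn one logged sudo invocation into an unlogged root session.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh",
          "/bin/su", "/usr/bin/su"}

SUDO_RE = re.compile(r"sudo:\s+(\S+) : (.*)$")


def parse_sudo_line(line):
    """Return a dict for a 'user : ... ; COMMAND=...' sudo line, or None for other lines."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    ev = {"user": m.group(1), "reason": None, "command": None}
    # COMMAND is always last; split it off first so ' ; ' inside arguments is kept intact.
    head, sep, cmd = m.group(2).partition("COMMAND=")
    if sep:
        ev["command"] = cmd.strip()
    for part in head.split(" ; "):
        part = part.strip()
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        if has_eq:
            ev["target" if key == "USER" else key.lower()] = val
        else:
            ev["reason"] = part  # free text only appears when sudo refused the request
    return ev


def classify(ev):
    if ev["reason"]:
        if "incorrect password" in ev["reason"]:
            return "auth_failure"
        if "NOT in sudoers" in ev["reason"]:
            return "not_in_sudoers"
        return "denied"
    prog = ev["command"].split()[0] if ev["command"] else ""
    return "shell_escalation" if prog in SHELLS else "ok"


def audit(log_text):
    """Parse every sudo line and attach a verdict; returns a list of event dicts."""
    events = [parse_sudo_line(l) for l in log_text.splitlines()]
    return [dict(ev, verdict=classify(ev)) for ev in events if ev]
```

Runs as a filter over real /var/log/auth.log or journalctl output as well; the verdict list is what a remote syslog collector should alert on.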
Re:MUCH MUCH Much better solution (Score:2, Insightful)
As I said before, nobody except security auditors really crack passwords anymore.
That said, it's really not that hard to come up with a pretty acceptable and memorable password.
I like to take a song lyric or other phrase of about 8 words. Then take the first letter of each word to start. For some words, I will choose a symbol other than the first letter, like "and" could become & or +
Then I pick out words to capitalise, or replace with l33tspeak numbers etc.
By the time I am done, I have a fairly nasty looking string that maps easily in one direction back to a phrase. Write it down, say the phrase while you use the password.
By about the 5th time, I can burn the paper copy.
For example, I will make one up right now....
password - mnemonic
4eIwMo^n - for example I will make one up now
I once, and I only admit this because I know that every system that has used this password has since had it changed several times.... I once used lyrics from "the song that does not end".... sadly it wasn't in use long enough to break the brains of anyone else in the office.
-Steve
Re:Oh, great! (ways around) (Score:2, Insightful)