Slashdot Mirror


Sudo vs. Root

lessthan0 writes "In Mac OS X, the root account is disabled by default. The first user account created is added to the admin group and that user can use the sudo command to execute other commands as root. The conventional wisdom is that sudo is the most secure way to run root commands, but a closer look reveals a picture that is not so clear." The article is about OSX but the debate is a little older ;)

15 of 327 comments

  1. Sudo by Poromenos1 · · Score: 3, Interesting

    What the article mentions is not really a big problem, since that is more or less what would happen if someone guessed the root password (then they could tamper with anything, including the logs). If the administrator isn't knowledgeable, both sudo and root can get hacked, but this doesn't mean that sudo is worse or has more disadvantages than running as root.

    Personally, I prefer sudoing a shell to run as root so I don't have to type the command all the time, but that's just in my home Ubuntu installation which I don't care much about.

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
  2. Remote management by solarbob · · Score: 3, Interesting

    As part of my day to day crap sudo can really help in running remote commands as root without having to log in as root. We've got a few things set up which check system settings from a central node and being able to use a non-root user, and then just using sudo /file really just helps keep things under control. Also with sudo you can fine tune which commands are allowed to be run. Overall a really nice toy.

    --
    SolarVPS - Quality Windows and Linux Virtual Servers
  3. Good Advice by Se7enLC · · Score: 5, Interesting

    This article is good advice for anyone running a unix-like operating system (OSX, Linux, etc). It's not knocking on OSX, just knocking on the default configuration. Sudo is really just a way to allow root access without allowing root logins. The best way to configure it:

    - Root Account with a unique password (not the same as your user account)
    - Sudo requires password to activate (caching is ok, but no automatic access, no keys)
    - Sudo logs all commands
    - Sudo only enabled for specific user accounts
    - Root account has login disabled, ftp/ssh disabled. (using the /usr/bin/false trick mentioned in the article, I use true myself)

  4. Re:Sudo is only useful when there are lots of admi by Abalamahalamatandra · · Score: 2, Interesting

    I would disagree, in some cases. I like that Ubuntu does things this way, because it's designed for less-experienced users. I often see posts in the forums that list several commands in a row to execute, all preceded by sudo.

    Being a more experienced admin, that looks weird and counterproductive. But here's the nice thing: it keeps users from opening up a root shell and then forgetting they're in that shell, where they could easily wreak havoc. I think that's a good thing.

    Me, I pretty much just always type "sudo -i" to do my stuff. But I wouldn't want less experienced users doing that.

  5. Ubuntu by towsonu2003 · · Score: 3, Interesting

    I guess most of the things in that article apply to Ubuntu (root disabled, sudo-only access to root privileges) as well. I wonder how Ubuntu devs and users feel about this.

  6. Re:I guess that this article can be skipped by ThePhilips · · Score: 2, Interesting

    Well you already can tell Windows (starting from w2k) to launch application under another account. Though most Wind0ze applications can't do that. It's not the problem of applications - it's that the windows api expects all the fancy stuff - like desktop and registry - to be present and set up for the user. Conventional apps rarely run okay that way - several admin applications run that way w/o problems.

    Try it. Right click on the link to application or application itself and select "Run As". (Also you can hold "shift" button on right click - that way Wind0ze' Explorer would display complete right-click menu for the target, "Run As..." would be definitely there).

    Note that under *nix, it's a security feature to run application w/o bells and whistles. It's almost impossible to run them otherwise. Under Windows, due to mandated GUI, applications are always "fatter" compared to their *nix counterparts. In Unix world it's the norm to have GUI running in unprivileged mode and then pass user commands to small back-end tool running with all required privileges. One can compromise the front-end - but still privileged back-end would dismiss any disallowed command. For some unknown reason I rarely see such approach being used on windoze.

    --
    All hope abandon ye who enter here.
  7. Re:Sudo is only useful when there are lots of admi by MaoTse · · Score: 2, Interesting

    That's right.

    What many linux aficionados do not realize is there are many much more advanced power user control systems than sudo. My favorite example is RBAC which has, unlike sudo, some corporate/security professional appeal. See there. It is mostly used on Solaris where the integration level is impressive. For example we can make a requirement that some operations can be only performed by two admins (a "two men rule").

    Sure, sudo can also be taken to a much higher level when properly configured, but still ;-)

  8. Here's the Score by 99BottlesOfBeerInMyF · · Score: 4, Interesting

    By default OS X machines use the same password for sudo commands as they do for the regular user account. If you are more concerned about security than the average bear (or OS X user) you can change the password or you can disable sudo altogether and enable the root account with a different password. All of this is good info for those interested in security, but who are still learning.

    From this article I predict a number of people knocking this default setup and then a rehash of the old argument as to what the default should be. I contend that it is probably the correct default. OS X is a workstation not a server. It is designed for normal users. Having two passwords (heck having even one) is a usability issue for many users. People are confused by the whole concept of passwords and many have trouble remembering even one. Further, setting a second password only slightly increases the difficulty for a competent cracker. The truth is, there will be local escalations for the foreseeable future. OS X is not a super-locked-down server.

    Basically, for the average user, a second password gains them very little except confusion. For more advanced users, well they can change the defaults, as many do. Maybe the only issue here is the in-between people. Those are the people targeted by this article. Those that might want to change the defaults if they knew about the issue and how to do it. Maybe this configuration should be made a little easier, or even incorporated as an option in the install process.

    This default bears revisiting should Apple ever move to a more locked-down system. Maybe when users are accustomed to application-specific privileges they should also be introduced to a more layered security scheme. For now, though, I think the usability issue outweighs the security one.

  9. Re:Oh, great! by diegocgteleline.es · · Score: 3, Interesting

    Well, and what happens if it's an application being compromised who runs sudo?

    I've never liked that "security measure" in mac os x or ubuntu. Take an IM app or browser. Find a bug in it, and exploit the hole by running "sudo rm -rf /".

    AFAIK there's nothing stopping that from happening? What that tells to my head is "you can do anything as root by using sudo". How can that be called "security"? I use a shared computer between several people and the first thing I do is to run "sudo passwd" because, well, other person could do it if I don't do it before him.

    If it doesn't have a password, I don't trust it. sudo just helps people to jump walls that they're not supposed to be able to jump.

  10. Re:How To Become Root on OS X by ScriptedReplay · · Score: 4, Interesting

    The root account is disabled by having the shadow password set to * - thus you can't enter a valid password for root.

    Why people keep on confusing this?

    Password login to the root account is disabled by having the shadow password set to * - thus you can't enter a valid password for root. Just because password logins are disabled does not mean the account is disabled — try ps -U root -u root u sometime. Besides, 'root' is just one name for uid=0, change your user's uid to 0 and bam! you're it, whatever name you have (but then if you can change your uid you're it already, this was just an academic example)

    Also, if your login relies on other methods than pam_unix then the star in /etc/shadow is meaningless. So in fact it should be further qualified as password login to root relying on /etc/shadow is disabled... The point being that 'root account is disabled' is hugely misleading.
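
Added example, not part of the thread or any commenter's post: a small audit over constructed Linux-style passwd and shadow lines that separates "password login locked" from "account disabled", the distinction drawn in the comment above, and lists every uid 0 account whatever its name. The account names, placeholder hashes and the `audit_uid0` helper are illustrative assumptions.

```python
# Constructed sample files in Linux passwd/shadow format (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second admin:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
root:*:19000:0:99999:7:::
toor:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
"""
# Shells that end the session immediately (the false/true trick from the thread).
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/bin/true", "/usr/bin/true",
                  "/sbin/nologin", "/usr/sbin/nologin"}

def password_locked(field):
    """True when no typed password can match: '*' or a leading '!'."""
    return field.startswith(("*", "!"))

def audit_uid0(passwd_text, shadow_text):
    """Report every uid 0 account and which ways into it are still open."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, field = line.split(":")[:2]
            shadow[name] = field
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if int(uid) != 0:      # privilege follows the uid, not the name "root"
            continue
        # Assumption: an 'x' entry with no shadow line is treated as locked.
        field = shadow.get(name, "*") if pw == "x" else pw
        findings.append({
            "name": name,
            "password_login": not password_locked(field),
            "empty_password": field == "",
            "interactive_shell": shell not in NOLOGIN_SHELLS,
        })
    return findings

if __name__ == "__main__":
    for f in audit_uid0(PASSWD, SHADOW):
        print(f)
```

In the sample, root has password login locked but keeps an interactive shell, so it stays reachable through sudo or non-password authentication, while toor is a second uid 0 account with password login still open.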

  11. Re:MUCH MUCH Much better solution by ScuzzMonkey · · Score: 3, Interesting

    This may be true for an individual user who doesn't have a lot to protect, but it's hopelessly naive in a business or other multi-user situation, or anywhere that security needs to be taken seriously. If you don't play games like "what if they have your password" and institute suitable measures to mitigate those potential situations, you're not even remotely secure. Things get accidentally executed under the wrong account, keyloggers exist, people look over your shoulder... there are any number of ways that simply having a good password isn't really good enough. Redundancy and layering is the ONLY way to get trustworthy levels of security.

    --
    No relation to Happy Monkey
  12. Re:Oh, great! by Knuckles · · Score: 2, Interesting

    I've never liked that "security measure" in mac os x or ubuntu

    As far as Ubuntu is concerned (dunno about OSX) it never was about security, or at least not in an abstract way, "what's more secure: root or sudo?". This is one of those myths that get perpetuated on mailing lists, /. and whatnot and drive me crazy. Someone misunderstood, and since then the myth refuses to die. Everyone writing about this topic should be forced to read the article on Ubuntu Wiki

    Sudo in Ubuntu was done for one thing: convenience. The user (assumed to be dumb, and rightly so) should only have password. The system would ask (via gksudo) for this one password whenever it needs admin access. Now, in the case of a dumb user who doesn't grasp the root concept, I do believe that sudo is more secure, but that is a side effect.

    --
    "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  13. Re:MUCH MUCH Much better solution by Kadin2048 · · Score: 3, Interesting

    This is the second time I've heard vague references to "unpublished security holes" in Mac OS X, but every claim I've heard has been seriously short on content. Has it been reported to Apple? (You know they have an email address and a PGP key for this sort of thing.) If not, why not? Submit it, give them six months or whatever, and beyond that I don't think you're doing anyone any favors by keeping it secret; the chances are you're not the only person who knows about it and somebody is going to be selling it to blackhats on Russian IRC channels soon enough. Seems a lot better that everyone know about the hole and at least get a chance at fixing it (or at least to lock down their systems) -- or at least make it public and give Apple a serious kick in the ass when the bad PR starts rolling in.

    I'm sorry if I sound like I'm attacking you, but this is not the first time I've heard someone talking about some "secret hole/backdoor/vulnerability" and I'm getting sick of the contentless assertions. If you're hiding it because you want to sell it on the black market, that's one thing, but if that's not the motivation, just don't think you're really doing anyone a favor by sitting on it.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  14. People don't crack passwords? by swillden · · Score: 2, Interesting

    Seriously. Nobody really cracks passwords anymore.

    Umm, this is dead wrong. Password attacks are getting more and more effective and popular among serious attackers all the time. Why? Very simple: because as computers get faster, passwords get weaker. If the attacker can get a copy of the encrypted password file, he's home free, because people's ability to remember passwords has not kept pace with the ability of computers to search them. Barring that, any authentication service that doesn't do lockouts and delays (e.g. many web interfaces) provides an attacker with a great tool for password cracking.

    Note that this isn't an argument for or against sudo, because sudo also uses a password. It's just a different password. Sudo is valuable, but for other reasons.

    But don't fool yourself that password cracking isn't useful "anymore". It's very useful to attackers, and getting more useful all the time.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  15. Re:Sudo insecure if same account used for email by adrenaline_junky · · Score: 2, Interesting

    sure, if they are dumb enough to use the same password for email as they do for their account...

    Right... which happens to be the default behavior of every linux distro I've ever worked with.