Slashdot Mirror
Sudo vs. Root
lessthan0 writes "In Mac OS X, the root account is disabled by default. The first user account created is added to the admin group and that user can use the sudo command to execute other commands as root. The conventional wisdom is that sudo is the most secure way to run root commands, but a closer look reveals a picture that is not so clear." The article is about OSX but the debate is a little older ;)
The article doesn't say that sudo isn't the most secure way to run commands, it just details how to make it even more secure.
Now all the black-hats out there will have a powerful new tool in their arsenal! You mean, a sudoer can, like, type "sudo /bin/bash" and then do all sorts of things as root? Pretty irresponsible of him to go telling the world a secret like THAT!
What the article mentions is not really a big problem, since that is more or less what would happen if someone guessed the root password (then they could tamper with anything, including the logs). If the administrator isn't knowledgeable, both sudo or root can get hacked, but this doesn't mean that sudo is worse or has more disadvantages than running as root.
Personally, I prefer sudoing a shell to run as root so I don't have to type the command all the time, but that's just in my home Ubuntu installation which I don't care much about.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
When there are lots of admins, sudo can be helpful. However, even then it's mostly useless because most admins get so irritated at having to type sudo before every command that they'll just sudo into a shell and be done with it, which sort of eliminates most of the advantages of sudo. To get around this, you'd need a security admin that is not only diligent about what access he gives out, but is also willing to deal with a lot of abuse from the other admins because he won't let them do what they want to do.
For a single-user system, sudo is pointless. Nearly everyone is just going to sudo into a shell to do anything where root is needed on their own personal box anyway.
As part of my day to day crap sudo can really help in running remote commands as root without having to login as root. We've got a few things setup which check system settings from a central node and being able to use a non root user, and then just using sudo /file really just helps keep things under control. Also with sudo you can fine tune which commands are allowed to be run. Overall a really nice toy
SolarVPS - Quality Windows and Linux Virtual Servers
News flash: Sudo, like many other tools, has a configuration file, which allows you to customize it's behavior. Details will be provided as they become available.
C'mon, anyone with even a passing involvement with sudo has looked at the sudoers file. You can configure pretty much any group or role based permission you want; if you can describe it as a logical statement, you can do it in sudo. Yes, out of the box, you can sudo to a shell (or to an app which has a shell escape).
This article is good advice for anyone running a unix-like operating system (OSX, Linux, etc). It's not knocking on OSX, just knocking on the default configuration. Sudo is really just a way to allow root access without allowing root logins. The best way to configure it: Root Account with a unique password (not the same as your user account) Sudo requires password to activate (caching is ok, but no automatic access, no keys) Sudo logs all commands Sudo only enabled for specific user accounts Root account has login disabled, ftp/ssh disabled. (using the /usr/bin/false trick mentioned in the article, I use true myself)
The winner is clear!
rooooar
Last login: Tue Mar 21 10:44:32 on ttyp1
Welcome to Darwin!
Hunter:~ Adam$ sudo su
Password:
Hunter:/Users/Adam root#
This is on an unmodified install....woops I guess that root account wasn't disabled after all!
But when you share a root account, revoking privilege from a single admin means that every remaining admin has to learn a new password.
More like news for noobs
Stuff that flatters?
This guy's the limit!
sudo passwd root
adventure-today.com
Now, a live CD and a setuid bash executable managed to fix the issue directly, but we learned an important lesson about root-less systems. If you screw up something like the /etc/sudoers, the system is hosed unless you
have physical access.
So as much as I use sudo for almost all my UID 0 needs, I think root still needs to live in every box just to safegaurd against such simple mistakes which ended up costing more hours than the sudo would've saved.Quidquid latine dictum sit, altum videtur
...is to choose a really difficult password and forget it. This will secure the box from its' worst enemy - yourself.
When your normal user has his mind set on performing a specific task (Such as installing the newest spyware-ridden p2p-downloader) you can popup a big red button and naming it "explode", the user will press it if he thinks it will get him closer to performing the task. Putting up a dialog and ask for the root password is for normal users only an obstacle to get by. They don't know what it mean, but they know how to get by it (By inserting the password).
Don't know any way of solving this except for training though. Or possibly making it IMPOSSIBLE to do certain tasks. But that no good solution.
All that is in bash history for the root user. And anyone who knows how to clean that can clean the log as well.
I would disagree, in some cases. I like that Ubuntu does things this way, because it's designed for less-experienced users. I often see posts in the forums that list several commands in a row to execute, all preceded by sudo.
Being a more experienced admin, that looks wierd and counterproductive. But here's the nice thing: it keeps users from opening up a root shell and then forgetting they're in that shell, where they could easily wreak havoc. I think that's a good thing.
Me, I pretty much just always type "sudo -i" to do my stuff. But I wouldn't want less experienced users doing that.
I'm just a part time sysadmin, so I don't know the nitty gritty, but it was beat into my head to use sudo instead of root simply so that I wouldn't "forget" I was in root and do something stupid...
There is no reason (usually) to be logged in as root, and that anything I need to do as root I could do using sudo. It seems to me that you hack with sudo just as easily as with root...
I guess most of the things in that article applies to Ubuntu (root disabled, sudo-only access to root privileges) as well. I wonder how Ubuntu devs and users feel about this.
Didn't we already have the wheel group for this? No direct root login and only members of wheel can su to root. http://en.wikibooks.org/wiki/Guide_to_Unix/Explana tions/Becoming_Root
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
Well you already can tell Windows (starting from w2k) to launch application under another account. Thou most Wind0ze applications can't that. It's not the problem of applications - it's that the windows api expects all the fancy stuff - like desktop and registry - to be present and set up for the user. Conventional apps rarely run okay that way - several admin applications run that way w/o problems.
Try it. Right click on the link to application or application itself and select "Run As". (Also you can hold "shift" button on right click - that way Wind0ze' Explorer would display complete right-click menu for the target, "Run As..." would be definitely there).
Note that under *nix, it's security feature to run application w/o bells and whistles. It's almost impossible to run them otherwise. Under Windows, due to mandated GUI, applications are always "fatter" compared to their *nix counterparts. In Unix world it's norm to have GUI running in unpriviliged mode and then pass user commands to small back-end tool running with all required priviliges. One can compromise the front-end - but still privileged back-end would dissmiss any disallowed command. For some unknown reason I rarely see such approach being used on windoze.
All hope abandon ye who enter here.
I'm the only user on my Linux laptop. My password is dead simple; I'm not worried about security -- the most likely people who might try to do something to my computer are other developers in my company, and they probably have a good reason.
However, I never run sudo su Why? Being forced to type "sudo" in front of potentially dangerous commands forces me to think a second time and make sure I'm not doing something stupid. If I type rm -r * and get prompted that I don't have access, you bet I'm going to double check to see if I'm in the right directory.
Ceci n'est pas une signature.
Read the sudo manpage. After you authenticate for the first sudo command, subsequent invocations won't require a password for a set interval of time (default is 5 minutes, unless overridden in /etc/sudoers).
"Inflammable means flammable? What a strange country!" -Dr. Nick, The Simpsons
That's right.
What many linux affectionados do not realize is there are many much more advanced power user control systems then sudo. My favorite example is RBAC which has, unlike sudo, some corporate/security professional appeal. See there. It is mostly used on Solaris where the integration level is impressive. For example we can make a requirement that some operations can be only performed by two admins (a "two men rule" ).
Sure, sudo can also can be taken to a much higher level when properly configured, but still ;-)
4. Allowing non-human users (e.g. www) to execute a strictly limited set of commands as root.
/sbin/ipfw add 2000 deny ip from [0-9.]* to any in
/sbin/ipfw to add the ip addresses of script kiddies to the firewall. Note that only adding addresses to one particular rule (in this case rule 2000) is allowed - any other usage of ipfw will fail.
For example, I have this command in my sudoers file:
www ALL = NOPASSWD:
This allows apache to use
By default OS X machines use the same password for sudo commands as they do for the regular user account. If you are more concerned about security than the average bear (or OS X user) you can change the password or you can disable sudo altogether and enable the root account with a different password. All of this is good info for those interested in security, but who are still learning.
From this article I predict a number of people knocking this default setup and then a rehash of the old argument as to what the default should be. I contend, that it is probably the correct default. OS X is a workstation not a server. It is designed for normal users. Having two password (heck having even one) is a usability issue for many users. People are confused by the whole concept of passwords and many have trouble remembering even one. Further, setting a second password only slightly increases the difficulty for a competent cracker. The truth is, there will be local escalations for the foreseeable future. OS X is not a super-locked-down server.
Basically, for the average user, a second password gains them very little except confusion. For more advanced users, well they can change the defaults, as many do. Maybe the only issue here is the in-between people. Those are the people targeted by this article. Those that might want to change the defaults if they knew about the issue and how to do it. Maybe this configuration should be made a little easier, or even incorporated as an option in the install process.
This default bears revisiting should Apple ever move to a more locked-down system. Maybe when users are accustomed application specific privileges they should also be introduced to a more layered security scheme. For now, though, I think the usability issue outweighs the security one.
This "problem" has been around a while and is not really a Mac OS X thing problem. In short poorly configured systems are less secure, imagine that. I can make my self type 3 or 4 different passwords to get to sudo or root, will this make me more secure, perhaps. However I guarantee that if Apple did this the first thing every user would do is enable root, or otherwise make it more sane and easy to administer the system. If by some greater decree they made it impossible to do this, fewer people will want such system, as it will make them harder to use. Whatever you do, if you have boot, you have "root" ( or at lease root like access). In short it is possible to layer on many levels of security over the "root" access of a system but it this actually wise?
I don't use much OS X but I do use Linux quite abit. When I set up my machines, of course I use root access, lazy heck no. I have hordes of little tweaks and such to perform, packages to install, things to edit and permissions to set. If I had to use sudo, my first command would be to open a root bash shell. As for security, a new system it not accessible to the outside, thats it. After a system is up and running, I tighten things up.
First thing, as mentioned, is to disable root access by ssh. Of course, use public keys instead of passwords where possible. However why not go a simple step further, and the article missed that. Most of my accounts, and certainly all those accessible with ssh don't even need the privileges to use sudo or su to root at all. In fact in most cases my externally accessible shell accounts have a very limited set of commands they can run, simply because shell access is so insecure to begin with (hello gcc under remote shell users). I feel that this is clean and efficient and not a real pain to setup.
If you are paranoid and want a 2nd password for "root" access, use such a limited user for all users, then make a second account that may use sudo or root and log the heck out of it. Make each prospective admin su to that first. in the end, its only how much security is reasonable that wins. if you need more unplug the box and lock the thing up in a closet to prevent physical access by lock key, this too can be broken...
When a pack of wolves hunt a herd of sheep, as a sheep you need not out run the wolves to be safe, only the slower sheep. These slower sheep (aka windows) are generally quite abit slower these days than you (OS X). However, this all depends on the number of wolves you keep (or allow) on your netoworks... If you can't generally trust your users you have other problems.
I ran in to these kinds of issues back in the Solaris 2.2 days and came up with a different solution.
.bash_historys so I could see who screwed up.
Solaris' problems were even more acute. Sudo was a download; it didn't come with the system. If you changed root's shell from the minimal Bourne shell the boot scripts would malfunction. More, root's home directory was "/". So setting up a personalized environment where you could use root access effectively was a pain.
The solution I came up with was a second root account. I just added another name with uid 0 using a seperate password, a seperate home directory and the ksh shell. Then I randomized the main root password, stored it away and promptly forgot it. I'd only need it for fsck on boot.
Later when I was in charge of multiple system administrators I gave each one their own root account. This let them set up their environment in a way that worked for them, it showed me who was using root commands when and it logged their commands to individual
It also means that like with sudo when a sysadmin leaves I don't have to change all the passwords. I just delete their account.
I still use sudo for folks who I don't expect to do much as root, but the sysadmins get their own root account.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
As far as I can figure, his argument all comes down to someone possibly stealing or guessing your password. Doesn't this problem exist with root as well? I love that his solution is to disable sudo and enable remote login on root. He then says that you should only allow public key authentication. So now we are back to the original problem. If someone obtains the password to an authorized account, they now have non-password root access to any server they want. From there, it's not too hard to setup another public key on the root servers that links to an unprivileged account. Now the user cannot just change their password every week for security, they need to go update all of these keychains. No, I'm afraid this author is horribly wrong. If you want to get rid of the problem of using your own password for doing root work, shut down sudo and use su. Do not under any circumstance enable remote login on root.
In related news, I am so tired of all of these non-news blog entries that keep being put on Slashdot. Give me real news from a reliable source, not some no-name idiot that has no clue what he is talking about. Seriously, we need some sort of blog tag that allows us to immediately identify blog articles and appropriately ignore them.
pcollins$ su su sudio
-- 3 events that reshaped the world in the 20th century: WW1, WW2, and WWW
Try the following:However, that's not going to stop joe user from copying bash over to
$ man woman *
-bash:
The most insecure thing about sudo that I see occurring frequently is that a person with an account that has sudo access uses the SAME account for unencrypted email.
So basically their password gets sent openly when they login via POP to check their email. Anyone with a sniffer can get their password, login, and have full sudo access.
Now that's great security for ya.
That's why when I install a distro like Ubuntu that defaults to using sudo I always make the first account a dedicated admin account. Which sort of raises the question of why not just use "root" in the first place...
Social engineering can assist. I work in an administrative environment where not only is sudo the preferred way to do things, but we have a policy where using 'sudo su' or 'sudo sh' can cause one to be written up and possibly terminated. I know, it sounds strict, but it works for us and makes usage of sudo much easier to manage.
There is an example in the 'sudoers' manual which tells how to remove 'su' and shell commands from those which sudo allows. I had to implement this after we discovered that some individuals who needed sudo access to do some things were using 'sudo sh' to get around the restrictions we placed on them. After the initial threat, they were much more agreeable to how we wanted them to do things *grin*
Actually, you missed the point of why sudo only asks for the user password. And so did the author of that web page (which is why he's wrong).
.bashrc was replaced, the shell you are running is a trojan. The password that you typed in was captured, and the cracker now knows the root password. In fact, it probably just used that password to launch a rootkit.
Firstly, asking for a root password has no effect on the security of the system. A cracker does not have to crack an extra password. Once your user account has been cracked, if you know the root password and use su (or sudo or whatever), then at some point you are going to login and do that. Unfortunately, the cracker knows your user password - your
This can be solved, with some form of secured authentication path (like a smartcard device, which can't be trojaned using the user's password, and there are also ways to do this without needing extra hardware). sudo supports stuff like that, if you know what you're doing. But simply asking for a second password, in an application running in the terminal, is no more than a speed bump. It's not the second layer of security that it looks like it should be. Anything you type into the terminal is compromised once an attacker has your user password.
Secondly, shared passwords are bad security. You can't easily change them - it has to be arranged between several people. You have to pass the secret between at least two people on at least one occasion, and somebody else can overhear when you do that. People tend to be less careful about information that is known to several people. If the secret leaks out, there's no easy way to trace who leaked it. There's all sorts of issues with shared passwords. If you really wanted a second password, you should have one 'root' password for every user who has root access (Kerberos systems allow for this scenario, because a Kerberos environment can have secure authentication paths; sudo and su don't, although you could have one 'login' password and one 'sudo' password by creative use of PAM, but you have to tackle the authentication path issue first).
Thirdly, the point of sudo asking for the user password is to authenticate that the user currently sitting in front of the computer is the same user that logged in at some point in the past. Users are forgetful; they walk away from their console to get coffee without locking it. sudo attempts to verify that the user currently sitting there is probably the right one, and not somebody else who snuck into their office. If you have sudo ask for a single shared root password, then one of the other users with root access could use somebody else's account, and would appear in the logs as that user. That means they deflect blame for their actions onto somebody else. If you really wanted to have a second password with a shared root password, you should ask for both the user and the root password.
You could argue that a user with root access can always just clean the logs afterwards - but this is not necessarily true. A system can be configured so that syslog immediately sends every message over the network to another host. sudo deliberately sends the message to syslog before running the command, so that this scenario remains secure. The user could immediately disable this configuration, but they can't stop that first message from going out, saying who they are and when they logged in. (We will assume that this scenario involves ssh access to a server located in a locked datacentre, so there is no opportunity to interfere with the physical network connection).
sudo's way of doing things really does have security advantages. It may be true that these advantages aren't relevant to the default macosx configuration, but that does not mean they don't exist. However, using a single root password, like the article author suggests, does not have security advantages over the default behaviour (see the first point in this post). And the default behaviour is more convinient for users (who only have to remember one password instead of two), which is almost certainly why Apple set it up that way. The article ignored this aspect.
I would argue that this is even not needed.
Just pick a good damned password.
Seriously. Nobody really cracks passwords anymore. Sure there are the ubiquitous SSH scans on the net looking for just insanely stupid passwords. Pick a good password and move on.
Firstly... any security discussion that starts with "what if they have your password" is flawed. They shouldn't have your password, if you let it go, or its THAT easy to guess.... then your security is broken right from the start and there is nothing you can do YOU ARE FUCKED.
I worked at a place that did sudo for root passwords, and I thought it was one of the god damned stupidest things ever. The ONLY benefit of it, was that it forced us to figure out how to make secure passwords for root that people could easily memorize and taught us all to use mnemonics. That was seriously the ONLY benefit.
Basically if you log in locally, or use ssh for everything, then your password never goes out in clear text. If you worry about ssh, then fine... use key authentication, then your password never gets used for anything but sudo.
Basically.... this is a totally fake issue. If someone has your user account password, you are just screwed. They can trojan your entire environment such that the chances that you will EVER notice is minimal, and then they will just get the root password the very next time you sudo.
Bottom line... protect your password... your security depends on it.
-Steve
"I opened my eyes, and everything went dark again"
This may be true for an individual user who doesn't have a lot to protect, but it's hopelessly naive in a business or other multi-user situation, or anywhere that security needs to be taken seriously. If you don't play games like "what if they have your password" and institute suitable measures to mitigate those potential situations, you're not even remotely secure. Things get accidently executed under the wrong account, keyloggers exist, people look over your shoulder... there are any number of ways the simply having a good password isn't really good enough. Redundancy and layering is the ONLY way to get trustworthy levels of security.
No relation to Happy Monkey
Same reason you're not supposed to log into Windows as an administrator all the time; if something goes wrong (security hole in a user-run program), or if you accidentally use the wrong command, your system isn't totally screwed (hopefully).
Windows actually has a similar feature, sort of- right-click on something and choose "run as...", then log in as an administrator.
"Quoting yourself is stupid." -Me
Laws do not persuade just because they threaten. --Seneca
And consider the zillions of applications which use your username. Do they get it from /etc/passwd (which would be wrong) or do they get it from $USER (which could also be maliciously set wrong)?
Having multiple users sharing a UID is an administrative disaster.
This is the second time I've heard vague references to "unpublished security holes" in Mac OS X, but every claim I've heard has been seriously short on content. Has it been reported to Apple? (You know they have an email address and a PGP key for this sort of thing.) If not, why not? Submit it, give them six months or whatever, and beyond that I don't think you're doing anyone any favors by keeping it secret; the chances are you're not the only person who knows about it and somebody is going to be selling it to blackhats on Russian IRC channels soon enough. Seems a lot better that everyone know about the hole and at least get a chance at fixing it (or at least to lock down their systems) -- or at least make it public and give Apple a serious kick in the ass when the bad PR starts rolling in.
I'm sorry if I sound like I'm attacking you, but this is not the first time I've heard someone talking about some "secret hole/backdoor/vunerability" and I'm getting sick of the contentless assertions. If you're hiding it because you want to sell it on the black market, that's one thing, but if that's not the motivation, just don't think you're really doing anyone a favor by sitting on it.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Our IT department (of a 70,000 person organization) audited my lab, and discovered that I had used an "insecure" password password. They determined this because they were able to crack it... ...but it took them 18 hours to crack, and they had to do it within the lab because the system in question was behind two firewalls, and the system itself had no sensitive information on it. It was an internal development system, and the password was made easy (two English words separated by a symbol) so that our sixty developers could remember it. The password itself was written on the whiteboard in the lab, but the auditors didn't mention that.
A Government Is a Body of People, Usually Notably Ungoverned
Ahahahaha thats pretty funny.
... and pretty much any other random substitution I can think of.
As I said before, nobody except security auditors really crack passwords anymore.
That said, its really not that hard to come up with a pretty acceptable and memorable password.
I like to take a song lyric or other phrase of about 8 words. Then take either the first letter of each word to start. For some words, I will choose a symbol other than the first letter, like "and" could become & or +
Then I pick out words to capitalise, or replace with l33tspeak numbers etc.
by the time I am done, I have a fairly nasty looking string that maps easily in one direction back to a phrase. Write it down, say the phrase while you use the password.
By about the 5th time, I can burn the paper copy.
For example, I will make one up right now....
password - mnemonic
4eIwMo^n - for example I will make one up now
I once, and I only admit this because I know that every system that has used this password has since had it changed several times.... I once used lyrics from "the song that does not end".... sadly it wasn't in use long enough to break the brains of anyone else in the office.
-Steve
"I opened my eyes, and everything went dark again"
Seriously. Nobody really cracks passwords anymore.
Umm, this is dead wrong. Password attacks are getting more and more effective and popular among serious attackers all the time. Why? Very simple: because as computers get faster, passwords get weaker. If the attacker can get a copy of the encypted password file, he's home free, because peoples' ability to remember passwords has not kept pace with the ability of computers to search them. Barring that, any authentication service that doesn't do lockouts and delays (e.g. many web interfaces) provides an attacker with a great tool for password cracking.
Note that this isn't an argument for or against sudo, because sudo also uses a password. It's just a different password. Sudo is valuable, but for other reasons.
But don't fool yourself that password cracking isn't useful "anymore". It's very useful to attackers, and getting more useful all the time.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.