PlanetLab Creates a More Advanced Sudo
angry tapir writes "Researchers at the PlanetLab global research network have developed a potential replacement for the widely used Unix sudo tool, called Vsys, that will offer administrators far greater control over what end users can and can't access. Vsys is similar to sudo, except it offers finer-grained access to system resources. PlanetLab created Vsys as a way to allow its researchers to access low-level network functionality so they could develop new network technologies — overlay networks, user-level file systems, virtual switches — while their experimental work remained safely isolated from other users."
Will this mean they'll need to update the xkcd shirts?
I'd rather use su.
sudo already does everything (and more!) I could possibly need it to.
I'm certainly not against choice, just pointing out that it won't mean much for me.
And as the AC above me has already said; 'vsys make me a sandwich' just doesn't sound right.
Most admins ignore sudo's existing granularity, so why would they want an even more granular system? I'm not saying this new system has no uses -- clearly it does or no one would have built it -- but it's ridiculous to claim that it's likely to replace sudo in common usage when 75+% of admins have never changed the default sudoers file, let alone wanted even more granular control.
Sounds similar to SELinux's TE and RBAC. But it would be awesome if they're easier to work with.
When you have multiple admins on a system that can be a recipe for confusion, if nothing else sudo's logging is useful. Being able to restrict your users to be able to do *some* things as root is useful, and being able to allow them to do some things as another user, not necessarily root, is powerful sometimes - I had one project years ago I had to work around an old piece of library software with an utterly arcane user privilege setup. The simplest solution ended up being creating it its own user, where everyone who needed the software ran it as that user (transparently by opening it using a shell script I wrote). sudo is a very useful tool :-)
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
The heaping myriad of security tools and controls is already beyond what anybody can properly utilize, by a huge margin.
With Vsys, administrators can create scripts, called extensions, that can carefully detail which user actions are permissible. Extensions can be written in any programming language. The extensions are executable files.
I'm sure it's flexible, but wouldn't executable configuration be a potential source of programming errors, and thus an additional attack vector? If the extension is done correctly I assume all is well, but how do you make sure it is? Or are you better off using SELinux? (Which isn't user friendly either, but at least paranoid...)
.: Max Romantschuk
Is it just me, or does the article just sound really confused?
I mean, sudo has little to do with user permissions or anything like that - the mnemonic is "sub user and do". It tries to change the current user to the user specified in the command line (and uses root if none is specified), and executes the command it's given. That's it. That's all it does. It doesn't have anything to do with "fine grained permissions", that sort of thing should be handled at the OS level.
It's not a sudo replacement, it's something that changes the OS security model and probably has some other junk. Even with this thing installed, sudo will still sub user and do.
We need to protect users from buggy install scripts that execute rm -rf /usr.
Solaris (and other RBACs) allow you to remove root and have very fine-grained controls over who does what and where even in virtual machines (containers). This problem has already been solved before many, many times so I doubt there is a need for yet another system. Even sudo itself allows for very fine grained controls.
Custom electronics and digital signage for your business: www.evcircuits.com
# :vsys su -
Password for User : FU
$ :
- Dan.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Im not a huge Solaris fan. But, isn't this similar to Solaris RBAC?
Not trolling. Just fed up with sudo. For a single user system, why not have the option of just plain not installing it by default? I mean, it's my system. I'm going to perform all root operations on it. Why do I have to be inconvenienced by this annoying application?
The game.
If distros/admins adopt it or not is another question altogether. For most, the basic tools of: "su -c 'make install'" or "sudo" do all the needed things. On a well built system, why would the (non-sysadmin) user need root access for anything? Most businesses do not allow non-IT staff to install software or change anything more than the wallpaper. You usually need to make a request to IT to have something special done on your machine anyway. It's generally a good setup that way.
is wildcards in usernames. For example, I have multiple users that I have named 'test-user1', 'test-user2', etc. Now if I want to give them sudo access for a certain set of commands, I would either have to create an entry for each user in sudoers, or place them all in a group and put that in the sudoers file. Both are not quite optimal as it requires me to maintain the sudoers file manually (I want it to be dynamic) or maintain a separate group on POSIX level.
What would be nice is if sudo would allow me to create a test-* entry. Maybe vsys can do that. Although that's the only missing feature of sudo I would actually need. For the rest, sudo suits my needs just fine.
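One way to get the dynamic behaviour the post asks for without editing sudoers per user, as an added example that is not part of the thread, sudo, or Vsys: keep a POSIX group in sync with every account whose login name starts with a prefix, and point a single %group rule in sudoers at that group. The group name "testusers", the prefix "test-", the Cmnd_Alias contents and the sample passwd lines are all assumptions constructed for this example; gpasswd -M comes from shadow-utils.

```shell
#!/bin/sh
# Added example (not from the thread, sudo or Vsys): keep group $GROUP equal to
# the set of accounts whose login name begins with $PREFIX, so one sudoers rule
# of the form "%testusers ALL = ..." covers test-user1, test-user2, ... without
# hand-editing sudoers or the group file when accounts come and go.
# Assumed names: group "testusers", prefix "test-" (override via environment).

PREFIX="${PREFIX:-test-}"
GROUP="${GROUP:-testusers}"

# matching_users PASSWD_TEXT PREFIX
#   Reads passwd(5)-format lines from $1 and prints, comma-separated, the login
#   names that begin with $2. A plain prefix match, so "testing" does not match
#   "test-" even though it shares the first four characters.
matching_users() {
    printf '%s\n' "$1" | awk -F: -v p="$2" \
        'NF >= 7 && index($1, p) == 1 { n[++c] = $1 }
         END { for (i = 1; i <= c; i++) printf "%s%s", (i > 1 ? "," : ""), n[i] }'
}

# sync_group GROUP MEMBERS
#   Replace the group's member list with MEMBERS (comma-separated). Needs root;
#   gpasswd -M is the shadow-utils way to set a group's full member list.
sync_group() {
    gpasswd -M "$2" "$1"
}

# The sudoers side (install with visudo, never by editing the file directly);
# the alias contents are an assumption for this example:
#   Cmnd_Alias TESTCMDS = /usr/bin/systemctl restart testsvc, /usr/bin/journalctl
#   %testusers ALL = (root) NOEXEC: TESTCMDS

# Constructed passwd lines for a stand-alone run; a real run uses `getent passwd`.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
test-user1:x:1001:1001::/home/test-user1:/bin/sh
alice:x:1002:1002::/home/alice:/bin/sh
test-user2:x:1003:1003::/home/test-user2:/bin/sh
testing:x:1004:1004::/home/testing:/bin/sh'

if [ "$1" = "--apply" ]; then
    # Live mode: read the real account database and rewrite the group.
    sync_group "$GROUP" "$(matching_users "$(getent passwd)" "$PREFIX")"
else
    # Dry run against the constructed sample: prints test-user1,test-user2
    echo "would set $GROUP members to: $(matching_users "$SAMPLE_PASSWD" "$PREFIX")"
fi
```

Run it from cron or a systemd timer with --apply to keep the group current; the sudoers rule never changes, and membership is visible in /etc/group, which keeps the setup discoverable for the next admin.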
And here all this time I always thought sudo's more advanced replacement was su
...I assume crap. Why? There are plenty of systems to get finer grained rights, e.g. acl. Problem is, most developers or administrators are unable to cope with even the most simple owner/group/other access controls. Make it more flexible and powerful and you get that much more security risks that the advantages by far outweigh the problems.
I don't see why you cannot properly scale Sudo via LDAP: http://www.gratisoft.us/sudo/man/1.8.1/sudoers.ldap.man.html I also believe some of the functionality described by the article can be achieved via the Plugin API introduced in Sudo 1.8.1: http://www.gratisoft.us/sudo/man/1.8.1/sudo_plugin.man.html
$luser@yourbox:sudo su -
Please enter the password for luser:
#passwd
Yeah, that's tough. And the first thing I do on a new Debian based box.
Good judgment comes from experience, and a lot of that comes from bad judgment.
...yawn.
It must have been something you assimilated. . . .
Groups should be defined in one place to avoid confusion. /etc/group is the place for that.
You have no idea how annoying it is if you have to admin a box that has had some system admin try and reinvent the wheel and not document it thoroughly. I've done consultancy for quite a while, and just finding out what people have done while a distro/OS provides proper tools for something is a large part of dealing with emergencies while production systems are down. It may sound like a sure way to be replaced, but please think of the poor sod replacing you when you've moved on to greener pastures. Either use the tools the way they were intended, or document everything you're doing like you're passing on to a novice.
I was promised a flying car. Where is my flying car?
Now somebody just needs to find the buggy buffers and write a few exploits. Nothing like the 20 year-long beta to get critical OS components to a state where sudo is now in *BSD/Linux.
Light (couldn't think of a better one)! It is my understanding that sudo is a setuid binary and that being true makes it one of the most dangerous code bases on a system. The more 'fine-grained' you get the more of an attack surface you expose just by the difference in code size. Sudo already has its share of vulnerabilities with the size that it is. KEEP IT SIMPLE STUPID!
The problem with the Unix security model is that it is designed to protect users against other malicious users. It does this by allowing each user to trash his own space, but not anyone else's space. But in modern computing environments, there is usually only one user, and sometimes less, and the challenge is to protect the computer against malicious programs. So, letting every program trash the one user's space isn't really that useful.
Of course the Unix security model can be adapted to protect against malicious programs. But in practice it is so difficult that no one bothers to try.
It appears to me, after a brief scan of TFA, that vsys just provides finer granularity without addressing the fact that the security model is fundamentally broken.
We need a model that makes it natural and easy to run every program in its own sandbox.
http://xkcd.com/756//
There is always suid bit, which does that in the system.
If all your required users are in group zarkers, and the user with required permissions is zarker, then:
-rwsr-x--- zarker:zarkers zark
Will do that for you.
# chown zarker:zarkers /usr/local/bin/zark
# chmod u+rws,g+rx-w,o-rwx /usr/local/bin/zark
Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
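The setuid pattern above only stays safe while the "other" bits are closed, so an admin wants a quick way to spot setuid programs that do not follow it. The following is an added example, not code from the thread or any project: it classifies a mode string such as -rwsr-x--- and reports setuid executables that any user on the box can run. The "mode owner group path" input format matches what GNU find prints with -printf '%M %u %g %p\n'; the sample lines are constructed, not real find output.

```shell
#!/bin/sh
# Added example (not from the thread or any project): audit setuid executables.
# The group-restricted pattern "-rwsr-x--- owner:group" limits who can even run
# the privileged binary; this script flags setuid files that lack that limit.
# Assumed input format: "mode owner group path" per line, as produced by
#   find / -xdev -perm -4000 -printf '%M %u %g %p\n'   (GNU find)

# classify_mode MODE_STRING -> prints one of:
#   no-setuid         setuid bit not set
#   group-restricted  setuid set, not executable by "other"
#   world-executable  setuid set and executable by "other"
classify_mode() {
    mode="$1"
    # character 4 is the user-execute slot: 's' = setuid+x, 'S' = setuid without x
    ux=$(printf '%s' "$mode" | cut -c4)
    # character 10 is the other-execute slot: 'x', or 't' when sticky is also set
    ox=$(printf '%s' "$mode" | cut -c10)
    case "$ux" in
        s|S) ;;
        *) echo no-setuid; return 0 ;;
    esac
    case "$ox" in
        x|t) echo world-executable ;;
        *)   echo group-restricted ;;
    esac
}

# audit_lines "LINES" -> prints "mode owner:group path" for each setuid file
# that is world-executable, one per line; everything else is silently passed.
audit_lines() {
    printf '%s\n' "$1" | while read -r mode owner group path; do
        [ -n "$mode" ] || continue
        if [ "$(classify_mode "$mode")" = world-executable ]; then
            printf '%s %s:%s %s\n' "$mode" "$owner" "$group" "$path"
        fi
    done
}

# Constructed sample input (not real find output).
SAMPLE='-rwsr-x--- zarker zarkers /usr/local/bin/zark
-rwsr-xr-x root root /usr/bin/passwd
-rwxr-xr-x root root /usr/bin/true'

audit_lines "$SAMPLE"
```

The output is a review list, not a verdict: /usr/bin/passwd is meant to be setuid and world-executable, so the point of the check is to see which entries are expected and which are a forgotten wrapper that should have had its other bits stripped.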
What? You have a cheese burger now? Fine, Thank you. I am happy with my sandwich. (I see sudo wagging its tail)
Senthil
su-su-sudIO!
I hate to break it to you, but you're an Ubuntu user, not a Debian user.
# cat
Damn, my RAM is full of llamas.
*buntu has other ideas/agenda, which may be either good or bad, dependent upon circumstances.
"Tongue tied and twisted, just an Earth bound misfit
what will be next? SCO rises from the approximately twenty times dead and threatens to sue Linux users?
Oh, the beautiful gloss of greality!
People hardly ever use the fine grained security in sudo anyway.
http://michaelsmith.id.au
Sounds like RACF (Resource Access Control Facility) for mainframe operating systems (zOS and zVM). It's been around for 40+ years.
Folks,
Does no one remember 2007? Bob Watson presented a paper on exploiting concurrency to break all kinds of things like systrace back then, complete with example code. Vsys is the same kind of thing -- it has processes executing in an outside space where you can have a race condition and force the parameters to change after the clearance check but before it actually does the work. See:
http://www.watson.org/~robert/2007woot/
--Paul
The one serious deficiency(still ages ahead of just handing out the root password to everybody who needs to use su) with sudo is that the restrictions are on the level of what programs the user can run, rather than what they can do.
Given the number of *nix utilities that can be coaxed into functioning enough like a shell to invoke a full one, it is pretty easy to inadvertently assign permission for something that will let the user do anything they feel like...
See, even I can learn something new every day.
I don't know, but you should get a smack in the head for entering the command line switches last.
-- Linux user #369862
Why did putting ':' on your bash shell output '- Dan'? Seems like an odd alias. ;)
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
... only add someone to sudoers who knows how to use it.
How is that any different?
Sudo works.
More complexity breeds less security, so why do it?
This is like upstart coming along vs. sysv. Damn, I hate managing my ubuntu laptop and my phone.
OK, let's see here.
Sudo is simple, free, and ubiquitous. You can install, configure, and use it in a matter of minutes. It does what it's supposed to do, and doesn't get in the way. The need for something more powerful or fine-grained is just not there, generally speaking. If it were, then any of the other tools (RBAC, PowerBroker, etc.) would have taken hold and displaced sudo. They haven't.
This is like extended ACLs in Unix - a solution to a problem that isn't actually a problem for most people, and has already been solved.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Sudo does have some rudimentary shell-escape functionality.
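The two posts above make the same point: sudo decides which program may run, not what the user can do with it, and an allowed editor or pager can hand the user a full shell unless the rule carries the NOEXEC tag that sudoers(5) provides for exactly this case. As an added example, not code from the thread, sudo or Vsys, here is a small audit that reads a sudoers fragment and flags rules granting ALL and rules that run vi, vim, less or more without NOEXEC. It parses only simple one-line rules of the form "who host = (runas) [TAG:] cmd, cmd"; the sample fragment, the user names and the Cmnd_Alias are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, sudo or Vsys): flag sudoers rules that
# grant "which program" too loosely. Reports rules that grant ALL, and rules
# that run an editor or pager without the NOEXEC tag, which is the tag the
# sudoers manual documents for programs that can escape to a shell.
# Only simple one-line rules are understood; aliases and Defaults are skipped.

# risky_rules "SUDOERS_TEXT" -> prints "<reason>: <rule>" per flagged rule
risky_rules() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }   # comments and blank lines
        /^[[:space:]]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            rule = $0
            spec = rule
            sub(/^[^=]*=[[:space:]]*/, "", spec)      # keep the text after "="
            sub(/^\([^)]*\)[[:space:]]*/, "", spec)   # drop a leading "(runas)"
            noexec = (spec ~ /(^|[[:space:],])NOEXEC:/)
            if (spec ~ /(^|[[:space:],])ALL([[:space:],]|$)/) {
                print "grants ALL: " rule
                next
            }
            if (!noexec && spec ~ /\/(vi|vim|less|more)([[:space:],]|$)/) {
                print "editor/pager without NOEXEC: " rule
            }
        }'
}

# Constructed sudoers fragment (not a real file); names are made up.
SAMPLE='# constructed fragment for the example
Defaults env_reset
Cmnd_Alias SERVICES = /usr/bin/systemctl restart nginx
root ALL = (ALL) ALL
carol ALL = SERVICES
bob ALL = /usr/bin/less /var/log/syslog
%ops ALL = (root) NOEXEC: /usr/bin/vim /etc/hosts
dave ALL = (root) /usr/bin/vi'

risky_rules "$SAMPLE"
```

Against the sample this prints three lines: the root rule (expected, but worth seeing), bob's less rule and dave's vi rule; the %ops rule passes because of NOEXEC. For editing a specific file the usual fix is sudoedit rather than an editor plus NOEXEC, since sudoedit never runs the editor with privileges at all.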
There is always suid bit, which does that in the system.
There are a lot of things that suid won't allow you to do, like editing crontabs, changing permissions on files (you must be the owner of the file to do that), etc.
In case other people had as much trouble as I did finding the package: www.cs.princeton.edu/~sapanb/vsys [Download Vsys] http://git.planet-lab.org/?p=vsys.git;a=summary [git repository] ...also, interestingly, Vsys is not written in C, but Ocaml, which is a solid type-safe programming language. This is reassuring from the security standpoint given that it is a recent package.
I already spend more effort than I like ripping out useless security features. Every project has a virtual machine, or several, and they are isolated from each other. I don't need outdated security features that just get in the way. As it is I'd be more interested in a Linux distro that came with all that crap removed. It's been years since I used groups on a production server, I never found ACLs useful, I usually disable firewalls, filesystem permissions are a hassle far more often than they are useful, etc. Heck, the only time a real person logs into most of my systems is when something goes wrong with permissions or some other protection feature and causes a problem.
Make sure the virtualization servers are up to providing proper security between instances and from the network and then scrap all that stuff in the guest OS.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.