PlanetLab Creates a More Advanced Sudo

angry tapir writes "Researchers at the PlanetLab global research network have developed a potential replacement for the widely used Unix sudo tool, called Vsys, that will offer administrators far greater control over what end users can and can't access. Vsys is similar to sudo, except it offers finer-grained access to system resources. PlanetLab created Vsys as a way to allow its researchers to access low-level network functionality so they could develop new network technologies — overlay networks, user-level file systems, virtual switches — while their experimental work remained safely isolated from other users."

So my one question

[JoshuaZ]

Will this mean they'll need to update the xkcd shirts?

Most admins ignore sudo's granularity

[profplump]

Most admins ignore sudo's existing granularity, so why would they want an even more granular system? I'm not saying this new system has no uses -- clearly it does or no one would have built it -- but it's ridiculous to claim that it's likely to replace sudo in common usage when 75+% of admins have never changed the the default sudoers file, let alone wanted more even more granular control.

Re:Most admins ignore sudo's granularity

[Roachie]

Yea, Im not a fan of this already. You can do this here but not there. You can do that but not this over here. I got enough to deal with with the 15 passwords in my long term memory( that are going to expire in 90 days ) already.

Stay out of my way and let me work.

Re:Most admins ignore sudo's granularity

[Frosty+Piss]

I don't know about most *nix systems admins, but I use root.

I'm not moron, I am neurotic about copious backups during work, I make the most of my development servers prior to pushing to the production servers, and am not generally susceptible to asking for problem solutions on-line and just assuming the rm -rf * is the solution to my problems (and it doesn't work with Windows...).

Seriously, do most admins really use sudo? I don't believe it.

Indeed there are a number of Linux distros that almost require it. I don'r use them.

Re:Most admins ignore sudo's granularity

[ChrisMaple]

If you've ever worked with someone who's productive but untrustworthy, you know that some people need to be precisely limited in their access. I know it's frustrating when I have to ask for permission just to do my job, but it's better than the guy who frequently crashes the servers to do so, or to have an unqualified person adding untested changes to a design.

Re:Most admins ignore sudo's granularity

[gman003]

I use sudo on the single-user desktop/server I keep at home. Sure, sudo is configured so that user gman can do anything he wants to do if he puts the word "sudo" in front of it. But 1) it builds good habits for when I eventually work on multi-admin servers, 2) it means that when I wake up with my head on the keyboard, still slightly hung over, and find my system is completely f&$%ed, I can check the logs to see exactly what I did, and exactly what I shouldn't do next time.

Re:I don't need more.

[retchdog]

uh, yeah, that's kind of the point... vsys (ideally) won't do "more". it's not intended for users who own/admin their system.

Re:sudo? why bother

[Anubis350]

When you have multiple admins on a system that can be a recipe for confusion, if nothing else sudo's logging is useful. Being able to restrict your users to be able to do *some* things as root is useful, and being able to allow them to do some things as another user, not necessarily root, is powerful sometimes - I had one project years ago I had to work around an old piece of library software with an utterly arcane user privilege setup. The simplest solution ended up being creating it its own user, where everyone who needed the software ran it as that user (transparently by opening it using a shell script I wrote). sudo is a very useful tool :-)

Hilarious

[timeOday]

Finer grained!

The heaping myriad of security tools and controls is already beyond what anybody can properly utilize, by a huge margin.

Executable configuration?

[Max+Romantschuk]

With Vsys, administrators can create scripts, called extensions, that can carefully detail which user actions are permissible. Extensions can be written in any programming language. The extensions are executable files.

I'm sure it's flexible, but wouldn't executable configuration be a potential source of programming errors, and thus an additional attack vector? If the extension is done correctly I assume all is well, but how do you make sure it is? Or are you better off using SELinux? (Which isn't user friendly either, but at least paranoid...)

Re:Executable configuration?

[phantomfive]

This solves a problem that probably exists nowhere outside PlanetLab: trying to segregate users who are trying to build experimental networks. Now, you might ask, why not just buy a different computer for each experimenter? And indeed that is what I would do, except, these experimenters are trying to experiment on clusters.

So they are trying to segregate the capabilities of various users over many nodes in a cluster, whom they rent time to in a shared system. So there you have it. If you are trying to rent time in a shared cluster to network researchers, this is the tool for you!!

Imitation of Solaris?

[guruevi]

Solaris (and other RBAC's) allow you to remove root and have very fine-grained controls over who does what and where even in virtual machines (containers). This problem has already been solved before many, many times so I doubt there is a need for yet another system. Even sudo itself allows for very fine grained controls.

Users vs Programs

[Software+Geek]

The problem with the Unix security model is that it is designed to protect users against other malicious users. It does this by allowing each user to trash his own space, but not anyone else's space. But in modern computing environments, there is usually only one user, and sometimes less, and the challenge is to protect the computer against malicious programs. So, letting every program trash the one user's space isn't really that useful.
Of course the Unix security model can be adapted to protect against malicious programs. But in practice it is so difficult that no one bothers to try.

It appears to me, after a brief scan of TFA, that vsys just provides finer granularity without addressing the fact that the security model is fundamentally broken.

We need a model that makes it natural and easy to run every program in its own sandbox.

Re:I don't need more.

[cowbud]

They should have called the command vudo.

Re:I don't need more.

[SigmundFloyd]

I've never seen the point of sudo. "su -c $blah" should be all anyone needs.

You are missing the whole point of sudo...

Sudo is for letting unprivileged users issue specific administration commands without knowing or entering the root password. Yes, it can also be used as a temporary `su`, but that's not what it's for.

I just hope this new tool comes with better documentation, because I always hated that unsightly sudoers(5) man page with a passion.

Re:I don't need more.

[SigmundFloyd]

I know what sudo does.

If you knew what sudo does, you wouldn't have written this:

"su -c $blah" should be all anyone needs.

Subject to race conditions -- lame

[plsuh]

Folks,

Does no one remember 2007? Bob Watson presented a paper on exploiting concurrency to break all kinds of things like systrace back then, complete with example code. Vsys is the same kind of thing -- it has processes executing in an outside space where you can have a race condition and force the parameters to change after the clearance check but before it actually does the work. See:

http://www.watson.org/~robert/2007woot/

--Paul

Re:Better replacement

[buchner.johannes]

Isn't PolicyKit meant to do the fine-control root access?