[BALUG-Talk] /etc/sudoers detail (was: Can we go over the security topic from a few meetings ago?)

Rick Moen rick@linuxmafia.com
Wed Jul 18 13:12:05 PDT 2018


Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):

> Sure, we can (also) go over that at today's BALUG meeting -
> presuming folk(s) are interested.
> I think I only made it about 1/3 or of the way through my security
> materials on that earlier - that was the meeting from about
> two months ago - 2017-05-15.
> 
> I do also have "slides" from that ... I should get those up fairly
> soon too.

I made the point, over dinner conversation, that many Linux
distributions[1] configure sudo in a way that IMO seriously weakens
overall system security.  Specifically, on such distributions, you are
able to type 

   sudo [action]

...and supply your _own_ password to run the requested command with
elevated privilege.  My point over dinner is that this results in a
situation where an attacker who steals your regular user credentials
gains free privilege-escalation to superuser abilities as well, without
needing to overcome any additional security obstacle.  This IMO greatly
weakens the traditional Unix security model, where stealing root (etc.) 
is a deliberately separate, much more difficult problem from stealing 
grunt user credentials.

Personally, I am lastingly wary of sudo, and prefer to have scant
reliance on it.  However, for people who _do_ rely on it, there's
something you can do that could help:

Step 1 of 2:  Set a root password.

    sudo passwd   #pick a strong & different password, and don't lose it

Step 2 of 2:  Alter sudo to require the _root_ password for privileged
actions, and not just the user's own password.

    visudo

You are now editing /etc/sudoers using a special editing mode.  Find the
section with various lines starting with keyword 'Defaults'.  At the end
of that section, add a new line:

    Defaults rootpw

Save and exit the editor.  You are done.


In very general terms, the main reason why I'm wary of sudo is that it's
Rube Goldberg-ish:  It introduces somewhat baroque complications to
system security, and doing so is always a Very Bad Thing unless it has
very strong compensating virtues that I seldom see in the case of sudo.


[1] Including one named for an African word meaning 'can't install Debian'.
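
A check for the two steps above, as an added example that is not part of the original message: it reads a sudoers file and a shadow-format file and reports whether a global `Defaults rootpw` is in effect and whether root has a usable password, since enabling `rootpw` while root's password is locked leaves sudo with nothing to authenticate against. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# rootpw_enabled FILE: print "yes" if a global "Defaults rootpw" is in effect.
# Later lines override earlier ones; "!rootpw" switches the flag off.
# Simplification: line continuations and quoted commas are not handled.
rootpw_enabled() {
    awk '
        /^[ \t]*#/ { next }                      # whole-line comment
        /^[ \t]*Defaults[ \t]/ {                 # skips Defaults:user, Defaults@host
            line = $0
            sub(/[ \t]*#.*$/, "", line)          # trailing comment
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            n = split(line, opts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (opts[i] == "rootpw")  state = "yes"
                if (opts[i] == "!rootpw") state = "no"
            }
        }
        END { print (state == "" ? "no" : state) }
    ' "$1"
}

# root_pw_state SHADOWFILE: "set", "locked", "empty" or "missing" for root.
root_pw_state() {
    awk -F: '$1 == "root" {
        if ($2 == "") s = "empty"
        else if ($2 ~ /^[!*]/) s = "locked"      # "!" or "*" means no usable password
        else s = "set"
    }
    END { print (s == "" ? "missing" : s) }' "$1"
}

# audit SUDOERS SHADOW: one-line verdict combining both steps.
audit() {
    rp=$(rootpw_enabled "$1"); st=$(root_pw_state "$2")
    case "$rp/$st" in
        yes/set) echo "ok: sudo prompts for the root password" ;;
        yes/*)   echo "check: rootpw is set but root password is $st" ;;
        *)       echo "rootpw-off: sudo is not configured to ask for the root password" ;;
    esac
}

# Constructed sample files: step 2 done, step 1 skipped.
d=$(mktemp -d)
printf 'Defaults env_reset\nDefaults rootpw\n' > "$d/sudoers"
printf 'root:!:17730:0:99999:7:::\n' > "$d/shadow"
audit "$d/sudoers" "$d/shadow"
rm -rf "$d"
```

Run the functions as root against `/etc/sudoers` (plus any files it includes) and `/etc/shadow`; `visudo -c` separately checks sudoers syntax.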


