14 April 2009 8 Comments
The commonly requested tool sudo is often maligned by younger administrators and venerated by older administrators.
But how much security does sudo actually provide? How useful is it really?
Running sudo gives you some benefits – so one hears:
- Using sudo records everything someone does as root.
- Using sudo prevents a user from running continually as root, preventing errors.
- Using sudo prevents a user from having to know the root password.
- Using sudo prevents a user from executing anything they are not permitted to.
The problem is that sudo does none of these things very well.
Sudo does indeed record everything one does as root. How does this increase our security? How does this prevent a hacker from compromising a system?
The answer is it doesn’t; recording what someone is doing through this method provides no security at all. A hacker will not use sudo; a regular admin who is using sudo can just use sudo ksh to get a shell that will do what they want. In this way, sudo is merely security through obscurity: if you don’t know how to bypass it, you’ll be recorded. Sudo is like a security camera, watching what you are doing.
Certainly, if you are using sudo, you are not continually running as root – and this is indeed a benefit – and perhaps the primary one. However, there are many things that must be done that cannot be done with sudo. Changing into a restricted directory is just one of them.
It is also true that a user using sudo does not have to know the root password; this also can be a benefit. However, ssh should already be in use and can serve this purpose even better: using an individual’s key, that individual can be granted rights to the root account without knowing the root password – and revoked at will.
The last item is the most dangerous: that using sudo, users can be completely limited in what they can do. The best example of how this can be abused is the attempt of some to prevent the running of a shell by a sudo user. No matter what the sudo file says, one can always do this:
$ cd /bin $ cp ksh ~/bugbear $ chmod 700 ~/bugbear $ sudo ~/bugbear
Instant root shell for anyone with sudo access, regardless of the restrictions in the sudo file. This can be done for any program, as long as the user can read the file it can be changed to a different name and run elsewhere – and if the file can’t be read it can’t be run.
So what are the answers? There are several that, when taken together, will do what sudo wants to do but better:
- Use SSH. Using ssh one can limit a user to a specific command, and prevent the user from knowing the root password.
- Use rksh. This may be too restrictive, but can permit users to execute only certain commands appointed by the administrator.
- Use a chroot jail (or better yet, a BSD jail). Again, this may be too restrictive for most, but will permit a user to only do what is allowed – on a much more restrictive basis than rksh.
- Use an auditing shell. Ksh93 provides this capability – though there may be a reason that this specific capability is not in the standard ksh supported on today’s system. Using an auditing shell, every command from every user, including system administrators, is logged and retained – possibly to another system on the network. Here is a good article on ksh93 auditing. I would posit, however, that if you can’t trust your system administrators then they shouldn’t be your system administrators: often auditing like this merely provides “a throat to choke.”
In particular, if you utilize the ssh public key encryption capabilities to their fullest with a logging ksh93 shell – and with a “captive” menu perhaps – you can provide the capabilities of sudo without the drawbacks. If you do use sudo, realize how serious its shortcomings are and be aware of them to increase your security elsewhere.