Gentoo Forums
How is sudo secure?
Cinder6
l33t

Joined: 05 Aug 2004
Posts: 767
Location: California

Posted: Sun Jul 31, 2005 2:30 am    Post subject: How is sudo secure?

Hi, I know all about not using root unless you have to, but I ask you, how is sudo any more secure? Say I have emerge set up via sudo, so I can emerge things as a regular user without always having to use su (which I do, in fact). If the purpose of not running as root is, in part, for security, doesn't sudo nullify some of it? If somebody were to hack my system, wouldn't they have sudo by their side allowing them to emerge -C my whole system? Or am I missing something here?
_________________
Knowledge is power.
Power corrupts.
Study hard.
Be evil.

Ugly Overload
YD
Guru

Joined: 30 Oct 2004
Posts: 466
Location: Riga, Latvia

Posted: Sun Jul 31, 2005 2:51 am

Code:
man sudoers

If you have correct settings it will be difficult to use sudo to break your system. Anyway, I use su for maintenance. If someone has shell access to your PC account, there's a 95% chance of being totally hacked.
Cinder6
l33t

Joined: 05 Aug 2004
Posts: 767
Location: California

Posted: Sun Jul 31, 2005 2:52 am

So basically, just make sure nobody gets shell access?
stormcrowley
Apprentice

Joined: 11 Mar 2004
Posts: 166
Location: Sacramento, California, United States, North America, Earth, Sol System, Milky Way Galaxy, Universe

Posted: Sun Jul 31, 2005 3:04 am

Cinder6 wrote:
So basically, just make sure nobody gets shell access?


Not necessarily. Just make sure none of them are in the wheel group, or are on the allowed list for sudoers.
_________________
redseal wrote:
You are a fundamentalist of blasphemy! Why do you do as the false prophets and spread an insidious message of tolerance and goodwill?
Cinder6
l33t

Joined: 05 Aug 2004
Posts: 767
Location: California

Posted: Sun Jul 31, 2005 3:16 am

Well, this system only has 1 user (aside from root), and it has wheel, so I am not sure how applicable that is.
allucid
Veteran

Joined: 02 Nov 2002
Posts: 1314
Location: atlanta

Posted: Sun Jul 31, 2005 4:10 am

You also shouldn't have anything important (such as emerge) configured with NOPASSWD in your sudoers file.
Cinder6
l33t

Joined: 05 Aug 2004
Posts: 767
Location: California

Posted: Sun Jul 31, 2005 4:20 am

that's a good idea...*gets rid of NOPASSWD*

hehe
stormcrowley
Apprentice

Joined: 11 Mar 2004
Posts: 166
Location: Sacramento, California, United States, North America, Earth, Sol System, Milky Way Galaxy, Universe

Posted: Sun Jul 31, 2005 4:34 am

Cinder6 wrote:
Well, this system only has 1 user (aside from root), and it has wheel, so I am not sure how applicable that is.


No worries then. However, if you get asked for a shell account, then...
/dev/random
l33t

Joined: 26 Nov 2004
Posts: 704
Location: Austin, Texas, USA

Posted: Sun Jul 31, 2005 4:37 am

Cinder6 wrote:
that's a good idea...*gets rid of NOPASSWD*

hehe

Then what's the point of sudo? Why not just use su?
Cinder6
l33t

Joined: 05 Aug 2004
Posts: 767
Location: California

Posted: Sun Jul 31, 2005 5:00 am

/dev/random wrote:
Cinder6 wrote:
that's a good idea...*gets rid of NOPASSWD*

hehe

Then what's the point of sudo? Why not just use su?


You're right, too, hehe.
allucid
Veteran

Joined: 02 Nov 2002
Posts: 1314
Location: atlanta

Posted: Sun Jul 31, 2005 5:07 am

/dev/random wrote:
Cinder6 wrote:
that's a good idea...*gets rid of NOPASSWD*

hehe

Then what's the point of sudo? Why not just use su?

Sudo has many uses. For example on a shared workstation you would want to set up sudo with NOPASSWD for users so they can reboot. It can give privileges to those not in the wheel group, etc.

You can set emerge to NOPASSWD if you want. It's up to you to decide what exactly needs to be locked down on your system.

[edit] added the privileges part...but YD said it anyways so it's moot.


Last edited by allucid on Sun Jul 31, 2005 5:10 am; edited 3 times in total
YD
Guru

Joined: 30 Oct 2004
Posts: 466
Location: Riga, Latvia

Posted: Sun Jul 31, 2005 5:08 am

There are some situations when you want to provide superuser ability to a simple user. You can easily configure sudo to allow such actions. su is a different-purpose utility (:
asimon
l33t

Joined: 27 Jun 2002
Posts: 979
Location: Germany, Old Europe

Posted: Sun Jul 31, 2005 10:49 am

Cinder6 wrote:
Then what's the point of sudo? Why not just use su?

sudo allows you to easily give people the rights to do exactly the administrative tasks they need to do. And this without having to change passwords, groups, etc. every time someone changes role or leaves the company. In some environments you never ever want to give people root passwords or give "can do anything" rights. Sudo is very convenient there.

It's not less secure than su. The user account is the weak link in the chain in both cases, su and sudo. If an administrative account (no matter if it uses su or sudo) is compromised then an attacker can generally gain root access through an indirect attack.

Sudo has the advantage of encouraging the habit of using sudo for the execution of single commands instead of working in a privileged shell. This is a good thing.

Oh and the common assumption that a root password will be harder to steal than a user's password is wrong. A root password is not automatically more secure than a user password and people who give away user passwords after social attacks will likely give away the root password too.

I fail to see from the people who say sudo is bad how having a root account for interactive work is a good thing or how this is more secure. Especially in big enterprise environments.

The following thread has some interesting posts about sudo: Sudo=Bad Security!, especially #22.
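
The NOPASSWD distinction drawn in the posts above (password-less reboot on a shared workstation, but not emerge), as an added example that is not from any poster: a small Python audit over a constructed sudoers sample. The user names, paths and the BROAD set are assumptions, and the parser handles only simple one-line rules.

```python
import re

# Constructed sudoers sample (user names and paths are illustrative).
SAMPLE = """\
Cmnd_Alias REBOOT = /sbin/reboot, /sbin/shutdown -r now
%users ALL = NOPASSWD: REBOOT
alice  ALL = NOPASSWD: /usr/bin/emerge
%wheel ALL = (ALL) ALL
bob    ALL = NOPASSWD: /sbin/reboot, /usr/bin/emerge --sync
carol  ALL = NOPASSWD: /sbin/reboot, PASSWD: /usr/bin/emerge
"""

# Assumption: commands this audit treats as too broad to run without a password.
BROAD = {"ALL", "/usr/bin/emerge", "/bin/su", "/bin/sh", "/bin/bash"}

def parse_aliases(text):
    """Collect 'Cmnd_Alias NAME = cmd, cmd' definitions."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    return aliases

def audit(text, broad=BROAD):
    """Return (who, command) pairs that are password-less and in `broad`.

    Simplified: no line continuations, includes, escaped commas or other tags.
    """
    aliases = parse_aliases(text)
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line or re.match(r"(Defaults|\w+_Alias)\b", line):
            continue
        who_host, spec = line.split("=", 1)
        who = who_host.split()[0]
        nopasswd = False  # default: sudo asks for the invoking user's password
        for item in spec.split(","):
            item = re.sub(r"^\s*\([^)]*\)", "", item).strip()  # drop (runas)
            m = re.match(r"(NOPASSWD|PASSWD)\s*:\s*", item)
            if m:  # a tag stays in force for later commands in the rule
                nopasswd = m.group(1) == "NOPASSWD"
                item = item[m.end():]
            for cmd in aliases.get(item, [item]):
                if nopasswd and cmd and cmd.split()[0] in broad:
                    findings.append((who, cmd))
    return findings
```

`audit(SAMPLE)` flags `bob` as well as `alice`, because a `NOPASSWD:` tag carries over to later commands in the same rule until a `PASSWD:` tag reverses it, as in the `carol` rule. On a live system, `sudo -l` shows the rules sudo actually applies to the current user.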
nixnut
Bodhisattva

Joined: 09 Apr 2004
Posts: 10974
Location: the dutch mountains

Posted: Sun Jul 31, 2005 12:10 pm

Moved from Gentoo Chat to Duplicate Threads
dupe of https://forums.gentoo.org/viewtopic-t-314119.html
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered

talk is cheap. supply exceeds demand
All times are GMT