Misuse of sudo(8) and sudoers(5)
Posted 10-07-2016 at 06:46 AM by Turbocapitalist
The utility sudo(8) runs programs as another user. Frequently, that other user is root, but it does not have to be, the utility can also be used to downgrade privileges. Often it is mis-used to provide full root access to a group of users in place of su(1). However, sudo(8) was developed to give selective access to machines, following the principle of least privilege. It can achieve a very fine granularity of access, even allowing just specific programs or specific options for specific programs. It is a good alternative to handing out the root password, gives users some control, and can help beginning system administrators get started.
In general, it limits the window of opportunity for abuse and can also be set to time out after minutes or immediately. It is highly configurable in regards to programs, hosts, groups, times, and so on. It is important to note that the approach here can only be to add privileges. That is to say, make a white list of approved capabilities. With that in mind, trying to subtract privileges instead will not work, ever, and is trivial to circumvent.
With the right configuration it can make selected programs available, either by per host, or per group and even limit to only selected options. It provides verbose logging of activities and an audit trail of who did what and when. This is especially important for shared accounts like root, but even for other accounts such as one for a central databases.
What accounts can or can't do using sudo(1) is all in how the configuration file, sudoers(5), is set up. That file contains a list of which users and groups may do what, down to environment variables and command parameters. Here, for example, anyone in the group sysadmin can schedule a shutdown or reboot of the machine:
With nothing after the program path and name in the configuration file, the utility shutdown(8) can run as the superuser and can be launched with any of its options, including any message. However, the utility updatedb(8) can only be run without parameters because of the empty quotes.
Here are some lines from the configuration file which allow anyone in the group webmaster to start, stop, or reload the web server:
Note that nothing there in the configuration is set to allow editing of files using sudo(8). That should instead be managed by using the right group permissions. And between the two, permissions and sudoers(5), there is enough to allow operation of a web service without giving away the shop.
Here is an example using the simple patterns available where accounts in the group admin can install or remove packages found in the official repositories, or generally use or abuse the package manager:
The list consists of two types of entries: aliases and rules. For what it's worth, the rules are written in a grammar known as Extended Backus-Naur (ENBF) e.g. symbol ::= definition | alternate1 | alternate2 . The configuration file, sudoers(5), has its own manual page so be sure to look there first.
For what it's worth, the sudoers(5) file should be edited only with visudo(8). It checks the syntax of the file before saving it so as to reduce the likelihood of getting locked out. And speaking of editing, the alias sudoedit should be used if granting the ability to edit a file is needed. It makes a copy of the target file, then launches the editor of choice as the regular user, and once the editing is complete copies the changed file over the original. That prevents shell escapes among other problems. So, rather than allowing use of vi(1) or nano(1), use sudoedit instead and let that call vi(1) or nano(1) for editing. However, rather than reaching for sudoedit first, group permissions should be used to allow file access whenever possible.
Graphical programs should not be launched carelessly as root with sudo(8) because some environment variables will still point to your home directory and any files created there in the user's home directory will be created with root ownership. That can mean, in some cases, that the normal account can then no longer use those same programs. The way around that problem is to launch sudo(8)with the -H option to force using root's own home directory.
But as a rule of thumb, if it is a graphical program, it should not be run as root. There is always a safer way. For example, using bash(1) the utility wireshark(1) can capture the output from tcpdump(8) using process substitution so it does not have to run as root.
Though in many cases with wireshark(1) it might be better to read a file of captured packets made by using tcpdump(8) first.
As of the time of this writing, there is at least one very good book on sudo(8), Sudo Mastery: Access Control for Real People by Michael W. Lucas. So for in depth coverage, look there. The project web site for sudo(8) itself is at http://www.sudo.ws/
In general, it limits the window of opportunity for abuse and can also be set to time out after minutes or immediately. It is highly configurable in regards to programs, hosts, groups, times, and so on. It is important to note that the approach here can only be to add privileges. That is to say, make a white list of approved capabilities. With that in mind, trying to subtract privileges instead will not work, ever, and is trivial to circumvent.
With the right configuration it can make selected programs available, either by per host, or per group and even limit to only selected options. It provides verbose logging of activities and an audit trail of who did what and when. This is especially important for shared accounts like root, but even for other accounts such as one for a central databases.
What accounts can or can't do using sudo(1) is all in how the configuration file, sudoers(5), is set up. That file contains a list of which users and groups may do what, down to environment variables and command parameters. Here, for example, anyone in the group sysadmin can schedule a shutdown or reboot of the machine:
Code:
%sysadmin ALL=(root:root) /sbin/shutdown, \
/usr/bin/updatedb ""
Here are some lines from the configuration file which allow anyone in the group webmaster to start, stop, or reload the web server:
Code:
%webmaster ALL=(root:root) /usr/sbin/service apache2 start, \
/usr/sbin/service apache2 stop, \
/usr/sbin/service apache2 reload
Here is an example using the simple patterns available where accounts in the group admin can install or remove packages found in the official repositories, or generally use or abuse the package manager:
Code:
%admin ALL=(root:root) /usr/bin/apt-get update, \
/usr/bin/apt-get install [A-Za-z0-9][A-Za-z0-9-]*, \
/usr/bin/apt-get remove [A-Za-z0-9][A-Za-z0-9-]*, \
/usr/bin/apt-get autoremove
For what it's worth, the sudoers(5) file should be edited only with visudo(8). It checks the syntax of the file before saving it so as to reduce the likelihood of getting locked out. And speaking of editing, the alias sudoedit should be used if granting the ability to edit a file is needed. It makes a copy of the target file, then launches the editor of choice as the regular user, and once the editing is complete copies the changed file over the original. That prevents shell escapes among other problems. So, rather than allowing use of vi(1) or nano(1), use sudoedit instead and let that call vi(1) or nano(1) for editing. However, rather than reaching for sudoedit first, group permissions should be used to allow file access whenever possible.
Graphical programs should not be launched carelessly as root with sudo(8) because some environment variables will still point to your home directory and any files created there in the user's home directory will be created with root ownership. That can mean, in some cases, that the normal account can then no longer use those same programs. The way around that problem is to launch sudo(8)with the -H option to force using root's own home directory.
Code:
$ sudo -H /usr/sbin/gparted
Code:
$ wireshark -k -i <( sudo tcpdump -lqi eth0 -w - "not port 22" )
As of the time of this writing, there is at least one very good book on sudo(8), Sudo Mastery: Access Control for Real People by Michael W. Lucas. So for in depth coverage, look there. The project web site for sudo(8) itself is at http://www.sudo.ws/
Total Comments 6
Comments
-
I don't have much to say other than this was a nicely written piece on something many of us use, and likely not very effectively at that.Posted 10-07-2016 at 07:44 AM by goumba 
-
Excellent.
Aside: One of my pet peeves is the creepy sudo fetish of the *buntus, which seems to have persuaded many that using su or (gasp!) logging in as root so as to do administrative tasks are somehow inherently insecure. But I'm just a grumpy old man.Posted 10-07-2016 at 02:48 PM by frankbell
-
Excellent blogpost. Well done!
I echo frankbell's grumpyness on this topic. Misuse of 'sudo' is rife and I mostly blame Canonical/Ubuntu for setting people a bad example.Posted 10-07-2016 at 03:57 PM by GazL
-
Thanks for the comments!
It took me longer to write than I'd care to admit. When to allow or disallow su(1) isn't in there because I ignored it on purpose because the Lucas book covers that pretty well. And I left out speculation on the directions some of the distros risk heading if sudo(8) becomes perceived as just a longer way of writing su(1), but that is what I want to head off.
I agree, mostly, about the *buntus (and Linux Mints and whatevers), and it is actually their defaults that finally motivated me to write the post. It is a big enough topic that it'd be worth it's own post, though I don't think I can cover enough use-cases myself.
About remote root logins, allow me to disagree at least partially. I'd rather not have to worry about the validity of remote root logins especially if there are any roadwarriors to deal with. So let all direct attempts on root be invalid, but have the intermediate step of a relatively unprivileged user login to allow quick identification for accountability. When something is changed as root, there are usually is usually important information that needs to be communicated. In cases where full root access it accepted, it is essential to know who logged in as root and why. Also as one scales up in speed, quantity, or pressure, it becomes increasingly important to limit the possibility for chaos.
Back to sudo(8), to illustrate what is appropriate for the default user, the following is for discussion.
Or whatever is the graphical equivalent for "apt-get". I'll have to look into that.Code:%sudo ALL=(root:root) /usr/sbin/visudo "", /usr/bin/apt-getPosted 10-08-2016 at 01:23 AM by Turbocapitalist
-
I guess the closest would be synaptic(8).Quote:Or whatever is the graphical equivalent for "apt-get". I'll have to look into that.
Posted 10-08-2016 at 06:51 AM by goumba
-
For those who prefer talks given at meetings there is also an interesting video of Michael W. Lucas:
http://blather.michaelwlucas.com/archives/2266Posted 10-19-2016 at 11:45 AM by JZL240I-U
