LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-25-2008, 11:18 AM   #1
soudam
LQ Newbie
 
Registered: Apr 2008
Posts: 2

Rep: Reputation: 0
Bolstering Linux Security Further --My Opinion


Hello everybody,
I am currently working on Linux security, and below is my suggestion for enhancing it further.
Please go through it and give me feedback, as I am going to mail it to lkml.org soon.

Current basic Linux (kernel 2.6.25) security mainly lies on the (age old) root password
and the permissions associated with files/folders. These are OK till now, but with the increasing popularity of Linux and the rootkit attack reports we have to re-think
the basic security scheme provided by Linux.

Now, I have something to say about it and consequently have suggestions.

Flaws (well, not actually flaws, but what should I say instead?) in the security:-
1> The root password is the only thing between a cracker and a Linux system. If a
cracker somehow gets this password, he can do anything to the system. At that time,
there would be no difference between Linux and a popular closed source obscure OS
(we hate!!).

2> The "sudo" command is the weakest security point in Linux. If an insane user or a
cracker somehow manages to get into the sudoers list, they just have to supply
their own login password and the door is open to them. That really sucks.
The administrator can disable it, but that's not a solution.

SELinux is impressive, but it does not provide a reasonable solution to the above said
problems.

My Suggestions:-
So, to secure Linux further we have to modify the following things:-

1> There should not be any "sudo" command (this requires only one password to get full
access to the system!!!). I know that root has to grant it to some users. But it's
not reliable.

2> Disable the "su -" or "su -root" command for users other than root. That is, the value
of $USER has to be "root", and that's possible only when one logs in (purely) as root.
That means we don't want any sympathetic or pseudo root user.

3> There should be another password for root (and only root) to get full access to
the system. Let us call it the "System Password"; it should be supplied to the
system manually, like su, when prompted. Well, we do have faith in the
administrator (root), but we don't want anyone who somehow cracked the root password
to have full control of the system.

Now what about this new "System Password"? This password and full system access should
be granted to root only. So basically the root user has to remember two passwords -
1> the root password, i.e. the login password for the root user
and
2> the system password.

Using the first password a root user can log in and do some basic system work
which is comparatively not so critical in terms of security. And to do
some real thing in the system (e.g. system upgrading, rebooting etc.) root is
required to get authenticated by means of the system password.

To implement this there should be another bit in the file/folder permissions. This bit
is turned on when the associated file/folder is critical to the system. To turn the
bit on/off, or to manipulate this file/folder, root has to satisfy the system by using the
system password.

Root can grant other users "partial" access to the system, but the users can not
have access to the full system and will not be prompted for the system password. I mean to
say that authorized users can log in as pseudo root using the "su" command, but they can't
use the "su -" (or "su -root") command.

Now if a virus (or malware) gets into the system (accidentally) at the time when root
has logged on, to infect the critical area of the system the virus has to have the
system password and has to give that "manually", which is obviously not possible. And
an insane cracker might have got the root password, but still he has got to have the
system password.

The system password -
1> must be at least 10 characters long, which is too difficult to guess or even decrypt
2> must not be the same as the root login password
3> must be alphanumeric
4> and should be case sensitive.

Pros of this security scheme -
1> A common user can not get full access to the system.
2> There may be virus or other malware intrusions in the system while root has logged
on, but they can't do harm because they have yet to get full access to the system.
3> The root user can comfortably surf the web, run ssh (of course it requires the system password
again to run the system services) etc. without having to worry about intrusion or
infection.

Cons of this scheme -
1> To some desktop users it would be annoying.
2> System administrators can not automate tasks which are critical to security. And
yes, they might have to have some memory power to remember two passwords.

Although there are some cons, we should not compromise on security, for security is one
of the main features of Linux to boast of (and to love it like me).

So what do you think?
 
Old 04-25-2008, 02:08 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
So what do you think?
You really want to know? Generally, not much.

OK, 'brute force' attacks on passwords can be an issue, but then the thing seems to be to detect and disable them before (statistically) they can do any harm.

This isn't often done, but is quite possible without changing the basic system.

(I'd like to disable remote logins as root, too. But maybe I'm paranoid. But maybe that's a good thing.)

Quote:
"sudo" command is the weakest security point in Linux.
I think that's just plain wrong. I think, historically, flawed applications that allow privilege escalation are the weakest point.

IANASE, but I don't know of any sudo exploits apart from 'stupidity in misconfiguring and handing out passwords'.

Quote:
Disable "su -" or "su -root" command for users other than root. That is, the value
of $USER has to be "root" and thats possible only when one login(purely) as root.
That means we don't want any sympathetic or pseudo root user.
While there might be some mileage in disabling 'sudo', I don't understand this 'you can only become root if you are already root' idea.

Firstly, if I have understood you correctly, it has an obvious logical flaw.

Secondly, seeing who (which users try to / succeed in su-ing to root) has a security value. I would say, NEVER allow anyone to log in as root, ALWAYS force them to log in as a user and 'su' to root, for security reasons.

- it can give you a list of who tries to su to root
- you need two passwords (rather than one) to become root

Quote:
the virus has to have the
system password and has to give that "manually" which is obviously not possible
Well, assuming the virus (it probably isn't a virus, but we'll let that distinction pass) has a password guessing kind of function, the 'has to have the system password' part falls away (assuming it can make enough guesses, and you don't want to be unlucky, even if it has a restricted number of guesses).

The piece of malware won't give the password manually, obviously, but I'm not sure what makes you think that this is an absolute requirement.
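The two practical points salasi makes above, detecting password guessing before it statistically succeeds and keeping a list of who tries to su to root, can both be read straight out of the authentication log. The following is an added example, not code from salasi or from any project in this thread. It runs over a constructed excerpt in the shape that shadow-utils su writes to syslog ("FAILED SU (to root) ..." / "Successful su for root by ..."); the host name, users, PIDs and timestamps are made up, and the threshold and window are assumptions a site would tune.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, not real data. Lines mimic what shadow-utils su and
# pam_unix send to syslog; the final sshd line is noise the parser must ignore.
SAMPLE_AUTH_LOG = """\
Apr 25 11:18:02 box su[1201]: FAILED SU (to root) alice on pts/0
Apr 25 11:18:05 box su[1201]: FAILED SU (to root) alice on pts/0
Apr 25 11:18:07 box su[1201]: FAILED SU (to root) alice on pts/0
Apr 25 11:18:09 box su[1201]: FAILED SU (to root) alice on pts/0
Apr 25 11:18:11 box su[1201]: FAILED SU (to root) alice on pts/0
Apr 25 11:19:01 box su[1240]: Successful su for root by bob
Apr 25 11:19:01 box su[1240]: pam_unix(su:session): session opened for user root by bob(uid=1001)
Apr 25 11:25:30 box su[1302]: FAILED SU (to root) carol on pts/2
Apr 25 11:40:00 box su[1410]: Successful su for root by carol
Apr 25 11:41:15 box sshd[1500]: Accepted publickey for bob from 192.0.2.10 port 51234 ssh2
"""

SYSLOG_TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(SYSLOG_TS + r" \S+ su\[\d+\]: FAILED SU \(to (\S+)\) (\S+) on (\S+)")
SUCCESS_RE = re.compile(SYSLOG_TS + r" \S+ su\[\d+\]: Successful su for (\S+) by (\S+)")


def parse_su_events(log_text):
    """Return (timestamp, outcome, target_user, source_user) for every su line.

    Anything that is not a su success/failure record is skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((m.group(1), "failed", m.group(2), m.group(3)))
            continue
        m = SUCCESS_RE.match(line)
        if m:
            events.append((m.group(1), "success", m.group(2), m.group(3)))
    return events


def su_to_root_report(events):
    """The audit list: how often each user tried to su to root, and how often it worked."""
    attempts, successes = Counter(), Counter()
    for _, outcome, target, user in events:
        if target != "root":
            continue
        attempts[user] += 1
        if outcome == "success":
            successes[user] += 1
    return attempts, successes


def flag_brute_force(events, threshold=5, window_seconds=60):
    """Users with at least `threshold` failed su-to-root attempts inside any sliding window.

    Only failures count, so a user who mistypes once and then succeeds is not flagged.
    Syslog timestamps carry no year; strptime defaults to 1900, which is fine for
    differences within one capture. Threshold and window are assumed tuning values.
    """
    failures = defaultdict(list)
    for ts, outcome, target, user in events:
        if target == "root" and outcome == "failed":
            failures[user].append(datetime.strptime(ts, "%b %d %H:%M:%S"))
    flagged = []
    for user, times in sorted(failures.items()):
        times.sort()
        # Check every run of `threshold` consecutive failures for fitting in the window.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    evts = parse_su_events(SAMPLE_AUTH_LOG)
    attempts, successes = su_to_root_report(evts)
    for user in sorted(attempts):
        print(f"{user}: {attempts[user]} attempt(s), {successes[user]} successful")
    print("possible brute force:", flag_brute_force(evts))
```

The report side answers "who tries to su to root" as salasi describes; the sliding window is what lets a monitor react before a guesser has had enough tries, and it is the piece that a tool such as fail2ban automates in practice.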
 
Old 04-25-2008, 07:28 PM   #3
beadyallen
Member
 
Registered: Mar 2008
Location: UK
Distribution: Fedora, Gentoo
Posts: 209

Rep: Reputation: 36
As salasi has said, your logic is flawed. For instance:
Quote:
If an insane user or a
cracker somehow manage to get into the sudoers list they just have to supply their own login password and the door is open to them.
But to get into the sudoers file, they have to be root already (be it via a guessed password, vulnerable network daemon or whatever). If you can put yourself into the sudoers file, you already own the system.

Quote:
Root can grant other users to have access to system "partially" but the users can not have access to full system and will not be prompted for system password. I mean to say that authorized users can login as pseudo root using "su" command but they cant use "su -"(or "su -root") command.
I just don't understand this bit. Isn't this what the sudoers file does? Allow certain users to run certain programs as root (specified in the config)?

Quote:
Now if a virus(or malware) get in(accidentally) the system at the time when root has logged on, to infect the critical area of the system the virus has to have the system password and has to give that "manually" which is obviously not possible. And an insane cracker might have got the root password but still he has got to have the system password.
This just sounds like 'never run (fill in name of program here) as root unless you have to'. Unlike on Windows, system compromises don't occur because the user was browsing the web as root/Administrator (well, I suppose they do, but it's not a flaw in the unix security model, it's a flaw in the user). They occur due to bugs in services running as root. There's no user interaction. The point is that (in a properly configured system) these services HAVE to be running as root to function properly (they need to listen on privileged ports, read/write to devices etc). These services/programs can't input a password at the console, so in your model they wouldn't be able to do their job.

If I were you, I'd think a little more about what you're proposing, and you'll see why it's flawed.
 
Old 04-26-2008, 01:37 AM   #4
soudam
LQ Newbie
 
Registered: Apr 2008
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks beadyallen and salasi for giving such powerful feedback.
Yes, I can see flaws in my proposal right now. But could you help me by giving some
suggestions to improve this scheme? I really want this scheme to be an inseparable
part of the Linux kernel, as some Linux distros don't turn on SELinux by default for the ease
of novice desktop users. But this might lead to some serious vulnerabilities
in Linux.
Please give some solid suggestions.
Thanks in advance
 
Old 04-26-2008, 06:17 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Offering viruses and rootkits as an argument shows you should investigate better what Real Life risks threaten a GNU/Linux system in practice. What we combat are remote and local vulnerabilities in the kernel and userland software, badly configured or misconfigured access restrictions, services or whole systems, and lagging updates. Why your proposal is not going to protect GNU/Linux against all of that has already been mentioned. Complacency might be, but viruses certainly are not our concern; they are in the domain of the Other OS. And have you tried running the ten most used rootkits of the past millennium on your recent 2.6.25 kernel? About restricting root access, and next to what SELinux provides, right now it is possible, without requiring anything LSM-related, to take away some or all root rights using "Linux capabilities". For instance, take away the right capability and not even root will be able to reboot the machine; only physical access to power-cycle it will work.

With all due respect, your posts are riddled with assumptions, a lack of understanding of security in practice, a lack of information or misinformation, and questionable motives. Vulnerabilities do not occur because of some distributions not turning on SELinux. Vulnerabilities either exist or they do not. SELinux provides additional restrictions on top of Discretionary Access Rights, and it can protect the system from some vulnerabilities being exploited. Your idea of a separate "system password" somehow reminds me of roles like SELinux uses, and the separation of roles reminds me of MLS systems, where you could have separate accounts for auditing, maintenance operations and such. Maybe research LSM uses like SELinux and GRSecurity a bit first? Unless reinventing wheels is your thing, of course...

Maybe you don't have time to do research; after all, you are only "currently working on Linux security" and maybe you "really want this scheme to be an inseparable part of the Linux kernel" regardless of what it offers, but I do not think your proposal can be helped with any suggestions to "make it work". I think you want to go back to the drawing board, read, experiment and, as a result of that, come to understand why what you propose will not enhance Linux security. I'm confident that if you can provide insights that truly enhance security your fellow LQ members are willing to discuss things, but in the meantime, please, do some research first.
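unSpawn's point about Linux capabilities is the existing mechanism that does what the OP's "system password" was reaching for: root's power is not one bit but a bitmask, and a capability dropped from the bounding set (for example CAP_SYS_BOOT, the one that gates reboot) is gone for that process and everything it spawns, password or no password. The following is an added example, not unSpawn's code or any project's, that decodes the Cap* masks a process exposes in /proc/<pid>/status and models a bounding-set drop on the mask. The status excerpt is constructed (a root shell on a kernel with 38 capabilities, with CAP_SYS_BOOT already removed); the capability numbering is the kernel's, the helper names are this example's own.

```python
import re

# Capability numbers as assigned by the Linux kernel (linux/capability.h).
# Bit N of a Cap* mask corresponds to CAP_NAMES[N].
CAP_NAMES = (
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
)
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Constructed excerpt of /proc/<pid>/status (not captured from a real machine):
# a uid-0 shell whose permitted/effective/bounding sets hold bits 0..37 except
# bit 22 (CAP_SYS_BOOT), i.e. root that can do everything but reboot.
SAMPLE_STATUS = """\
Name:\tbash
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffbfffff
CapEff:\t0000003fffbfffff
CapBnd:\t0000003fffbfffff
CapAmb:\t0000000000000000
"""

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", re.MULTILINE)


def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from a /proc/<pid>/status text."""
    return {name: int(hexmask, 16) for name, hexmask in CAP_LINE.findall(status_text)}


def decode_caps(mask):
    """List the capability names whose bit is set in `mask`, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            # Bits beyond the table belong to a newer kernel than this list knows.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def has_cap(mask, name):
    """True if capability `name` is present in `mask`."""
    return bool(mask >> CAP_BIT[name] & 1)


def drop_cap(mask, name):
    """Model a bounding-set drop: the returned mask lacks `name`.

    On a real system this is what prctl(PR_CAPBSET_DROP) or capsh --drop does,
    and it cannot be undone by the process or its children.
    """
    return mask & ~(1 << CAP_BIT[name])


def missing_from_root(mask):
    """Capabilities a full-root process would have that `mask` lacks (first 38 bits)."""
    full = (1 << 38) - 1
    return decode_caps(full & ~mask)


if __name__ == "__main__":
    masks = parse_cap_masks(SAMPLE_STATUS)
    print("bounding set lacks:", missing_from_root(masks["CapBnd"]))
    print("can reboot:", has_cap(masks["CapEff"], "CAP_SYS_BOOT"))
    # On Linux the same decoder works on the live process:
    try:
        with open("/proc/self/status") as f:
            own = parse_cap_masks(f.read())
        print("this process CapBnd:", decode_caps(own["CapBnd"]))
    except (OSError, KeyError):
        print("no /proc/self/status here; showed the constructed sample only")
```

Reading the mask is the check a defender runs to confirm a hardening actually took: after starting a service under `capsh --drop=cap_sys_boot`, or under a systemd unit with a restricted CapabilityBoundingSet, CapBnd for that process should decode without CAP_SYS_BOOT, exactly as in the constructed sample. This is also what makes unSpawn's remark about physical power-cycling literal: no credential presented to the running system restores a dropped bounding-set bit.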
 
Old 04-28-2008, 06:14 AM   #6
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
Moved: This thread is more suitable in Linux - Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 04-28-2008, 10:36 AM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by soudam
Current basic Linux (kernel 2.6.25) security mainly lies on the (age old) root password
and the permissions associated with files/folders.
Not at all, really. We take a layered approach to security.

If the only thing between Joe Cracker and pwnership of your Linux box is a password, then I'd suggest hitting the books again. Nice that you are beginning to think about security, though.
 