LinuxQuestions.org

smeezekitty 10-08-2009 09:28 PM

how come sudo doesn't make it so anybody can become root?

if you type sudo bash even a regular user becomes root
it's not a problem because i don't use the multiuser system
but doesn't this defeat the privilege system?

FragInHell 10-08-2009 10:50 PM

Hi. Sudo isn't really about becoming root, since once a user uses sudo su - or sudo bash they can do whatever they like, and from a system auditing point of view it becomes hard to track down what that user does.
Sudo is designed to give normal users elevated permissions. Example: let's say we have a helpdesk, and they need to be able to start and stop apache. Under normal conditions they cannot, but we can grant them permission just to run the commands they need to do this task. That way apache is still run as root, but the commands are locked down to only those specified by the admin. Good news for the admin as well: now he doesn't get called every time, since the helpdesk can now do it.
You can create groups of systems, users and commands to give better control.
There's more to it of course, but that's the basics.

David the H. 10-08-2009 11:33 PM

On most distributions regular users aren't given the flexibility to run whatever they want. sudo is only there so that the administrator can give them the ability to run specific commands under specific conditions, and only after being explicitly configured to allow it. You can't use sudo to run things like bash unless the administrator lets you.

However the developers of Ubuntu and its relatives have decided to use sudo in a different way. It's their belief that users switching to a root console and then leaving it open for protracted periods of time is a bigger overall security risk than simply giving them the ability to administer the entire system with sudo as needed. The fact that you can use it to switch into root isn't the issue for them; they just think it's better to not need to do it.

It's basically a risk trade-off, with different people having different views on what's most important security-wise.

smeezekitty 10-09-2009 12:01 AM

i am not concerned on security and that's part of the reason i don't like Ubuntu
i just thought sudo was a security hole

anomie 10-09-2009 12:04 AM

I'm an Ubuntu novice, but IIRC after a 9.04 installation, only the account that I created at install time was a full sudoer. I added accounts post-installation, and they were not automatically made sudoers.

The implication to me is that they (Ubuntu team) expect that the initial account will be acting as admin as well.

Wim Sturkenboom 10-09-2009 12:14 AM

Quote:

Originally Posted by smeezekitty (Post 3713054)
i am not concerned on security and that's part of the reason i don't like Ubuntu
i just thought sudo was a security hole

So you are the actual security hole

avijitp 10-09-2009 12:20 AM

You can always set sudo to behave the way you want it to. You need to configure it.

smeezekitty 10-09-2009 05:49 PM

configurable? neat

David the H. 10-09-2009 10:12 PM

Configurable?

That's what we've been saying from the beginning. Sudo is simply a way for the root user to give other users permission to run certain commands with elevated permissions, so it certainly is configurable. Highly configurable. In Ubuntu they've simply configured it by default to give the first user complete access to the system (as well as simultaneously disabling the root password), but there's no reason you can't reconfigure it to include or exclude whatever commands and users you want, or even whether they need to use passwords or not.

It's all up to what you put in the /etc/sudoers file. Check out the man pages for sudo, sudoers, visudo, and the copious information on the net about it.
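
An added example, not part of any post in this thread: a small audit of a sudoers fragment that separates the locked-down helpdesk rule described above from rules that amount to full root (`ALL`, or a shell such as `sudo bash`). The user and group names and the command paths in the sample are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample sudoers fragment; every name and path is an assumption.
SAMPLE='# first-user rule in the Ubuntu style, then per-task rules
Defaults env_reset
alice     ALL=(ALL) ALL
%helpdesk ALL=(root) /usr/sbin/apachectl start, /usr/sbin/apachectl stop
bob       ALL=(root) NOPASSWD: /bin/bash
carol     ALL=(root) /usr/bin/su -
dave      ALL=(root) /usr/bin/systemctl restart apache2, \
          /bin/sh
'

# audit_sudoers: read sudoers text on stdin and print "who: reason" for each
# rule that grants every command or a shell. Heuristic only: it does not
# expand aliases or #include files, and it does not cover other programs
# that can start a shell.
audit_sudoers() {
    awk '
    { sub(/[ \t]+$/, "") }                           # strip trailing blanks
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }     # join continued lines
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }  # comments, blank lines
    line ~ /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
    {
        who = line; sub(/^[ \t]+/, "", who); sub(/[ \t].*/, "", who)
        cmds = line
        sub(/^[^=]*=/, "", cmds)       # drop "who host ="
        gsub(/\([^)]*\)/, "", cmds)    # drop (runas) specifications
        gsub(/[A-Z]+:/, "", cmds)      # drop tags such as NOPASSWD:
        n = split(cmds, c, ",")
        for (i = 1; i <= n; i++) {
            sub(/^[ \t]+/, "", c[i]); sub(/[ \t]+$/, "", c[i])
            if (c[i] == "ALL") { print who ": ALL commands"; break }
            split(c[i], w, /[ \t]+/)   # w[1] is the command path
            if (w[1] ~ /\/(su|bash|sh|zsh|dash|ksh)$/) {
                print who ": shell " w[1]; break
            }
        }
    }'
}

# The %helpdesk rule is the only one in the sample that is not reported.
printf '%s' "$SAMPLE" | audit_sudoers
```

Before installing a real fragment, `visudo -c -f <file>` checks its syntax without opening an editor.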

avijitp 10-10-2009 03:07 AM

Perhaps you should be using "visudo" to edit the sudo configurations. Check the man pages for quick reference. There are plenty of good guides available on Google.

Hangdog42 10-10-2009 07:25 AM

Quote:

Originally Posted by anomie (Post 3713056)
I'm an Ubuntu novice, but IIRC after a 9.04 installation, only the account that I created at install time was a full sudoer. I added accounts post-installation, and they were not automatically made sudoers.

The implication to me is that they (Ubuntu team) expect that the initial account will be acting as admin as well.


I wish the *buntus would stop this and just use root and sudo the way they were intended. Sooner or later this sort of behavior is going to cause a huge security breach in the *buntus.

abefroman 10-13-2009 08:49 PM

You should be able to vi /etc/sudoers as well.

Wim Sturkenboom 10-13-2009 10:02 PM

@abefroman
You might already know this, but
Quote:

visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.
From man visudo

abefroman 10-13-2009 10:05 PM

Quote:

Originally Posted by Wim Sturkenboom (Post 3718339)
@abefroman
You might already know this, but

From man visudo

Thanks, and yes, I knew about visudo, never use it though.

avijitp 10-14-2009 07:42 AM

visudo often helps to eliminate some common mistakes that users make while creating sudo rules. It is always advisable to use it. The most adorable feature that I liked about visudo is that it will always tell you about a wrong rule when you want to save and come out of the vi editor.


All times are GMT -5.