LinuxQuestions.org
Old 10-08-2009, 09:28 PM   #1
smeezekitty
Senior Member
 
Registered: Sep 2009
Location: Washington U.S.
Distribution: M$ Windows / Debian / Ubuntu / DSL / many others
Posts: 2,339

Rep: Reputation: 231
How come sudo doesn't make it so anybody can become root?


If you type sudo bash, even a regular user becomes root.
It's not a problem because I don't use the multiuser system,
but doesn't this defeat the privilege system?
 
Old 10-08-2009, 10:50 PM   #2
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Solaris, Ubuntu, SUSE
Posts: 282

Rep: Reputation: 45
Hi. Sudo isn't really about becoming root, since once a user uses sudo su - or sudo bash they can do whatever they like, and from a system auditing point of view it becomes hard to track down what that user does.
Sudo is designed to give normal users elevated permissions. Example: let's say we have a helpdesk, and they need to be able to start and stop apache. Under normal conditions they cannot, but we can grant them permission to run just the commands they need to do this task. That way apache is still run as root, but the commands are locked down to only those specified by the admin. Good news for the admin as well: he no longer gets called every time, because the helpdesk can now do it.
You can create groups of systems, users and commands to give better control.
There's more to it of course, but that's the basics.
 
Old 10-08-2009, 11:33 PM   #3
David the H.
Bash Guru
 
Registered: Jun 2004
Location: Osaka, Japan
Distribution: Debian + kde 4 / 5
Posts: 6,849

Rep: Reputation: 2024
On most distributions regular users aren't given the flexibility to run whatever they want. sudo is only there so that the administrator can give them the ability to run specific commands under specific conditions, and only after being explicitly configured to allow it. You can't use sudo to run things like bash unless the administrator lets you.

However the developers of Ubuntu and its relatives have decided to use sudo in a different way. It's their belief that users switching to a root console and then leaving it open for protracted periods of time is a bigger overall security risk than simply giving them the ability to administer the entire system with sudo as needed. The fact that you can use it to switch into root isn't the issue for them; they just think it's better to not need to do it.

It's basically a risk trade-off, with different people having different views on what's most important security-wise.

Last edited by David the H.; 10-08-2009 at 11:35 PM.
 
Old 10-09-2009, 12:01 AM   #4
smeezekitty
Senior Member
 
Registered: Sep 2009
Location: Washington U.S.
Distribution: M$ Windows / Debian / Ubuntu / DSL / many others
Posts: 2,339

Original Poster
Rep: Reputation: 231
I am not concerned about security, and that's part of the reason I don't like Ubuntu.
I just thought sudo was a security hole.
 
Old 10-09-2009, 12:04 AM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I'm an Ubuntu novice, but IIRC after a 9.04 installation, only the account that I created at install time was a full sudoer. I added accounts post-installation, and they were not automatically made sudoers.

The implication to me is that they (Ubuntu team) expect that the initial account will be acting as admin as well.
 
Old 10-09-2009, 12:14 AM   #6
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
Quote:
Originally Posted by smeezekitty
I am not concerned about security, and that's part of the reason I don't like Ubuntu.
I just thought sudo was a security hole.
So you are the actual security hole
 
Old 10-09-2009, 12:20 AM   #7
avijitp
Member
 
Registered: May 2005
Location: India
Distribution: FC11, Debian/Ubuntu, RHEL, Solaris, AIX, HP-UX
Posts: 161

Rep: Reputation: 32
You can always set sudo to behave the way you want it to. You need to configure it.
 
Old 10-09-2009, 05:49 PM   #8
smeezekitty
Senior Member
 
Registered: Sep 2009
Location: Washington U.S.
Distribution: M$ Windows / Debian / Ubuntu / DSL / many others
Posts: 2,339

Original Poster
Rep: Reputation: 231
Configurable? Neat.
 
Old 10-09-2009, 10:12 PM   #9
David the H.
Bash Guru
 
Registered: Jun 2004
Location: Osaka, Japan
Distribution: Debian + kde 4 / 5
Posts: 6,849

Rep: Reputation: 2024
Configurable?

That's what we've been saying from the beginning. Sudo is simply a way for the root user to give other users permission to run certain commands with elevated permissions, so it certainly is configurable. Highly configurable. In Ubuntu they've simply configured it by default to give the first user complete access to the system (as well as simultaneously disabling the root password), but there's no reason you can't reconfigure it to include or exclude whatever commands and users you want, or even whether they need to use passwords or not.

It's all up to what you put in the /etc/sudoers file. Check out the man pages for sudo, sudoers, visudo, and the copious information on the net about it.
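An added example, not part of any post in this thread: a small Python check of the distinction drawn in posts #2 and #9, between a sudoers rule that is as good as root (command `ALL`, or a shell or `su`) and one locked down to specific commands. The sample rules, group names and the apache2ctl path are constructed assumptions, and the reader handles only the simple one-line rule form.

```python
import re

# Constructed sample, not taken from the thread: an Ubuntu-style rule giving
# one group everything, beside a helpdesk rule limited to two commands.
SAMPLE_SUDOERS = """\
Cmnd_Alias APACHE = /usr/sbin/apache2ctl start, /usr/sbin/apache2ctl stop
Cmnd_Alias SHELLS = /bin/bash, /bin/sh
%admin    ALL=(ALL) ALL
%helpdesk ALL=(root) APACHE
intern    ALL=(root) NOPASSWD: SHELLS
"""

# Commands that hand over a root shell, so the rule is as broad as ALL.
SHELL_EQUIVALENT = {"ALL", "/bin/sh", "/bin/bash", "/bin/su", "/usr/bin/su"}
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

def audit(text):
    """Return {who: 'unrestricted' | 'restricted'} for each user/group rule.

    Simplified reader: one rule per line, one host list, no line
    continuations, negation, or User_/Host_/Runas_ aliases.
    """
    aliases, result = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, spec = m.groups()
        commands = []
        for item in spec.split(","):
            item = re.sub(r"^(?:[A-Z_]+:\s*)+", "", item.strip())  # drop tags
            commands.extend(aliases.get(item, [item]))  # expand Cmnd_Alias
        broad = any(c.split()[0] in SHELL_EQUIVALENT for c in commands if c)
        if broad or result.get(who) != "unrestricted":
            result[who] = "unrestricted" if broad else "restricted"
    return result

if __name__ == "__main__":
    for who, verdict in audit(SAMPLE_SUDOERS).items():
        print(f"{who:10} {verdict}")
```

A list like `SHELL_EQUIVALENT` is only a starting point for review: editors, pagers and interpreters allowed through sudo can also start a shell, so a "restricted" verdict still needs a human look at each permitted command.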
 
Old 10-10-2009, 03:07 AM   #10
avijitp
Member
 
Registered: May 2005
Location: India
Distribution: FC11, Debian/Ubuntu, RHEL, Solaris, AIX, HP-UX
Posts: 161

Rep: Reputation: 32
Perhaps you should be using "visudo" to edit the sudo configuration. Check the man pages for quick reference. There are plenty of good guides available on Google.
 
Old 10-10-2009, 07:25 AM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by anomie
I'm an Ubuntu novice, but IIRC after a 9.04 installation, only the account that I created at install time was a full sudoer. I added accounts post-installation, and they were not automatically made sudoers.

The implication to me is that they (Ubuntu team) expect that the initial account will be acting as admin as well.

I wish the *buntus would stop this and just use root and sudo the way they were intended. Sooner or later this sort of behavior is going to cause a huge security breach in the *buntus.
 
Old 10-13-2009, 08:49 PM   #12
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Rep: Reputation: 55
You should be able to vi /etc/sudoers as well.
 
Old 10-13-2009, 10:02 PM   #13
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282Reputation: 282Reputation: 282
@abefroman
You might already know this, but
Quote:
visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.
From man visudo
 
Old 10-13-2009, 10:05 PM   #14
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Rep: Reputation: 55
Quote:
Originally Posted by Wim Sturkenboom
@abefroman
You might already know this, but

From man visudo
Thanks, and yes, I knew about visudo, never use it though.
 
Old 10-14-2009, 07:42 AM   #15
avijitp
Member
 
Registered: May 2005
Location: India
Distribution: FC11, Debian/Ubuntu, RHEL, Solaris, AIX, HP-UX
Posts: 161

Rep: Reputation: 32
visudo often helps to eliminate some common mistakes that users make while creating sudo rules. It is always advisable to use it. The most adorable feature that I liked about visudo is that it will always tell you about a wrong rule when you want to save and come out of the vi editor.
 
  

