[NCLUG] Re: Who uses SUDO on production machines?

John L. Bass jbass at dmsd.com
Sun Mar 18 21:36:42 MDT 2007


Hi Sean,

SUDO is one of those Love-Hate backdoors that's hard to classify as good
or bad, since its success is highly dependent on the environment and
people using it.

Sean Reifschneider <jafo at tummy.com>
> You can't retract a shared root password without changing it.  With sudo,
> you can retract the root access of one particular individual without having
> to exchange a root password with the remaining admins.  For example, on the
> python.org machines, we have many admins all over the globe, and so this
> can get to be a big deal.

The problem is that when you retract a sudo password, you are also never
sure that the user didn't install a backdoor. You grant sudo access to users
you trust, and invariably retract the access when trust has been revoked,
leaving the machine potentially root-kit'd in a very clever way. This is
even more difficult to clear than an outright compromise, as you can never
clearly identify when the root-kit was installed, and recover from backups
and roll forward.

As an engineering solution, sudo is a hack at best, when compared to removing
selected priv's on an ACL or Capabilities system. With ACL/Capabilities, you
can grant priv's which are clearly revokable, and lack the ability to install
trojans or backdoors with some careful engineering of the priv's.

Depending on the sudo variant, there is also the problem that it "caches"
passwords for a fixed time, opening a window where a priv'd user can walk
away from his console and have the machine effectively logged in as root, since
sudo will accept additional commands without a password till it times out.

While not a problem with current Linux versions, there have been some interesting
cases where chroot is enabled in user mode, which, combined with the ability to
hardlink SUID'd binaries plus "give away files", allowed unpriv'd users to use
sudo as a trojan in a quick and dirty "jail".

It's interactions like that, where security policy in most Linux distros is
not clearly negotiated, reviewed, designed and implemented, that make the
Linux "swiss cheese" security architecture problem dangerous with backdoors
like sudo.  It's very difficult to predict what new feature will leave your
system wide open to a crafty abuse.

> If I were to run a really security critical system, I'd probably set it up
> so that gaining access to the root account wouldn't help, via SELinux.
> Kevin has done this in the past, make the root account just a regular user
> account.  That is a *LOT* of work though.  Most machines are not "security
> critical" to this level.

I certainly agree!!

I've been known to construct secure servers that didn't have ANY command line
function available, not even perl or other script engine, simply to make sure
there was no backdoor available. In other cases I've had console only access
with shells that syslog'd offsite using onetime passwords available by signature
from the security guards desk.

While some IT departments may have problems with this, not even IT staff should
have access to "need to know" data, including management email archives, personnel
or client records, payroll data, and other extremely confidential business
records.  Designing systems which are fully auditable and accountable security-wise
is a growing business requirement. Thankfully it's not nearly as hard as
it seems, using reasonable security policies.

John
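An added example, not part of John's message or the thread: a small POSIX shell check that reports the credential-cache window a sudoers file grants, i.e. how long sudo keeps accepting commands without a password after the first one, which is the walk-away-from-the-console window described above. It assumes sudo's documented default of 5 minutes when `timestamp_timeout` is unset, that the last `Defaults` line wins, and it ignores included files and per-user `Defaults:` scoping (both simplifications); the sudoers fragments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original thread): measure the sudo credential
# cache window a sudoers file grants. Assumes the documented 5-minute default
# when timestamp_timeout is absent and that the last Defaults line wins;
# @include files and Defaults:user scoping are ignored (simplification).

# Print the effective timestamp_timeout, in minutes, for sudoers text on stdin.
effective_timestamp_timeout() {
    t=$(sed -e 's/#.*//' |
        sed -n 's/^[[:space:]]*Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9.][0-9.]*\).*/\1/p' |
        tail -n 1)
    printf '%s\n' "${t:-5}"
}

# Classify the window for sudoers text on stdin: 0 means every command
# re-prompts, a negative value means the cached credential never expires
# (per the sudoers manual), anything else is an N-minute window.
cache_window() {
    t=$(effective_timestamp_timeout)
    case "$t" in
        0)  echo prompt-every-time ;;
        -*) echo never-expires ;;
        *)  echo "cached:$t" ;;
    esac
}

# Constructed sample sudoers fragments, not taken from any real system.
SUDOERS_STOCK='Defaults env_reset
%wheel ALL=(ALL) ALL'
SUDOERS_HARDENED='Defaults env_reset
# Disable the credential cache: every sudo command re-prompts.
Defaults timestamp_timeout=0
# Log every invocation via syslog so a copy can be shipped off the box.
Defaults syslog=authpriv
%wheel ALL=(ALL) ALL'
SUDOERS_LOOSE='Defaults timestamp_timeout=-1   # cached credential never expires
%wheel ALL=(ALL) ALL'

printf '%s\n' "$SUDOERS_STOCK"    | cache_window   # cached:5
printf '%s\n' "$SUDOERS_HARDENED" | cache_window   # prompt-every-time
printf '%s\n' "$SUDOERS_LOOSE"    | cache_window   # never-expires
```

Run it as `./sudo_cache_window.sh < /etc/sudoers` (reading sudoers needs root) to see which of the three states a real file is in.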


