Social Enterprise

Setting the record straight on sudo

Vincent Danen takes exception to some of the criticisms regarding sudo as insecure and unfit for the enterprise. Here is his rebuttal.

I recently read a blog posting that denounced the use of sudo as insecure because of the following (briefly summed up and paraphrased) reasons:

1. That avoiding the root account is misguided, and that using root for everything is fine.

2. That using sudo for everything provides a false sense of security compared with performing the action as root directly.

3. That using a user account's password to get a root shell is a bad idea.

4. That using a root shell is not dangerous, and that this "grave misunderstanding" came from the idea that running X as root is dangerous.

5. That sudo has very little place in the enterprise.

6. That relying on sudo is foolish, because it has bugs.

7. That everything should be done from a root shell, and that you should have to know the "uber-secret root password" to get that access.

My first reaction to this blog posting was that the author had no idea how to use sudo properly or why you would want to. My second reaction was to give a big thank you to Ubuntu and OS X, which by default lock the root account (it has no password set, so nobody can log in as root directly) and give administrators sudo access to everything; that arrangement is largely what leads to these kinds of silly anti-sudo articles.

To begin with, there is nothing wrong with using the root account if it is your system or you are the administrator. Secondly, using sudo instead of a root shell is not less secure; that claim is simply ludicrous. The only difference is that with su you need to know root's password, and with sudo (in its default configuration) you need to know your own. If you are in the habit of using poor passwords, yes, this could bite you, but if you are already in the habit of using poor passwords, what says the root password isn't just as bad?

And on systems like Ubuntu or OS X, where there is no root password, you have no choice but to use sudo (or to set a root password yourself). In the end, the insecurity in all of this isn't the software; it's the end user choosing poor passwords.

And the reason people are so strongly discouraged from running X as root is that, with a full GUI session as root, chances are you will fire up a browser, an email client, or some other program that handles untrusted data all day long; if one of those is compromised, the attacker holds root rather than a single user account. This just makes sense. Running Firefox as an unprivileged user is vastly safer than running it as root for exactly that reason.

As for the claim that sudo has no place in the enterprise because it has bugs, that is foolish as well. All software has bugs, and sudo is no exception. Why not worry about a bug in su? Or PolicyKit? Or SELinux? By that argument, no software should be trusted at all. In fact, sudo is almost a necessity in the enterprise precisely because it provides logging, so you can audit which user did what, as which user, and when. For instance, running sudo /etc/init.d/httpd status yields the following syslog entry:

Mar 13 21:03:13 hades sudo:   joe : TTY=pts/2 ; PWD=/home/joe ; USER=root ; COMMAND=/etc/init.d/httpd status

whereas with su, running su root -c '/etc/init.d/httpd status' (the quotes are needed so the whole command, argument included, is handed to the shell) logs only:

Mar 13 21:04:25 hades su: pam_unix(su:session): session opened for user root by joe(uid=1001)
Mar 13 21:04:25 hades su: pam_unix(su:session): session closed for user root

The difference should be obvious. With sudo we know exactly what joe ran, when, from which terminal and working directory, and with which user's privileges. With su, all we know is that joe opened a root session. Was it to run a root shell? Execute a command? If so, which command? There is no auditable information here at all. With sudo, and its ability to tightly delegate commands, you do not have to hand out full, unfettered access to the system; you can grant exactly what the user needs. If joe only needs to manage Apache, he does not need a root shell that lets him do anything he wants. How that is supposedly less secure, I have no idea.
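The auditability point is easiest to see as detection logic run over the two kinds of entry above. What follows is an added example, not code from the article: it parses sudo's syslog format and the pam_unix lines su leaves behind, and flags the events after which the trail goes dark, namely an su session (no command is ever recorded), a sudo invocation that is itself a shell or a program with a well-known shell escape, and a denied attempt. The sample log lines are constructed for the example, modelled on the two shown above; the program lists are a starting point, not a complete inventory.

```python
import os
import re
import shlex
from typing import List, Optional, Tuple

# Constructed sample syslog excerpt (not from a real host): the two entries
# shown in the article, plus a few more sudo lines of the kinds an auditor
# actually cares about: a sudo-to-su, an editor run with elevated rights,
# and a denied attempt.
SAMPLE_LOG = """\
Mar 13 21:03:13 hades sudo:   joe : TTY=pts/2 ; PWD=/home/joe ; USER=root ; COMMAND=/etc/init.d/httpd status
Mar 13 21:04:25 hades su: pam_unix(su:session): session opened for user root by joe(uid=1001)
Mar 13 21:04:25 hades su: pam_unix(su:session): session closed for user root
Mar 13 21:07:02 hades sudo:   joe : TTY=pts/2 ; PWD=/home/joe ; USER=root ; COMMAND=/bin/su -
Mar 13 21:09:41 hades sudo:   ann : TTY=pts/3 ; PWD=/var/www ; USER=apache ; COMMAND=/usr/bin/vi /var/www/html/index.html
Mar 13 21:11:17 hades sudo:   joe : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/joe ; USER=root ; COMMAND=/bin/bash
"""

# sudo's syslog format: "<user> : [<message> ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# The optional message carries failures such as "3 incorrect password attempts"
# or "command not allowed"; a successful run has no message.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<msg>.*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# su via pam_unix logs only session open/close, never the command.
SU_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su: pam_unix\(su:session\): "
    r"session (?P<state>opened|closed) for user (?P<target>\S+)"
    r"(?: by (?P<user>[^(]+)\(uid=(?P<uid>\d+)\))?$"
)

# Programs that are a shell, or that are known to hand out one
# (":!sh" in vi, "!sh" in less/more/man, "find -exec", awk's system()).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su", "sudo"}
ESCAPABLE = {"vi", "vim", "view", "less", "more", "man", "find", "awk", "perl", "python", "python3"}


def program_name(cmd: str) -> str:
    """Basename of the program in a logged COMMAND= field."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes in an odd command line
        argv = cmd.split()
    return os.path.basename(argv[0]) if argv else ""


def classify(cmd: str) -> Optional[str]:
    """'shell', 'shell-escape', or None for a command that stays auditable."""
    name = program_name(cmd)
    if name in SHELLS:
        return "shell"
    if name in ESCAPABLE:
        return "shell-escape"
    return None


def parse_line(line: str) -> Optional[dict]:
    """Parse one syslog line into a dict, or None if it is not a sudo/su line."""
    m = SUDO_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["source"] = "sudo"
        rec["ok"] = rec["msg"] is None
        return rec
    m = SU_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["source"] = "su"
        return rec
    return None


Finding = Tuple[str, str, str, str]   # (user, target user, command, reason)


def audit(log_text: str) -> List[Finding]:
    """Return the events after which the audit trail can no longer be trusted."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["source"] == "su":
            # su tells us who became whom, but not what they ran: every opened
            # session is an unaudited root shell as far as the log knows.
            if rec["state"] == "opened":
                findings.append((rec["user"], rec["target"], "<unknown: su records no command>", "shell"))
            continue
        if not rec["ok"]:
            findings.append((rec["user"], rec["runas"], rec["cmd"], "denied: " + rec["msg"]))
            continue
        kind = classify(rec["cmd"])
        if kind is not None:
            # From this line on, nothing the user does is logged by sudo.
            findings.append((rec["user"], rec["runas"], rec["cmd"], kind))
    return findings


if __name__ == "__main__":
    for user, target, cmd, reason in audit(SAMPLE_LOG):
        print(f"{reason:40} {user} -> {target}: {cmd}")
```

Run against the sample, the httpd status line produces no finding, while the su session, the sudo-to-su, the vi run as apache and the failed bash attempt each do; on a real host feed it /var/log/secure or /var/log/auth.log, and treat a "shell" or "shell-escape" finding as the point from which sudo's own log can tell you nothing more.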

Finally, the assumption that you have to use your own password with sudo is wrong too. You can tell sudo to ask for the root password instead by adding the following to /etc/sudoers:

Defaults timestamp_timeout=0,rootpw

Now sudo will always ask for a password (timestamp_timeout=0 disables the credential cache, so it prompts on every invocation), and the password it asks for will always be root's.
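Putting the delegation point and the rootpw setting together, here is an added example of what tightly scoped sudoers entries look like. It is not configuration from the article: it assumes RHEL-style Apache paths, the hypothetical web administrators joe and ann, and sudo 1.7.4 or later for the session-recording options; the aliases and paths are illustrative and should be adjusted to the host.

```sudoers
## Added example, not from the article. Assumes RHEL-style paths and the
## hypothetical users joe and ann; adjust for your distribution.

# Always prompt, and always for root's password (the article's own setting),
# and keep sudo's own log file in addition to syslog.
Defaults        timestamp_timeout=0, rootpw
Defaults        logfile=/var/log/sudo.log
# sudo 1.7.4+: record the whole terminal session, replayable with sudoreplay.
Defaults        log_input, log_output

User_Alias      WEBADMINS = joe, ann

# List every argument form you mean to allow. A bare /etc/init.d/httpd
# would permit any arguments at all.
Cmnd_Alias      APACHE = /etc/init.d/httpd start,   \
                         /etc/init.d/httpd stop,    \
                         /etc/init.d/httpd restart, \
                         /etc/init.d/httpd status,  \
                         /etc/init.d/httpd configtest

WEBADMINS       ALL = (root) APACHE

# Config edits go through sudoedit: the file is copied, edited as the
# calling user, then copied back as root. Never grant a real editor.
WEBADMINS       ALL = (root) sudoedit /etc/httpd/conf/httpd.conf, \
                             sudoedit /etc/httpd/conf.d/*.conf

# Read-only log access: NOEXEC keeps less from spawning a shell with "!sh".
# NOEXEC works by intercepting exec() in dynamically linked programs, so it
# must not be put on the init script above, which has to exec the daemon.
WEBADMINS       ALL = (root) NOEXEC: /usr/bin/less /var/log/httpd/access_log, \
                                     /usr/bin/less /var/log/httpd/error_log

# Two rules that look tight but are not (left commented out):
#   joe ALL = (root) /usr/bin/vi /etc/httpd/conf/httpd.conf   # ":!sh" is a root shell
#   joe ALL = (root) /usr/bin/tail /var/log/httpd/*           # arguments match as one
#                                                             # string, so the * also
#                                                             # matches "/var/log/httpd/x /etc/shadow"
```

Install a fragment like this with visudo -f /etc/sudoers.d/webadmins (assuming the main file carries #includedir /etc/sudoers.d, available from sudo 1.7.2), because visudo refuses to save a file with a syntax error; sudo -l -U joe then prints exactly what joe may run, which is the list you hand to an auditor.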

I really have a problem with the blanket assumptions people make about sudo, especially when they are wrong. Used correctly, it is a fantastic tool. Yes, it has had security problems in the past, but they have always been dealt with quickly (by both the upstream sudo project and the Linux vendors shipping it). Yes, Ubuntu and OS X use it in a very poor fashion, but their defaults are not sudo's defaults.

Unfortunately, they have to use sudo in this fashion because the root account has no password by default. Without configuring sudo as they do, no one would get root privileges on these systems, even those who should have them.

It would be nice if people ranted about things that deserved it: sudo is just a tool, and it is very good at what it does. It is essential in the enterprise wherever PCI-DSS compliance is required, or wherever any kind of auditing or logging is desired. The problem is when people don't bother reading about its features, or think that the defaults provided by one or two operating systems are "the norm" for sudo. They aren't, and sudo shouldn't bear the brunt of the criticism: poor configurations of sudo should.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

19 comments
pjwvieviwdhy

One thing totally neglected by the ranting person and yourself is that sudo doesn't necessarily have to give out root permissions at all. sudo can also offer only the possibility to switch to some specific other user instead of root. Also, you argued with logging. This doesn't help much with people having the habit to use sudo su - nothing to gain from that point.

ruel24

Sudo, itself, is a good idea. However, I'll never feel secure allowing someone to use it with a user password. At the very least, the user should be required to use a separate Sudo password. However, I find Sudo rather annoying to use. I simply get a root shell and do my thing.

yattwood

I worked as a SysAdmin some years ago on the B2 Stealth Program ("I could tell ya, but then I'd have to kill ya"), and even in an environment with _separate_ networks for classified and unclassified systems, security up the wazoo and one of every computer type known to humankind - with the proper controls, the DBAs and SysAdmins used 'sudo' very happily and effectively. In my current position, I'd be out of a job if I could not use 'sudo' - since our data center is outsourced, and the edict from On High is: "Thou Shalt Not Give The Root Password To Non-Outsourcer Personnel" - I have 'sudo' on every UNIX server I support Oracle on, with the exception of the Network Appliance - that I do have 'root' on, because of the nature of the NetApp and because we have a DBA-SysAdmin Agreement regarding the Network Appliance. And we are SOX-audited very stringently, and have not failed any audits in this area - used and audited properly, 'sudo' is a totally acceptable and even preferred tool!

bond.masuda

You are right about sudo being a useful tool for auditing purposes, which is required for compliance issues in large enterprises, just as you stated. However, as far as I know, there isn't a way to really restrict a user from starting a shell with sudo, unless you specifically define all commands permissible and avoid programs that can spawn a shell (e.g., vi, more->vi->/bin/sh, etc.). Once you give any flexibility in how you configure sudo, a knowledgeable user can circumvent the restrictions by finding access to a root shell; then all the logging goes out the window. Does anyone know of a way to prevent this? (Other than specifically defining every damn command and avoiding things like vi, more, etc.)

dkmorgan

While I find sudo to be a good tool in the enterprise to allow non-systems administrators to make root calls, I also find that most enterprises don't put enough restriction on its use. This seems to happen due to either laziness or lack of resources to properly manage the environment. I think any serious mention of sudo and security should include a cautionary note about end user access to running commands like vi, find, or non-root-controlled scripts as root. These are all gaping holes in security (not sudo), and it will not be logged. Each of these allows the user to bypass logging and run any command they want after the first logged command. For example, vi allows a person to start a new unlogged root shell. Scripts that aren't root-restricted for editing can allow users to place any command within them, and then later remove them from the script.

greiter

would you care to elaborate a bit on "Yes, Ubuntu and OS X use it in a very poor fashion..." ?

severian

So many admins have no idea about benefits of using sudo versus operating as root.

Ajax4Hire

Use SUDO and ROOT together. I use sudo for short, simple changes and updates that require the root privilege. For instance, I need to read a log file or check a /boot/grub file to ensure things are set up correctly. I use root in a bash (and only in bash, no X) when I need to make big changes. For instance, add a user, set up a new HD, run maintenance functions. The root privilege is a convenience for the big task; it keeps you from having to prefix every command with sudo. I don't agree with Ubuntu that root is never good; it has its place and time.

edeloye

I agree with everything you said about sudo. It provides a mechanism to prevent you from shooting yourself in the foot; it is much more obvious what you are doing when you have to type "sudo /some/command", and it gives you a moment to pause and reflect about what you are doing. I have seen seasoned administrators do an rm -rf * as root only to discover they are in the root directory. I have worked at two companies over the last 15 years, and at both of them we used sudo for everything. The only reason to log in to the root account is to do an fsck on a broken system.

schwarm

The note should have made a bigger point of proper configuration. After all, sudo bash has the same effect as su when the configuration is ALL ALL.

bblackmoor

I am not sure what prompted the author to respond to what is clearly the opinion of someone who knows nothing about Unix administration, much less sudo. However, I am glad that the author mentioned the one argument for using sudo which trumps every possible objection: logging. Log files are critical to the successful investigation and prosecution of security incidents. Knowing whose account executed a sudo command is invaluable.

rduncan

I use root for everything; if I rm -f *.* in the root directory, it's because I'm stupid and not actually thinking about what the hell I'm doing. I'm not arguing about sudo being a great tool for safety and auditing; I'm just not that paranoid.

dkmorgan

Though I haven't worked with it, I understand that rvim, a restricted version of vim, is configured specifically to stop the usual ways of escaping out of the editing session.

neondiet

If you want to log what commands your users and admins are really using you would be better off turning on system auditing to capture success+failed system calls for execl, execve, etc. The advantage of using auditd is that the recorded auid (original login ID) never changes, so you can still track someone even if they su or sudo to invoke a root shell.

neondiet

That's what sudo -s is for. It gives you a root shell when you have a lot of root work to do. I strongly prefer sudo and don't like giving the root account passwords out to anyone. It avoids the situation where root account password lists have to be printed and distributed every 3 months, that then sit in people's desks or their bags/wallets. It's just asking for trouble.

flhtc

Ubuntu is set up for the masses, not for admins. With that in mind, it's much safer to say to the masses: root no good... sudo good. KIS (Keep It Simple). I do as you: sudo for small jobs, root for the more in-depth jobs. I've been doing this since the mid '80s. Most Ubuntu users haven't a clue. I'm not saying they're dumb, just ignorant. Simply a lack of knowledge. In which case: sudo. EOF

aaronjsmith21

I am not sure why the author did this either, but I am glad they did. I did get some useful knowledge from this, even if it was in protest to what happened. I am not condemning your post though, just giving insight to my position. I guess a spark went off to notify others of the real use to a very great tool in our world.

roy.evison

Being informative should never be decried. I think the many woes from the original post were inspired by single users, and it is annoying when you have to change settings that are meant for a different set-up. Change your own PC and be damned. Perhaps what is being lost, in the drive towards 'ease of use', is the protection inherent in the previous set-up. Roy
