Sudo: Windowsifying unix, step by step!

Like many people interested in bringing computer security awareness to the public at large, some eight years ago I was thrilled to get acquainted with sudo. A great tool for giving specific admin rights to specific users in a very granular way, with great semantics… And allowing for a degree of flexibility much higher than my needs, honestly.

I think it was the Canonical crew who first thought of using it backwards, “solving” (for some definition of solution, of course) the long-known problem that desktop users cannot be bothered to understand they are using a normal account which is, for their own personal security, completely separated from the privileged account. So, in short, Ubuntu uses a passwordless sudo to grant users (at least I understand it is limited to the first system user, am I right?) access to whatever and whatnot… And most users seem to like this. Yes, the same way they like Windows: Because it is the no-brainer solution. Now, give a person with no brains some choices… Guess which choice they will pick.

Now, it’s assumed by most semi-newbie Linux users that sudo basically means “go ahead”. I have tried to get this point across to people complaining that Debian ships a b0rken sudo because it is not basically a

    ALL ALL = NOPASSWD: ALL

So, as it is currently used… I do feel sadness: Unix systems tend to Windowsification, where real administrator privileges are just a matter of asking whether you are sure. Assuming single, local users for local machines.

[update] Oops! Lots of comments explaining my world-view is somewhat flawed… Anyway, I’ll reply to the comments themselves.

Comments

Anonymous 2008-03-20 00:03:54

Oh well. At least you will understand what policykit is for. Took me a while to figure it out.

I am bored right now and trying to wear myself out so I can sleep, so forgive me if you already know all this sort of stuff:

Say you have a task that normally requires root rights to accomplish.. say updating your OS with the latest security patches.

Right now, say you’re using Ubuntu, you’re going to use something like Synaptic to do that. Well synaptic needs root rights to do that… so that means you’ll end up using gtksu (or gtksudo or whatever) to do that in a graphical fashion. That means you’re giving root rights to all of GTK and everything that synaptic uses and every other X application that can send any sort of data to synaptic.

That’s a lot of code you’re handing over root rights to. Lots of problems that can go wrong, lots of holes you’re opening up for attackers.

So with policykit and dbus you’d be able to replace synaptic with a background service that is in charge of doing updates. That way you end up with a nice graphical front-end running with only user rights, it talks to the daemon via dbus and the daemon bases its decisions on whether or not to listen to the user by policykit’s text configuration files.

That way instead of having the entire code base from dpkg, X, GTK, and all that on up running as root.. you can concentrate hardening the dbus interface for that daemon (and hopefully most of that code will be in lovely libraries that are heavily audited and kept simple). You can then have mushy GUI code on one side of the divide and mushy root-running code on the other. Complete privilege separation with everything nicely compartmentalized and protected by the normal unix-y coarse grain permission controls.

Now with modern operating systems updating the system is one of those tasks that need to be done on a day-to-day basis. Implementing this correctly with policykit/dbus will give a nice gui to ‘normals’ and eliminate a common use of the root account for even more advanced users.

Wouldn’t it be nice to be able to perform all tasks commonly associated with a Desktop with never having to use sudo, root accounts, or setuid root permissions?

Next step after that would be, I figure, to using some sort of role-based access control for locking down user accounts against potential malicious data exploiting weaknesses in ‘external facing’ (browsers, voip, email, etc) to get access to user accounts or user’s data on user’s accounts.

In defense of Ubuntu on a single-user (say your typical home user) desktop system the most important data is stored in a regular user account. So defending root in that sort of environment is kinda pointless from that point of view. Might as well store /etc/shadow in plain text with 777 permissions for all the help it’s going to do for me when I (a typical lazy user) store the passwords to my online banking in my browser and somebody hacks my account.

Un-windowing Linux desktop sounds much better. :)


Anonymous 2008-03-20 00:17:54

Sudo is a smarter way to get root access than a straight up su. For one, it’s logged. It also encourages you to only run one command at a time, while su by default kicks you into a shell.


Anonymous 2008-03-20 00:58:24

I actually remember the time when SuSE still warned not to install sudo because of major security flaws.

Well, let’s wait for the first Linux worm now. But hey, if it is well done it will be way more powerful than everything Windows ever produced.


Anonymous 2008-03-20 05:35:55

Do you have any idea what you are talking about? Here is the default sudoers on Ubuntu:

    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL

Only those users delegated as administrators are in the admin group.

Yay for elitist snobs.


Bashtoni 2008-03-20 00:45:57

Have you actually used Ubuntu?

Default /etc/sudoers from Ubuntu:

    # User privilege specification
    root ALL=(ALL) ALL

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL


Chris Jones 2008-03-20 01:21:23

Sudo for root access is something that Ubuntu copied from OSX. It makes lot of sense for single user single machines (which is the market Ubuntu is aimed at).


Christoph Langner 2008-03-20 03:21:06

You are wrong

Ubuntu doesn’t use a passwordless sudo. The user which is created during setup is added to the admin group. By authenticating himself via his own password, root rights are granted. It’s the same behaviour like debian, when you don’t enter a password for root.


jordi 2008-03-24 13:01:00

Less is More

If you ask your users fewer questions (passwords, remember user accounts, understand root account, etc) they will be more satisfied.


julioams 2008-03-20 16:41:38

It's the price

It's the price you have to pay for trying to steal users from a mediocre operating system (pretty, but mediocre, even if that sounds like trolling). Because unfortunately the home user couldn't care less about security; they just want it to work with the least possible effort.


Jussi Kukkonen 2008-03-20 02:31:32

is this a new development?

> Ubuntu uses a passwordless sudo

I don’t see that on my machines, and I think I have both the oldest supported release and the newest release installed. On both systems sudoers basically just says: “%admin ALL=(ALL) ALL” and I don’t remember tweaking that…

Is this a new “feature” in Hardy or are you mistaken?


jw 2008-03-20 04:46:37

admin group members have sudoer rights

    ...
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    ...

The first user setup on the system is, by default, put into the admin group. Subsequent users need to be deliberately added to the admin group.

So, there is a Windows-ishness to this, but additional users are added with more deliberateness and there is no back-door ASP.net or “guest” account that can wreak havoc.

Honestly, this is one thing I dislike about Ubuntu. I came from Fedora after a bit of research into what distro I finally wanted to settle on; and once upon a time I worked with Solaris daily. Fedora has a “root” account that “sudo” things must be done as. However, I do think that is a bit “arcane” and “esoteric” for most users who are trying to be converted to Ubuntu as they are wooed away from Windows.

The nature of the “sudo” command should be part of a new user’s education, in my opinion.


Kartik Mistry 2008-03-20 01:11:55

Not a passwordless sudo

Hi Gunnar,

Ubuntu doesn’t ship passwordless sudo access. I have confirmed with some friends :)


Lloeki 2008-03-20 02:15:38

passwordless?

“Ubuntu uses a passwordless sudo to grant users” Where the hell did you see it being passwordless? cat /etc/sudoers on my xps m1210 freshly gutsy powered for being sold gives me:

%sudo ALL=NOPASSWD: ALL

%admin ALL=(ALL) ALL

When creating a user graphically you don’t even have the sudo group possibility. Only the admin group is selectable, under the cover of ‘administrer le système’ (french here, and lazy to LC=).
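
The distinction the commenters draw between a rule with and without `NOPASSWD`, as an added example that is not part of the post or of any comment: a small Python audit over single-line sudoers user specifications. The sample input is constructed from the sudoers lines quoted on this page; the function names are hypothetical, and aliases, line continuations, `#include` directives and multi-command rules are deliberately not handled.

```python
import re

# Constructed sample built from the sudoers lines quoted on this page.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL
%sudo   ALL=NOPASSWD: ALL
Defaults !lecture,tty_tickets,!fqdn
"""

# Comment, Defaults and alias lines are not user specifications.
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"   # user or %group, then host list
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                # optional (runas) spec
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"                  # tags such as NOPASSWD:
    r"(?P<cmds>.+)$"                               # command list
)

def audit(text):
    """Return one finding per user specification in single-line sudoers text."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if m is None:
            continue
        # A later PASSWD/NOPASSWD tag overrides an earlier one; with no tag
        # at all, sudo asks for the invoking user's password.
        auth = [t for t in re.findall(r"[A-Z_]+", m["tags"])
                if t in ("PASSWD", "NOPASSWD")]
        findings.append({
            "who": m["who"],
            "runas": m["runas"] or "root",   # sudoers default when omitted
            "commands": m["cmds"].strip(),
            "passwordless": bool(auth) and auth[-1] == "NOPASSWD",
            "unrestricted": m["cmds"].strip() == "ALL",
        })
    return findings

def risky(text):
    """Subjects that get every command with no authentication prompt."""
    return [f["who"] for f in audit(text)
            if f["passwordless"] and f["unrestricted"]]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(finding)
    print("passwordless full access:", risky(SAMPLE_SUDOERS))
```
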


Marius Gedminas 2008-03-20 06:42:12

Passwordless?

Here’s Ubuntu’s default /etc/sudoers (with comments stripped):

    Defaults !lecture,tty_tickets,!fqdn
    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL

Where do you see “NOPASSWD”?


Mark Brown 2008-03-20 01:43:44

The Ubuntu sudo setup isn’t passwordless - it requires that you enter your password before it grants access (it does have the timeout feature but that’s not such a big deal). The passwordless bit is that the root account is locked - there is no password for it, but you do need the password of the first regular user by default


Mark Brown 2008-03-20 01:47:40

(Actually, I don’t know what the live CD does, it may well just use passwordless since obviously there is no per-user password then - but then the situation when you’re running a live CD is totally different.)


Matthew Garrett 2008-03-19 23:41:06

No?

It was actually Apple who introduced the idea of granting sudo rights to administrative users by default, and not bothering with a root password. But neither setup is passwordless - here’s the default Ubuntu sudoers:

    # User privilege specification
    root ALL=(ALL) ALL

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL

Note the lack of any NOPASSWD.


Mike 2008-03-21 05:28:29

lol@ubuntu replies

Ok, I think after the first comment we get it. The config is not passwordless.

Thanks for all the fish, mike


muep 2008-03-19 23:45:23

It’s not passwordless

Ubuntu’s sudo is not configured to not ask for a password. Instead, it asks for the user’s own password. Sudo then remembers for 15 min or so that the user has recently authenticated himself, so that he can enter multiple privileged commands with only one password.


Onkar 2008-03-20 01:15:13

I am not sure why you feel that Ubuntu has a ‘passwordless sudo’.

Following are my observations regarding sudo in Ubuntu since 4.10 version. I haven’t seen any deviation in last 3 years.

  1. Only first user created while installation is a ‘sudoer’.
  2. No other user created after that is sudoer by default.
  3. When a sudoer does ‘sudo command’ or ‘gksudo command’ he is asked for his own password.
  4. There is password caching in place but the time is 5 minutes. If there is a gap in two ‘sudo command’ attempts, one will have to enter password again.

If you think that at some point Ubuntu has behaved differently from the above then please file a bug.

Note: I am just one of the many Ubuntu users and don’t represent Ubuntu core development team or Canonical in any way.


pabs 2008-03-20 02:58:32

insecure?

How terribly insecure! least they could do is remove the NOPASSWD.


Pharao 2008-03-20 00:36:17

> Ubuntu uses a passwordless sudo

That’s not quite right. You have to enter your user account password.

I never understood why everyone was happy about sudo. First thing I did when I have seen a Ubuntu system was setting up a root account. If I want to change some settings I switch to root. If I don’t want to change something on my system I don’t need the privileges. Worked 6-7 years for me, so why changing a working solution?


Piotr 2008-03-20 01:11:09

Quote: Ubuntu uses a passwordless sudo to grant users (at least I understand it is limited to the first system user, am I right?) access to whatever and whatnot…

Correction 1: Default Ubuntu uses sudo with the USER PASSWORD so it is not PASSWORDLESS.

Correction 2: Any user can be declared a sudoer.


Richard James 2008-03-20 02:03:28

I’m sorry but I don’t see your point

I used Slackware for many years before I tried Ubuntu and I don’t understand what you are saying. In Slackware to do things as root I use su and I have to type in the root password which I chose. In Ubuntu I use sudo and I have to type in my password which I chose. In Slackware I can make the passwords blank but in Ubuntu PAM forces me to have a password.

I don’t see how this system is Windowsifying Linux at all. It is the same process we have used from the beginning. If you want to administrate your machine you need to supply a password.

Maybe you could explain how “using sudo in Ubuntu is backwards” better because I can’t see what you are talking about.
