Quick and dirty: why sudo is bad for security

I always hated sudo. It’s like trying to fix a tyre with a chewing gum, close eyes and hope it works.
Just a quick and dirty, straightforward explanation why it is bad for your systems’ security.
Let’s say you have a password-less ssh keypair attached to a remote user allowed to run anything as root through prefixing commands with “sudo”. *cough* this is the default setup for any Amazon EC2 instance running Amazon Linux AMIs (and also Ubuntu AMIs I guess, and perhaps even Fedora ones?)
What happens if your keypair slips out, gets leaked somehow or somebody steals it from your hard drive? The result is simple, the attacker automatically gains root access anywhere you have the above setup.
That’s quite dangerous, especially if you’re paranoid. Funny enough, many distros are forcing users to use sudo against their will, in a password-less setup.

Of course, this also happens in the unlikely (ahaha) case where your user account gets compromised. Having two levels of passwords is always better than one.

sudo FTL!

About lxnay

the creator of Sabayon Linux, Entropy Package Manager {Eit, Equo, Rigo}, Molecule release media buildsystem, Matter Portage buildbot/tinderbox and only God knows what else...

11 responses to “Quick and dirty: why sudo is bad for security

  1. Sorry, do not agree.

    Nothing can prevent silly users doing silly things.

    First step is to login to the target system. If the keys are not password protected, it does not mean that keys are bad. Second is to execute sudo with a command and you need a password for executing the command.

    So, you have two different authorization methods.

    Quote: “Having two levels of passwords is always better than one.” True for ssh with sudo.

  2. Yep, like Dirk said. That’s not true. Even when you loose your keys, you still have to enter your password when you enter a sudo command. Loosing “root” keys is much more worse. Imaging you create a password-less key for root on a server, only in this situation the attacker has full access to your machine.

  3. Anon

    “I rather think that sudo itself allowing this is the real problem.
    Misconfigurations and human errors are very likely.”

    I think you misjudged users that can achieve this.

  4. I would also set timestamp_timeout = 0 which will disable password caching and force users to re-enter password on every sudo run

  5. Carl Snyder

    Your argument seems not to be against sudo, per se, but against not having a separate password for root, coupled with unlimited sudo privileges. sudo can be limited in extent, depending on the privileges found in the sudoers file. Anytime you have root access without requiring a password, whether it is the account password or a separate root password, you are leaving yourself open to problems in the name of expedience.

  6. Pingback: Links 16/9/2011: Boeing Goes With Android, Oracle Splits MySQL | Techrights

  7. Can’t say I agree with this article. I’m not as clued up as most people here. But it seems to me no matter what the security system is. If someone else gets hold of the password or keys it’s not good. Doesn’t matter if it’s sudo or root.

    The problem here seems to be the same problem home users face with home wifi routers. Poor default password setups. Meaning not having any. And specifically system admins not changing that poor default setup to something more secure. Sudo can be configured to require passwords and time out. Privilages can also be setup. So not all users on the sudoers list have the same rights.

    It would seem the author is trying to shape the facts to suit the argument.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

hello, twitter

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 585 other followers

del.icio.us

%d bloggers like this: