Sudo vs. Root

CmdrTaco posted more than 8 years ago | from the security-comes-first dept.

lessthan0 writes "In Mac OS X, the root account is disabled by default. The first user account created is added to the admin group and that user can use the sudo command to execute other commands as root. The conventional wisdom is that sudo is the most secure way to run root commands, but a closer look reveals a picture that is not so clear." The article is about OSX but the debate is a little older ;)

327 comments

Layered Security (4, Informative)

Mattygfunk1 (596840) | more than 8 years ago | (#14964254)

The conventional wisdom is that sudo is the most secure way to run root commands, but a closer look reveals a picture that is not so clear.

The article doesn't say that sudo isn't the most secure way to run commands, it just details how to make it even more secure.

Re:Layered Security (5, Insightful)

Jason Hood (721277) | more than 8 years ago | (#14964277)

I honestly feel dumber for RTFA.

Re:Layered Security (1, Informative)

Anonymous Coward | more than 8 years ago | (#14964679)

The article is fucking stupid for another reason; it says sudo is 'insecure' because, if you're logged in as admin, you don't need the username, just the password. How exactly does root make this any more secure? You already know the username for root is 'root', so what's the fucking difference? Either way it's all just a password away...

Obviously root wins (0)

Anonymous Coward | more than 8 years ago | (#14964259)

I mean, it's like rock vs. scissors.

I guess that this article can be skipped (1, Troll)

zappepcs (820751) | more than 8 years ago | (#14964265)

I guess that this article can be skipped if you are a windows user? :)

Re:I guess that this article can be skipped (1)

terraformer (617565) | more than 8 years ago | (#14964364)

Word has it that Vista will change that and there will be sudo like capabilities but I suspect it is too soon to tell if it will materialize and if so, in what form.

The Monad shell won't be in Vista (1)

ccmay (116316) | more than 8 years ago | (#14964506)

Word has it that Vista will change that and there will be sudo like capabilities but I suspect it is too soon to tell if it will materialize and if so, in what form.

Not in Vista, it won't.

Back when Vista was still Longhorn, they were planning to include a new Microsoft Shell [wikipedia.org], aka MSH, aka Monad. But they are saying now that it won't be released with Vista.

-ccm

Re:The Monad shell won't be in Vista (1)

B3ryllium (571199) | more than 8 years ago | (#14964611)

Monad has absolutely nothing to do with sudo-like behaviour; what the GP means is that Windows will prompt for an admin password in limited accounts before allowing changes. Kind of like what Mandriva/KDE do in their GUI admin tools.

Re:I guess that this article can be skipped (2, Interesting)

ThePhilips (752041) | more than 8 years ago | (#14964510)

Well you already can tell Windows (starting from w2k) to launch application under another account. Though most Wind0ze applications can't do that. It's not the problem of applications - it's that the windows api expects all the fancy stuff - like desktop and registry - to be present and set up for the user. Conventional apps rarely run okay that way - several admin applications run that way w/o problems.

Try it. Right click on the link to application or application itself and select "Run As". (Also you can hold "shift" button on right click - that way Wind0ze' Explorer would display complete right-click menu for the target, "Run As..." would be definitely there).

Note that under *nix, it's a security feature to run application w/o bells and whistles. It's almost impossible to run them otherwise. Under Windows, due to mandated GUI, applications are always "fatter" compared to their *nix counterparts. In Unix world it's the norm to have GUI running in unprivileged mode and then pass user commands to small back-end tool running with all required privileges. One can compromise the front-end - but still privileged back-end would dismiss any disallowed command. For some unknown reason I rarely see such approach being used on windoze.

Re:I guess that this article can be skipped (1)

gcauthon (714964) | more than 8 years ago | (#14964690)

First of all, windoze does not have a "mandated GUI". You are free to write console-based apps in windows. I'm not sure what all of that "right click" and "run as" crap is either. Just drop to a console and type "runas /user:admin ". You can use the switch "/profile" or "/noprofile" to control whether the "fancy stuff like desktop and registry" (which I'm assuming you mean the user's profile) are loaded. If you absolutely must use the mouse, then just create a script file and then create a shortcut to it on your desktop.

Second, how exactly do you define a privileged account? If you define it as the account responsible for running system-level processes, then it seems logically impossible to run a system process like XDM as anything but a privileged account. If you run XDM as "joe", then "joe" would implicitly become a privileged account.

Re:I guess that this article can be skipped (0)

Anonymous Coward | more than 8 years ago | (#14964385)

Are you trying to be funny or is that just your normal way of observing things?

Yes, we all know about winsudo. No, you were not clever.

Re:I guess that this article can be skipped (1)

firl (907479) | more than 8 years ago | (#14964403)

Well, it's not just for Mac OS: many things, live CDs that are Debian based. Windows Vista also has a slightly different take, it just pops up a dialog box every time it wants to do something admin-like, which is cool, except it doesn't give full admin, which I guess is a step forward for Windows. But if you want to change file permissions on a kernel file you should be able to without being forced to reboot to a recovery console; can do this in BSD and Linux variants.

Re:I guess that this article can be skipped (1)

jginspace (678908) | more than 8 years ago | (#14964454)

I guess that this article can be skipped if you are a windows user? :)

Check out the excellent Nonadmin site:

http://nonadmin.editme.com/WinSUDO [editme.com]

Lots of useful stuff there that not many people know about...

Oh, great! (4, Funny)

Len Budney (787422) | more than 8 years ago | (#14964267)

Now all the black-hats out there will have a powerful new tool in their arsenal! You mean, a sudoer can, like, type "sudo /bin/bash" and then do all sorts of things as root? Pretty irresponsible of him to go telling the world a secret like THAT!

Re:Oh, great! (2)

Phreakiture (547094) | more than 8 years ago | (#14964426)

I'm going to be even more irresponsible and invoke our good friend Tim Towtdi....

  • sudo /bin/bash
  • sudo su -
  • sudo -s

Re:Oh, great! (0)

Anonymous Coward | more than 8 years ago | (#14964431)

"You mean, a sudoer can, like, type "sudo /bin/bash"

He wouldn't even waste the key strokes

      $ sudo -i


Sudo (3, Interesting)

Poromenos1 (830658) | more than 8 years ago | (#14964268)

What the article mentions is not really a big problem, since that is more or less what would happen if someone guessed the root password (then they could tamper with anything, including the logs). If the administrator isn't knowledgeable, both sudo and root can get hacked, but this doesn't mean that sudo is worse or has more disadvantages than running as root.

Personally, I prefer sudoing a shell to run as root so I don't have to type the command all the time, but that's just in my home Ubuntu installation which I don't care much about.

Re:Sudo (2, Informative)

OxygenPenguin (785248) | more than 8 years ago | (#14964446)

I'm with you there. I often su to root inside a shell and remain there for some time, until I'm finished executing commands that require root. I don't feel the need to secure my 2 Ubuntu boxes at home enough to only sudo in and out. It's irritating having to type that command over and over again.

Now, the servers at the workplace are a different story, though I tend to ssh in as root at times as well.

Same applies to Ubuntu (1, Informative)

Anonymous Coward | more than 8 years ago | (#14964275)

sudo is primed to let you do pretty much anything. And it's far more likely that someone gets my user password than the actual root password.

Re:Same applies to Ubuntu (1)

yo_tuco (795102) | more than 8 years ago | (#14964559)

"And it's far more likely that someone gets my user password than the actual root password."

That is the big question. However, in a remote attack, a user account name may not be known. The root user account name is (part of the barrier is solved). Cracking a user account password is just as hard as the root unless, of course, you assume a person creating a root account would use a stronger password than a user account.

Sudo is only useful when there are lots of admins (5, Insightful)

eln (21727) | more than 8 years ago | (#14964280)

When there are lots of admins, sudo can be helpful. However, even then it's mostly useless because most admins get so irritated at having to type sudo before every command that they'll just sudo into a shell and be done with it, which sort of eliminates most of the advantages of sudo. To get around this, you'd need a security admin that is not only diligent about what access he gives out, but is also willing to deal with a lot of abuse from the other admins because he won't let them do what they want to do.

For a single-user system, sudo is pointless. Nearly everyone is just going to sudo into a shell to do anything where root is needed on their own personal box anyway.

Re:Sudo is only useful when there are lots of admi (2, Interesting)

Abalamahalamatandra (639919) | more than 8 years ago | (#14964392)

I would disagree, in some cases. I like that Ubuntu does things this way, because it's designed for less-experienced users. I often see posts in the forums that list several commands in a row to execute, all preceded by sudo.

Being a more experienced admin, that looks weird and counterproductive. But here's the nice thing: it keeps users from opening up a root shell and then forgetting they're in that shell, where they could easily wreak havoc. I think that's a good thing.

Me, I pretty much just always type "sudo -i" to do my stuff. But I wouldn't want less experienced users doing that.

Re:Sudo is only useful ..... (0)

Aspirator (862748) | more than 8 years ago | (#14964398)

On my own boxes I commonly use sudo for installing software,
I do all of the compilation etc. in a user account.

If I log in as root then I have the hassles of all of the
files I create being owned by root unnecessarily,
and then I have to change them all back.

sudo also allows me to get a similar effect to suid, but on
a more restricted basis, via sudoers.

So I dispute your assertion about sudo ONLY being useful
when there are a lot of admins.

Re:Sudo is only useful when there are lots of admi (0, Offtopic)

sinfree (859988) | more than 8 years ago | (#14964416)

I find sudoku to be the most useful... wow, I've really got to stop playing that game.

Re:Sudo is only useful when there are lots of admi (4, Informative)

Joshua Cowan (27300) | more than 8 years ago | (#14964448)

"most admins get so irritated at having to type sudo before every command that they'll just sudo into a shell and be done with it"

The BOFH patch for Bash works well for this scenario.

"For a single-user system, sudo is pointless."

It is an effective way to eliminate root logins and encourage least privilege practices.

Re:Sudo is only useful when there are lots of admi (4, Informative)

Flwyd (607088) | more than 8 years ago | (#14964534)

I'm the only user on my Linux laptop. My password is dead simple; I'm not worried about security -- the most likely people who might try to do something to my computer are other developers in my company, and they probably have a good reason.

However, I never run sudo su. Why? Being forced to type "sudo" in front of potentially dangerous commands forces me to think a second time and make sure I'm not doing something stupid. If I type rm -r * and get prompted that I don't have access, you bet I'm going to double check to see if I'm in the right directory.

Re:Sudo is only useful when there are lots of admi (3, Informative)

goodchef (213729) | more than 8 years ago | (#14964546)

Read the sudo manpage. After you authenticate for the first sudo command, subsequent invocations won't require a password for a set interval of time (default is 5 minutes, unless overridden in /etc/sudoers).

Re:Sudo is only useful when there are lots of admi (1)

eln (21727) | more than 8 years ago | (#14964675)

Yes, I know that. But admins are inherently lazy, and even typing "sudo" before every command is a burden that most don't like to deal with.

Re:Sudo is only useful when there are lots of admi (2, Interesting)

MaoTse (624765) | more than 8 years ago | (#14964584)

That's right.

What many linux aficionados do not realize is there are many much more advanced power user control systems than sudo. My favorite example is RBAC [sun.com] which has, unlike sudo, some corporate/security professional appeal. See there [sans.org]. It is mostly used on Solaris where the integration level is impressive. For example we can make a requirement that some operations can be only performed by two admins (a "two men rule" [sun.com]).

Sure, sudo can also be taken to a much higher level when properly configured, but still ;-)

better way (1)

r00t (33219) | more than 8 years ago | (#14964608)

Keep an xterm open with a root shell.

It'd be nice if this had a distinctive window border. It's possible with fvwm I think.

Better yet, duplicate the GNOME (or KDE) menu as a white-on-red version labeled "root", with all the games and crap greyed out. That's pretty much sudo for a GUI. (per-command stuff in the regular menu is lame, because some commands are useful both as root and as non-root)

Remote management (3, Interesting)

solarbob (959948) | more than 8 years ago | (#14964285)

As part of my day to day crap sudo can really help in running remote commands as root without having to login as root. We've got a few things setup which check system settings from a central node and being able to use a non root user, and then just using sudo /file really just helps keep things under control. Also with sudo you can fine tune which commands are allowed to be run. Overall a really nice toy

This just in: (5, Informative)

djh101010 (656795) | more than 8 years ago | (#14964286)

News flash: Sudo, like many other tools, has a configuration file, which allows you to customize its behavior. Details will be provided as they become available.

C'mon, anyone with even a passing involvement with sudo has looked at the sudoers file. You can configure pretty much any group or role based permission you want; if you can describe it as a logical statement, you can do it in sudo. Yes, out of the box, you can sudo to a shell (or to an app which has a shell escape).

Re:This just in: (1)

tvon (169105) | more than 8 years ago | (#14964464)

This is true, however the default configuration will not be changed for most users so it is justifiable to analyze the security "out of the box" as opposed to "with tweaked by an expert".

Old news and Poorly written (1, Insightful)

bombadillo (706765) | more than 8 years ago | (#14964288)

This is a poor article. It does not provide any solutions to locking down sudo. Oddly enough it is an article for OS X on a site called linuxboxadmin.com. Why not focus on one of the linux distros that use sudo such as Ubuntu?

Must be a slow day for news for nerds. More like news for noobs

Re:Old news and Poorly written (2, Funny)

gEvil (beta) (945888) | more than 8 years ago | (#14964304)

More like news for noobs

Stuff that flatters?

Good Advice (5, Interesting)

Se7enLC (714730) | more than 8 years ago | (#14964289)

This article is good advice for anyone running a unix-like operating system (OSX, Linux, etc). It's not knocking on OSX, just knocking on the default configuration. Sudo is really just a way to allow root access without allowing root logins. The best way to configure it:

  • Root Account with a unique password (not the same as your user account)
  • Sudo requires password to activate (caching is ok, but no automatic access, no keys)
  • Sudo logs all commands
  • Sudo only enabled for specific user accounts
  • Root account has login disabled, ftp/ssh disabled. (using the /usr/bin/false trick mentioned in the article, I use true myself)

Re:Good Advice (2, Insightful)

Dom2 (838) | more than 8 years ago | (#14964620)

One of the key benefits of using sudo, particularly in a single user situation is that it uses your regular password, not some "admin" password you typed in at the install 3 months ago and forgot to write down. This is one reason why both OSX and Ubuntu are using sudo.

Personally, I also like the ability to go back through the logs and see what I've done...

-Dom

Sudo vs. Root? (5, Funny)

Evro (18923) | more than 8 years ago | (#14964291)

The winner is clear! [googlefight.com]

Re:Sudo vs. Root? (1)

towsonu2003 (928663) | more than 8 years ago | (#14964581)

The requested URL /fight was not found on this server.
I guess Mr. Barrett stole that one too?

Sudo or Root? (1)

chad.koehler (859648) | more than 8 years ago | (#14964292)

For usability purposes, sudo is nice because the user only has to enter their own password. However, this can also be detrimental... Users have been socially engineered to just enter their password whenever the box asks for it, and to the "average" user this may mask the fact that they are upping the privileges of the process asking for it... If they had to actually type in (and remember) the actual root password it may be a little more clear.
All in all, I think it's really a matter of personal preference.

Re:Sudo or Root? (0)

Anonymous Coward | more than 8 years ago | (#14964471)

For usability purposes, sudo is nice because the user only has to enter [his] own password. However, this can also be detrimental... Users have been socially engineered to just enter their password[s] whenever the box asks for it, and to the "average" user this may mask the fact that [he is] upping the privileges of the process asking for it... If [he] [has] to actually type in (and remember) the actual root password it may be a little more clear.

How To Become Root on OS X (3, Informative)

Synesthesiatic (679680) | more than 8 years ago | (#14964295)

Last login: Tue Mar 21 10:44:32 on ttyp1
Welcome to Darwin!
Hunter:~ Adam$ sudo su
Password:
Hunter:/Users/Adam root#

This is on an unmodified install....woops I guess that root account wasn't disabled after all!

Re:How To Become Root on OS X (2, Informative)

grahamlee (522375) | more than 8 years ago | (#14964318)

Or sudo -s, for that matter. The root account is disabled insofar as it can't log in - although even that's not quite true...

Re:How To Become Root on OS X (4, Informative)

beelsebob (529313) | more than 8 years ago | (#14964457)

The root account is disabled by having the shadow password set to * - thus you can't enter a valid password for root. If you already are root (as in this case) you don't need to enter a password, and thus it allows you to do the command.

Re:How To Become Root on OS X (1)

Leon_Trotsky (702427) | more than 8 years ago | (#14964523)

Exactly. This was pretty much the first thing I did on my fresh install.

followed quickly by:

#passwd
Not very disabled.

Re:How To Become Root on OS X (0)

Anonymous Coward | more than 8 years ago | (#14964545)

It's disabled as in it has no password associated with it. If you want to enable it, then you are free to.

This is better than Ubuntu, which actually patches out code that requires root access (e.g. in the CUPS web admin), meaning you can never fully enable root if you want to.

Use sudo to revoke root from a single user (5, Insightful)

jrifkin (100192) | more than 8 years ago | (#14964303)

One advantage of sudo occurs when a box has multiple admins, because a single admin can have his root privilege revoked without affecting other admins.

But when you share a root account, revoking privilege from a single admin means that every remaining admin has to learn a new password.

Re:Use sudo to revoke root from a single user (1)

petermgreen (876956) | more than 8 years ago | (#14964384)

I guess it depends on WHY you are revoking the admin's privileges in the first place. If you're just moving them to another group with no hard feelings then I suppose you could argue this. If you're getting rid of them for misconduct you have to seriously consider that they may have installed a rootkit.

2 passwords instead of 1 (1)

Viol8 (599362) | more than 8 years ago | (#14964307)

Ultimately all sudo means is that a cracker has to know
2 passwords to gain access to root on your system if root
itself is disabled - a user password and the root password.
If the cracker has already somehow cracked the root password
then I doubt they'll have much trouble with a user password
which are usually far less secure.

Re:2 passwords instead of 1 (1)

djp928 (516044) | more than 8 years ago | (#14964459)

Uh. Not if you have sudo set up the way it normally is. That is, you only need your own password to get root access, via "sudo su" or "sudo -s".

-- Dave

Re:2 passwords instead of 1 (1)

Viol8 (599362) | more than 8 years ago | (#14964648)

Yeah, you're right. I was thinking of su. Doh.

Re:2 passwords instead of 1 (1)

duffolonious (956722) | more than 8 years ago | (#14964568)

Errr... if you have cracked the root password what the hell do you care about the user password?

Here's how I "crack" the user password when I have root access.

# passwd user
(enter new password)

I am amused by the simplicity of this game. Bring me your finest meats and cheeses.

My favorite sudo command: (4, Funny)

AsnFkr (545033) | more than 8 years ago | (#14964308)

sudo passwd root

Re:My favorite sudo command: (1)

mctk (840035) | more than 8 years ago | (#14964351)

sudo -ku

Re:My favorite sudo command: (1)

repvik (96666) | more than 8 years ago | (#14964593)

I prefer "sudo su" ;-)

Messed up sudoers (3, Funny)

Gopal.V (532678) | more than 8 years ago | (#14964311)

Recently one of my friends edited his sudoers file with the following
admin ALL=(ALL) ALL
Now it is obvious to me that he forgot a % in there. From that point onwards, there was no way we could actually run sudo to be able to edit the file using visudo. Since there is no root account, we couldn't just log in as root to fix this issue. And because of the syntax error, sudo refused to work for any user.

Now, a live CD and a setuid bash executable managed to fix the issue directly, but we learned an important lesson about root-less systems. If you screw up something like the /etc/sudoers, the system is hosed unless you have physical access.

So as much as I use sudo for almost all my UID 0 needs, I think root still needs to live in every box just to safeguard against such simple mistakes which ended up costing more hours than the sudo would've saved.

Re:Messed up sudoers (2, Insightful)

Bake (2609) | more than 8 years ago | (#14964408)

I suppose you could write a small wrapper that creates a backup copy of the sudoers file before editing it. That wrapper then creates an at job to rollback the changes after, say 5 minutes, giving you ample time to verify that the new sudoers file works and remove the at job once testing is complete.
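The wrapper this comment describes, as an added example (not code from the thread). It uses a detached timer process in place of the at job so it also runs where atd is absent; `guarded_install`, `confirm` and the `.bak` suffix are names chosen here, and it is meant to be run as root against the sudoers file.

```python
import os
import shutil
import subprocess
import sys

# Body of the detached rollback process: sleep, then restore the backup.
_WATCHDOG = """
import os, shutil, sys, time
backup, target, delay = sys.argv[1], sys.argv[2], float(sys.argv[3])
time.sleep(delay)
shutil.copy2(backup, target + ".rollback")   # copy2 keeps the 0440 mode
os.replace(target + ".rollback", target)     # atomic swap back
"""


def visudo_check(path):
    """Syntax check only, the same as running `visudo -c -f PATH`."""
    result = subprocess.run(["visudo", "-c", "-f", path], capture_output=True)
    return result.returncode == 0


def _atomic_copy(src, dst, mode_from):
    """Copy src over dst via a temp file so readers never see a partial file."""
    tmp = dst + ".tmp"
    shutil.copyfile(src, tmp)
    shutil.copymode(mode_from, tmp)          # sudoers must stay 0440
    os.replace(tmp, dst)


def guarded_install(candidate, target, delay_s=300, validate=visudo_check):
    """Install candidate over target and return the armed rollback process.

    The old file comes back after delay_s seconds unless confirm() is called.
    """
    if not validate(candidate):
        raise ValueError("candidate rejected; %s left untouched" % target)
    backup = target + ".bak"
    _atomic_copy(target, backup, target)
    # Arm the rollback before the risky change, and detach it from this
    # session so it still fires if the terminal or SSH connection dies.
    watchdog = subprocess.Popen(
        [sys.executable, "-c", _WATCHDOG, backup, target, str(delay_s)],
        stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL, start_new_session=True)
    _atomic_copy(candidate, target, target)
    return watchdog


def confirm(watchdog):
    """Cancel the rollback once a fresh `sudo -l` in another terminal works."""
    watchdog.terminate()
    watchdog.wait()
```

A syntax check alone passes a file that is valid but grants nothing, which is why the rollback is armed even for candidates that validate.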

Re:Messed up sudoers (3, Insightful)

teslar (706653) | more than 8 years ago | (#14964621)

Yes, you could indeed do this.

And in other news, opticians around the globe are surprised to find that hindsight is always 20/20.

:)

Re:Messed up sudoers (3, Informative)

petermgreen (876956) | more than 8 years ago | (#14964417)

Oh yeah, not having physical access (or a serial console) means you have to be VERY careful when touching certain parts of the config. This particular example can be avoided by having another way to get root but there are many others such as iptables, sshd etc

btw you don't need a livecd if you can get to the bootloader prompts, just use init=/bin/bash on the kernel command line and the box will drop straight into a shell. Type exec /sbin/init when you are done to resume normal boot.

Re:Messed up sudoers (1)

Johnny Mnemonic (176043) | more than 8 years ago | (#14964429)


Single user mode. No boot media required.

If you've disabled single user mode, there's not much that can be done. That's the nature of security.

Re:Messed up sudoers (1)

PigleT (28894) | more than 8 years ago | (#14964480)

> If you've disabled single user mode, there's not much that can be done. That's the nature of security.

linux single rw init=/bin/sh

Next? :)

You might also like to keep an alternative such as _super_ installed, against this eventuality.

Re:Messed up sudoers (1)

petermgreen (876956) | more than 8 years ago | (#14964592)

no need for the single option as you aren't about to run init anyway.

Re:Messed up sudoers (1)

stevey (64018) | more than 8 years ago | (#14964483)

Notice the comment at the top of the sudoers file?

"# This file MUST be edited with the 'visudo' command as root."

If you read and follow that advice you'll find you get a warning if you create a bogus file, and you wouldn't get into problems...

Re:Messed up sudoers (0)

Anonymous Coward | more than 8 years ago | (#14964562)

Notice the comment at the top of the sudoers file?

"# This file MUST be edited with the 'visudo' command as root."

If you read and follow that advice you'll find you get a warning if you create a bogus file, and you wouldn't get into problems...

Except that his file had the correct syntax, it just changed admin from group privileges to privileges for a user named admin, which visudo won't catch.
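The check the comment above says visudo does not make, as an added example (not code from the thread): it flags a bare principal that names a group rather than a user, and reports whether any non-root account still holds a rule. The sample file, account data and function names are constructed for illustration; aliases, netgroups and `#uid` entries are skipped.

```python
import re


def parse_user_specs(text):
    """Return [(line_number, [principal, ...])] for each user specification."""
    specs, logical, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not logical:
            start = n
        line = raw.rstrip()
        if line.endswith("\\"):              # continuation line
            logical += line[:-1] + " "
            continue
        stmt, logical = (logical + line).strip(), ""
        if not stmt or stmt[0] in "#@" or "=" not in stmt:
            continue                         # comment, include, or no rule
        if re.match(r"(Defaults|\w+_Alias)\b", stmt):
            continue
        # Grammar: User_List Host_List = ... ; glue "a, b" into "a,b" first.
        left = re.sub(r"\s*,\s*", ",", stmt.split("=", 1)[0]).split()
        if len(left) >= 2:
            specs.append((start, left[0].split(",")))
    return specs


def lint(text, users, groups):
    """users: set of login names; groups: {group name: set of members}.

    Returns (findings, grantees): suspicious principals, and the accounts
    that at least one rule actually matches.
    """
    findings, grantees = [], set()
    for lineno, principals in parse_user_specs(text):
        for p in principals:
            if not p:
                continue
            if p == "ALL":
                grantees |= set(users)
            elif p.startswith("%"):
                if p[1:] in groups:
                    grantees |= groups[p[1:]]
                else:
                    findings.append((lineno, p, "unknown group"))
            elif p[0] in "!+#" or p.isupper():
                continue                     # negation, netgroup, uid, alias
            elif p in users:
                grantees.add(p)
            elif p in groups:
                findings.append((lineno, p, "is a group, not a user: missing '%'?"))
            else:
                findings.append((lineno, p, "unknown user"))
    return findings, grantees


def locks_out(grantees):
    """True when no account other than root can use sudo any more."""
    return not (grantees - {"root"})


def load_accounts():
    """Real account data for use on a live box (the demo uses constructed data)."""
    import grp
    import pwd
    users = {u.pw_name for u in pwd.getpwall()}
    groups = {g.gr_name: set(g.gr_mem) for g in grp.getgrall()}
    for u in pwd.getpwall():                 # primary group is not in gr_mem
        try:
            groups.setdefault(grp.getgrgid(u.pw_gid).gr_name, set()).add(u.pw_name)
        except KeyError:
            pass
    return users, groups


# Constructed sample: the edit described in the thread, and its fix.
BROKEN = """\
# Constructed sudoers sample
Defaults env_reset
root  ALL=(ALL) ALL
admin ALL=(ALL) ALL
"""
FIXED = BROKEN.replace("\nadmin ", "\n%admin ")
USERS = {"root", "alice"}                    # constructed accounts
GROUPS = {"admin": {"alice"}}

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        findings, grantees = lint(text, USERS, GROUPS)
        print(name, findings, sorted(grantees), "LOCKOUT" if locks_out(grantees) else "ok")
```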

Re:Messed up sudoers (1)

Englabenny (625607) | more than 8 years ago | (#14964516)

1. He should have used visudo
2. On OS X, press cmd-S at boot and you enter single user mode. Mount fs writable, edit file, reboot.

Re:Messed up sudoers (4, Insightful)

cloudmaster (10662) | more than 8 years ago | (#14964606)

In addition to the other comments about using visudo (which respects the EDITOR env. variable, so if you really wanna use pico or whatever, just run "EDITOR=pico visudo"), you should always leave an active shell running when you're editing something that could potentially break login access. Editing the main authentication scheme in pam.d/? Editing sudoers? Changing nsswitch.conf around? Make sure that you already have a root shell open in another terminal - either another xterm, a virtual console, or something else. Save your changes, make sure they worked, and if not, you can usually use the already-open root shell to change it back.

Yes, this is the voice of experience with breaking just about everything at some point or another - it's how you learn. Well, it's one way *I* learn, anyway. :)

The best way to secure the root account... (5, Funny)

aurb (674003) | more than 8 years ago | (#14964315)

...is to choose a really difficult password and forget it. This will secure the box from its worst enemy - yourself.

Re:The best way to secure the root account... (1)

Yosho (135835) | more than 8 years ago | (#14964414)

Er... that's really no different from just disabling the root account, except for the fact that a potential cracker could use a brute force attack to guess the password.

Re:The best way to secure the root account... (1)

aurb (674003) | more than 8 years ago | (#14964463)

Yes, but with this technique and with no sudo, there's no way of reenabling the root account. So it's safer.

Re:The best way to secure the root account... (1)

Arimus (198136) | more than 8 years ago | (#14964468)

Er... go out and look for a sense of humour ;)

Problem with both sudo and Root (3, Insightful)

Lussarn (105276) | more than 8 years ago | (#14964316)

When your normal user has his mind set on performing a specific task (such as installing the newest spyware-ridden p2p-downloader) you can pop up a big red button and name it "explode", the user will press it if he thinks it will get him closer to performing the task. Putting up a dialog and asking for the root password is for normal users only an obstacle to get by. They don't know what it means, but they know how to get by it (by inserting the password).

Don't know any way of solving this except for training though. Or possibly making it IMPOSSIBLE to do certain tasks. But that's no good solution.

No it's not a mystery (4, Insightful)

doomy (7461) | more than 8 years ago | (#14964320)

Every other command after starting a root shell does NOT get logged at all. All you can tell from this is when someone started the root shell. Whatever happened after that is a mystery.


All that is in bash history for the root user. And anyone who knows how to clean that can clean the log as well.
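Detection for the blind spot described above, as an added example rather than code from the thread: it scans sudo's syslog records for commands that hand out an interactive root shell, the point after which per-command logging stops. The log lines are constructed in sudo's classic syslog layout, and the shell and editor lists are assumptions to extend locally.

```python
import os
import re
import shlex

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
# vi, vim, less and more each offer a "!" shell escape.
ESCAPES = {"vi", "vim", "less", "more"}

# "Mar 21 10:44:40 host sudo:   user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<rest>.*)$")


def classify(command):
    """Return 'root-shell', 'shell-escape' or None for a logged COMMAND."""
    try:
        argv = shlex.split(command)
    except ValueError:                       # unbalanced quotes in the log
        argv = command.split()
    if not argv:
        return None
    prog = os.path.basename(argv[0]).lstrip("-")
    args = argv[1:]
    if prog == "su":
        # "su -c cmd" runs one command; anything else is a login as root.
        return None if "-c" in args else "root-shell"
    if prog in SHELLS:
        # Interactive only when there is no -c and no script argument.
        only_flags = all(a.startswith("-") and a != "-c" for a in args)
        return "root-shell" if only_flags else None
    if prog in ESCAPES:
        return "shell-escape"
    return None


def find_root_shells(lines):
    """Return [(timestamp, user, kind, command)] for accepted commands run
    as root that give the caller an unlogged shell."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        rest = m["rest"]
        # Assumption: an accepted command's record starts with TTY=;
        # denials and failed passwords carry a message before it.
        if not rest.startswith("TTY="):
            continue
        target = re.search(r"\bUSER=(\S+)", rest)
        cmd = re.search(r"\bCOMMAND=(.*)$", rest)
        if not target or not cmd or target[1] != "root":
            continue
        kind = classify(cmd[1])
        if kind:
            hits.append((m["ts"], m["user"], kind, cmd[1]))
    return hits


# Constructed log lines (host and user names are made up).
SAMPLE_LOG = """\
Mar 21 10:44:40 mac1 sudo:    alice : TTY=ttyp1 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/su
Mar 21 10:50:02 mac1 sudo:    alice : TTY=ttyp1 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/ls /var/root
Mar 21 11:02:13 mac1 sudo:      bob : TTY=ttyp2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar 21 11:05:45 mac1 sudo:      bob : TTY=ttyp2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c /usr/local/bin/backup.sh
Mar 21 11:09:30 mac1 sudo:      bob : TTY=ttyp2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Mar 21 11:12:00 mac1 sudo:    carol : command not allowed ; TTY=ttyp3 ; PWD=/Users/carol ; USER=root ; COMMAND=/bin/bash
Mar 21 11:15:10 mac1 sudo:      bob : TTY=ttyp2 ; PWD=/tmp ; USER=www ; COMMAND=/bin/bash
"""

if __name__ == "__main__":
    for ts, user, kind, command in find_root_shells(SAMPLE_LOG.splitlines()):
        print(ts, user, kind, command)
```

Shipping these records to a remote log host addresses the second half of the comment, since a root shell on the box can edit local logs as easily as the shell history.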

SUDO is flawed (0)

Anonymous Coward | more than 8 years ago | (#14964329)

The principal idea of Sudo is flawed! It works with ~ 10 user accounts, but if you have, say 30 - 100 accounts then you are likely to have misconfigurations, because it becomes a tedious job to maintain the access configuration file. I've seen this happen many times - unauthorized users accessing files they should have no right to access.

Re:SUDO is flawed (1)

Homestar Breadmaker (962113) | more than 8 years ago | (#14964575)

Yeah, I guess maybe people with severe brain damage shouldn't be configuring sudo.

This says it all. (1, Funny)

Anonymous Coward | more than 8 years ago | (#14964337)

Bullshit! A real administrator is always logged in as root - it's CRAP administrators that aren't! [theregister.co.uk]

I run as root at all times. Argue with me at your own peril!

Classic!!! (0)

Anonymous Coward | more than 8 years ago | (#14964368)

nohup cd /; rm -rf * > /dev/null 2>&1 &

Ctrl+D
LOL!!!

root == laziness (1)

LinuxRulz (678500) | more than 8 years ago | (#14964348)

Everyone will agree that the less you use your root account, the less vulnerable your system is. People are lazy. If they can su and do everything as root, they tend to do so. However if you "block" the root account and force the user to use sudo and type in their pass each time, they tend to use less root, thus increasing the security.

sudo hmmm (1)

towsonu2003 (928663) | more than 8 years ago | (#14964365)

sudo -> Ubuntu -> ??

Re:sudo hmmm (0)

Anonymous Coward | more than 8 years ago | (#14964481)

Profit?

config config config (1)

devlp0 (897273) | more than 8 years ago | (#14964370)

sudo is the most secure way of allowing certain users root privileges to all or some system commands WHEN CONFIGURED PROPERLY. "man sudoers" shows you can do a lot with sudo and restrict users/groups as much as you want. Since coming across sudo, I have disabled root accounts on all boxes I have used. It rocks.

Re:config config config (1)

sn0wcrsh (157693) | more than 8 years ago | (#14964395)

um... like sudo tcsh... rock on.

Security Schmecurity. (0)

Anonymous Coward | more than 8 years ago | (#14964389)

Just expect script with ssh to root shell and script away.
Nobody expects hardtyped root passwd in user scripts.

ubuntu (1)

LadyNik0n (729059) | more than 8 years ago | (#14964391)

Ubuntu also does this as well.

Sudo more secure? (2, Insightful)

smoor (961352) | more than 8 years ago | (#14964396)

I'm just a part time sysadmin, so I don't know the nitty gritty, but it was beat into my head to use sudo instead of root simply so that I wouldn't "forget" I was in root and do something stupid...

There is no reason (usually) to be logged in as root, and that anything I need to do as root I could do using sudo. It seems to me that you hack with sudo just as easily as with root...

Ubuntu (3, Interesting)

towsonu2003 (928663) | more than 8 years ago | (#14964400)

I guess most of the things in that article apply to Ubuntu (root disabled, sudo-only access to root privileges) as well. I wonder how Ubuntu devs and users feel about this.

Sudo is a tool not the entire solution (1)

johnjaydk (584895) | more than 8 years ago | (#14964427)

Sudo provides a number of features:

  1. Issue commands as root with the sudo prefix (and some password checking)
  2. Logging of commands issued using sudo.
  3. Handout of semi-root permissions to assistant operators (PFY's ?)

The first one is all about convenience. It makes it easy to be logged in as regular user and issue root commands as needed. This lessens the incentive to be logged in as root all the time and thereby can reduce the risk of accidentally issuing unfortunate commands as root.

The second is a help to figure out what went wrong in case you need to un-fsck the system after an accident.

The part about handing out semi root to PFY's is really the least interesting part about sudo. Either you trust people or you don't.

I agree that sudo becomes a hassle when you need to perform surgery but for daily tasks it's really great. If you need to be root all the time then there is something really wrong with your setup.

Re:Sudo is a tool not the entire solution (4, Informative)

Hieronymus Howard (215725) | more than 8 years ago | (#14964591)

4. Allowing non-human users (e.g. www) to execute a strictly limited set of commands as root.

For example, I have this command in my sudoers file:

www ALL = NOPASSWD: /sbin/ipfw add 2000 deny ip from [0-9.]* to any in

This allows apache to use /sbin/ipfw to add the ip addresses of script kiddies to the firewall. Note that only adding addresses to one particular rule (in this case rule 2000) is allowed - any other usage of ipfw will fail.
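The wildcard in a rule like the one above is a shell-style glob, not a regular expression: sudoers compares the command's arguments as one concatenated string, so `[0-9.]*` means one digit or dot followed by anything. The following added example (not the commenter's code) approximates that matching with Python's `fnmatch` over constructed inputs and contrasts it with a strict check that a wrapper script could apply; `build_ipfw_argv`, the loopback policy and the sample argument lists are assumptions made for illustration.

```python
import fnmatch
import ipaddress

# Argument pattern from the sudoers rule quoted in the comment above.
SUDOERS_ARGS = "add 2000 deny ip from [0-9.]* to any in"

def sudoers_args_match(argv):
    """Approximate sudoers argument matching: the arguments are joined
    into one string and compared with a shell-style glob."""
    return fnmatch.fnmatchcase(" ".join(argv), SUDOERS_ARGS)

def build_ipfw_argv(addr):
    """Hypothetical wrapper logic: accept exactly one IPv4 address and
    return the fixed ipfw argument vector, or raise ValueError."""
    ip = ipaddress.IPv4Address(addr)  # rejects anything but a dotted quad
    if ip.is_loopback or ip.is_unspecified:  # assumed policy, not from the page
        raise ValueError(f"refusing to block {ip}")
    return ["/sbin/ipfw", "add", "2000", "deny", "ip",
            "from", str(ip), "to", "any", "in"]

# Constructed inputs (not taken from any real log).
SAMPLES = [
    ["add", "2000", "deny", "ip", "from", "203.0.113.7", "to", "any", "in"],
    ["add", "2000", "deny", "ip", "from", "9", "EXTRA", "TOKENS", "to", "any", "in"],
    ["add", "2000", "deny", "ip", "from", "1.2.3.4.5", "to", "any", "in"],
    ["delete", "2000"],
]

def audit(samples=SAMPLES):
    """Return (glob_allows, strict_allows) for each sample argv."""
    results = []
    for argv in samples:
        glob_ok = sudoers_args_match(argv)
        try:
            # Strict form: exactly nine tokens with a valid address in slot 5.
            strict_ok = len(argv) == 9 and build_ipfw_argv(argv[5])[1:] == argv
        except ValueError:
            strict_ok = False
        results.append((glob_ok, strict_ok))
    return results

if __name__ == "__main__":
    for argv, (g, s) in zip(SAMPLES, audit()):
        print(f"glob={g!s:5} strict={s!s:5} {' '.join(argv)}")
```

Granting the service account a single wrapper that performs the strict check, rather than a glob over the real command's arguments, keeps the validation out of the pattern language.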

Re:Sudo is a tool not the entire solution (0)

Anonymous Coward | more than 8 years ago | (#14964613)

The part about handing out semi root to PFY's is really the least interesting part about sudo. Either you trust people or you don't.

That seems an ignorant statement and ignores the principle of least privilege. Give people only what is required for them to efficiently do their job.

I have gone so far as to mandate that sudo access should never be configured for command shells and anything that might yield a command shell. The point of sudo is to allow a user to run a set of commands as root - not to hand over the keys to the kingdom.

I found it informative. (1)

Thaidog (235587) | more than 8 years ago | (#14964430)

My box has ssh enabled, but it is only my box and I have not granted anyone access to it. My admin account has access via ssh but ssh is configured not to allow root logins. Also, the root account is disabled for the large majority of the time.

Even though I feel that this should be sufficient, it troubles me that the sudo feature is enabled as the article implies by default. I think it makes much more sense that you need the root password for su and sudo access. I think that possibly adds another layer of security to the system.

Re:I found it informative. (0)

Anonymous Coward | more than 8 years ago | (#14964588)

I hate guys speaking about their "box" :-)

That's an Interesting Pickle (1)

Greyfox (87712) | more than 8 years ago | (#14964438)

If Apple made an administrative account in sudoers and a non-admin one without it, most users would probably just run as the administrative account anyway. Sudo's reasonable, but most people will blindly enter their password when prompted for it. It took me years to get my room mate conditioned to ask me whenever the computer asks her something she doesn't understand. To be really secure, you should usually run as a user that has no way to write to system directories. Apple (or maybe BSD) does a really good job of keeping admin tasks separate and still doing things like setting up the network and stuff like that. Most of the time there's no reason why a user would ever need admin access.

If you make the effort to go beyond Apple's default security you'll reduce your potential exposure to any malware that might ever be written for the platform.

Here's the Score (4, Interesting)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#14964601)

By default OS X machines use the same password for sudo commands as they do for the regular user account. If you are more concerned about security than the average bear (or OS X user) you can change the password or you can disable sudo altogether and enable the root account with a different password. All of this is good info for those interested in security, but who are still learning.

From this article I predict a number of people knocking this default setup and then a rehash of the old argument as to what the default should be. I contend that it is probably the correct default. OS X is a workstation not a server. It is designed for normal users. Having two passwords (heck having even one) is a usability issue for many users. People are confused by the whole concept of passwords and many have trouble remembering even one. Further, setting a second password only slightly increases the difficulty for a competent cracker. The truth is, there will be local escalations for the foreseeable future. OS X is not a super-locked-down server.

Basically, for the average user, a second password gains them very little except confusion. For more advanced users, well they can change the defaults, as many do. Maybe the only issue here is the in-between people. Those are the people targeted by this article. Those that might want to change the defaults if they knew about the issue and how to do it. Maybe this configuration should be made a little easier, or even incorporated as an option in the install process.

This default bears revisiting should Apple ever move to a more locked-down system. Maybe when users are accustomed to application-specific privileges they should also be introduced to a more layered security scheme. For now, though, I think the usability issue outweighs the security one.

Personal Feeling (1)

matth (22742) | more than 8 years ago | (#14964603)

I don't like SUDO. If someone has figured out my account password, and gotten through all other layers of protection.. I want them to have to figure out the root password.. not just sudo and enter my password again.

Same reason I don't allow root login through SSH and why I firewall the SSH ports on my machines.

sudo -s (1)

oglueck (235089) | more than 8 years ago | (#14964625)

I never used "sudo -s" but always "sudo bash" on systems that allowed it. Because prefixing all commands with sudo was annoying...

Quick Solution to sudo abuse (1)

maynard (3337) | more than 8 years ago | (#14964641)

Just use your handy editor, emacs, vi, Microsoft Word - whatever - to remove that pesky user "root" and its "UID 0" from /etc/passwd then update the netinfo database. Reboot Mac. Problem solved!

Painful. (1)

lady*seven (962622) | more than 8 years ago | (#14964645)

This article truly was less-informed than I thought it would be. There's some sysadmin principle based on this logic though; if access is available in any way, it's a security hole. sudo is perhaps the most secure of the holes, though; it provides a control over access that you can't have with the wheel group or giving out the root password. also, I'm fond of the following:
scarlet@glimmer:/home$ sudo cd shel
Password:
sudo: cd: command not found

Requiring root password? Isn't that bad? (1)

TekGoNos (748138) | more than 8 years ago | (#14964652)

Then, you can force sudo to require the root password

Huh? I thought one of the strengths of sudo (over su) was that you DON'T have to give out the root password to every user that needs some administration powers.

Of course, if the root account is completely disabled and the root password is ONLY used to authenticate against sudo, it's slightly less of an issue, but even then I don't think it's better than requiring the user password.

Example :
admin Alice has all powers (can sudo a shell)
admin Bob can only edit httpd.conf and restart apache

Alice forgets to close his session (but did close all root-shells) and Bob walks by his machine. He types in sudo in a terminal. If sudo asks for Alice's password, Bob has to guess it. If however, sudo asks for the root password, Bob knows it and can gain a root shell.

OTOH, it forces an external attacker to guess/acquire 2 different passwords, but this can be solved differently. If Bob tends to choose weak passwords, this can be solved by rejecting weak passwords (for admin users) right away. And if admin B gives out his password to whoever asks ... well, if he knows the root password, he will give that out too, so an attacker that can acquire 1 password from Bob will be able to get a second one too.

Bottom line : Requiring a root password for sudo seems like a stupid idea.

Old, but valid news (2, Insightful)

dnamaners (770001) | more than 8 years ago | (#14964687)

This "problem" has been around a while and is not really a Mac OS X problem. In short, poorly configured systems are less secure, imagine that. I can make myself type 3 or 4 different passwords to get to sudo or root; will this make me more secure, perhaps. However I guarantee that if Apple did this the first thing every user would do is enable root, or otherwise make it more sane and easy to administer the system. If by some greater decree they made it impossible to do this, fewer people will want such a system, as it will make them harder to use. Whatever you do, if you have boot, you have "root" (or at least root-like access). In short it is possible to layer on many levels of security over the "root" access of a system but is this actually wise?

I don't use much OS X but I do use Linux quite a bit. When I set up my machines, of course I use root access, lazy heck no. I have hordes of little tweaks and such to perform, packages to install, things to edit and permissions to set. If I had to use sudo, my first command would be to open a root bash shell. As for security, a new system is not accessible to the outside, that's it. After a system is up and running, I tighten things up.

First thing, as mentioned, is to disable root access by ssh. Of course, use public keys instead of passwords where possible. However why not go a simple step further, and the article missed that. Most of my accounts, and certainly all those accessible with ssh, don't even need the privileges to use sudo or su to root at all. In fact in most cases my externally accessible shell accounts have a very limited set of commands they can run, simply because shell access is so insecure to begin with (hello gcc under remote shell users). I feel that this is clean and efficient and not a real pain to set up.

If you are paranoid and want a 2nd password for "root" access, use such a limited user for all users, then make a second account that may use sudo or root and log the heck out of it. Make each prospective admin su to that first. In the end, it's only how much security is reasonable that wins. If you need more, unplug the box and lock the thing up in a closet to prevent physical access by lock key, this too can be broken...

When a pack of wolves hunt a herd of sheep, as a sheep you need not outrun the wolves to be safe, only the slower sheep. These slower sheep (aka windows) are generally quite a bit slower these days than you (OS X). However, this all depends on the number of wolves you keep (or allow) on your networks... If you can't generally trust your users you have other problems.

What's the point? (0)

Anonymous Coward | more than 8 years ago | (#14964688)

I really don't see how sudo makes things any more secure. It's really just a shared root account.

People tell me that it protects from viruses if you log in as a normal user and only sudo when you need to install software, but surely a virus is capable of modifying your PATH to run a custom binary when you type 'sudo', capturing your password, and gaining privileges that way?

People tell me that you can only give root access for particular commands, but anybody with an ounce of intelligence can use that to gain privileges. sudo make install? Nope, you can just write a Makefile to create a root shell. sudo apt-get? Just create a package that has a root shell in it. And so on.

All the advantages for security that sudo is touted to have seem like they are completely illusory to me. Where's the real advantage to using sudo?
