[HanoiLUG] Ubuntu-sudo usage..

David Favro hanoilug at meta-dynamic.com
Thu Jan 4 14:43:22 ICT 2007


Steve wrote:
> david wrote
>> In the old days, an unauthorized user as root could steal/destroy the
>> data of all users, as well as bring the system down, but as an
>> unprivileged user, could only steal/destroy that one user's data.  But
>> now, there only *is* one user.
> Not sure what you mean?  Linux is still just as much a multi-user
> system as it ever was.  The difference is that sudo allows individual
> users to gain elevated permissions without having to share a password
> among everybody.  Note also that sudo's permissions can be very finely
> tuned - you can grant one user permission to run one command only if you
> so wish.
Absolutely.  And the multi-user permissions structure is still as valid
as ever.  What I'm saying is that _in_effect_ many machines are
single-user because they are only ever used by one user (laptops in
particular come to mind).  I'm not saying that every user on every
machine should be ultimately privileged, but it's a common situation of
a 'personal machine'.  Even so, of course we need the powerful
user-permissions model -- different daemons have different privileges,
malfunctions and vulnerabilities can be contained in this way -- and
even 'single-user' machines sometimes are used by others, so I keep a
'guest' account around for people who borrow it.  Not to mention that
not *all* machines are 'single-user', I'm just saying that an increasing
number are.

I'm not a family man (yet), so I hadn't given much thought to David's
point of the family machine -- but I'm not saying either that every user
should be ultimately privileged: my point is that if any given user
knows the root password, they should not need to type it (or any other
password) every time they want to do some sys-admin command (although
they now must guard access to their own ID just as if it were root, of
course).  Other users (the kids, for example), don't have permission to
do sys-admin, so they aren't privileged to sudo non-password to root.  I
suppose that Dad might want to let the kids use his ID for a while
because he doesn't want to change sessions, but doesn't want them to be
authorized to do privileged commands, so he forces himself to
re-authenticate when 'sudo'-ing, but honestly, do you want the kids
mucking with your email either?  It's best to have each user only access
the system when authenticated as themselves.  And once authenticated,
why make them re-authenticate so often?

>> Personally, I always set a root password, and add an entry to
>> /etc/sudoers that allows my 'private' ID to sudo to anything, like:
>> my_user ALL=NOPASSWD: ALL
>> and I have an alias in my .bashrc:
>> alias su="sudo su -"
>> Then I disable all of their 'security' features like disallowing root
>> login from gdm, from ssh, etc. (but I take an additional precaution of
>> disallowing root login via password in ssh, only via PK, and have sshd
>> use a non-default port).
>
> No offense (really) but this does not sound like good security to me.
How so?  I'll change it immediately if you can describe to me exactly
how an actual attack would take place.  Remember I said, I don't see how
you can do *more* damage on my machine as root than you can as me.  Once
you're onto my machine as me, you have access to all my data (and, as I
described, probably can get my own and root's passwords) -- it's all
over!  What more harm is going to come of also being able to be 'root'? 
Correct me if I'm wrong, I'm surely open to other ideas.  But unless you
can explain to me why not, I don't see why I should treat 'root' any
differently than 'myuserid' from a security perspective.

Furthermore:

* You might think that allowing root login from gdm is a vulnerability. 
But you just said that under the Ubuntu scheme, you can 'sudo' to
anything by typing in your own password.  So, if I have your password, I
can log in as you from gdm, then sudo to root using again, your
password.  Furthermore, since I presumably have physical access to your
machine to use gdm (I disable remote logins via gdm), I wouldn't bother
with your password at all but would boot via a live disk.  How am I
wrong?  Exactly how would the attack that you envision take place? 
Someone has casual access to the machine, doesn't know my user-ID (which
is usually easy to discover), but tries to type in a dictionary attack
against root *by*hand*?  Honestly, I want to know why people think this
is a vulnerability -- maybe I've overlooked something.

* You think that allowing root ssh login via public-key authentication
(*not* password) is a vulnerability.  Well, as I said, I don't use the
standard ssh port, this eliminates _very_many_ attacks from the internet
(try it, watch your logs, and you'll see what I mean).  But they can run
all the dictionary attacks they want (hydra, etc.); it will do no good
if you need the PK, not the password.  Like this in your
/etc/ssh/sshd_config:
    PermitRootLogin without-password
So again, describe to me exactly how the attack would take place.  I
don't want to have any vulnerabilities on my machine, so I want to hear
your ideas, but keep in mind, like I said, I also have other security
features in place.

One other thing to keep in mind, the more often you have to type
passwords, the more vulnerable you are to key-loggers (although again,
if you've been compromised that far, it's pretty much all over anyhow).

Cheers,
-- David F.
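The posture David describes above (root over ssh only with a key, password logins off, sshd on a moved port) and the `my_user ALL=NOPASSWD: ALL` sudoers entry, as an added example that is not part of the original thread: a small POSIX sh audit script. The sample sshd_config and sudoers files are constructed here for the demo, and the function names `sshd_opt`, `check_sshd_config` and `sudoers_nopasswd` are choices made for this example, not tools from the thread. It also applies two caveats the message does not mention: sshd takes the first occurrence of a keyword, so a hardening line appended to the end of a file that already says `PermitRootLogin yes` changes nothing, and `PasswordAuthentication no` on its own leaves PAM's keyboard-interactive password prompt open unless that is switched off too.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two configs the thread
# argues about. Assumes POSIX sh + awk only; the sample files below are
# constructed for this example, not copied from any real host.

# sshd honours the FIRST occurrence of a keyword, so the checker must too.
# Usage: sshd_opt <file> <Keyword>  -> prints the value, or nothing if unset.
sshd_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0   { next }
        tolower($1) == tolower(key)   { print $2; exit }
    ' "$1"
}

# Return 0 if <file> gives root key-only access and closes every password
# path, as the post describes; 1 otherwise. Findings go to stdout.
check_sshd_config() {
    cfg=$1; bad=0
    case $(sshd_opt "$cfg" PermitRootLogin) in
        without-password|prohibit-password|no) ;;   # key-only, or root disabled
        *) echo "FAIL: PermitRootLogin is not without-password/prohibit-password/no"; bad=1 ;;
    esac
    [ "$(sshd_opt "$cfg" PasswordAuthentication)" = no ] ||
        { echo "FAIL: PasswordAuthentication is not no"; bad=1; }
    # 'PasswordAuthentication no' still leaves PAM's keyboard-interactive
    # password prompt open unless this is off too (newer keyword first,
    # then the older spelling of the same setting).
    kbd=$(sshd_opt "$cfg" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_opt "$cfg" ChallengeResponseAuthentication)
    [ "$kbd" = no ] ||
        { echo "FAIL: keyboard-interactive (PAM) password auth is not off"; bad=1; }
    # A non-default port cuts scanner noise, as the post says, but it is not
    # an access control, so it only rates a WARN.
    port=$(sshd_opt "$cfg" Port)
    [ -n "$port" ] && [ "$port" != 22 ] || echo "WARN: sshd on default port 22"
    return $bad
}

# Print every sudoers user/group that gets passwordless sudo, like the post's
# 'my_user ALL=NOPASSWD: ALL'. Comments and #include lines are skipped;
# backslash continuation lines are not handled.
sudoers_nopasswd() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        /NOPASSWD:/                 { print $1 }
    ' "$1"
}

# Constructed sample: a stock-style file with a "hardening" line appended
# at the end. sshd already took the first PermitRootLogin, so it is ignored.
weak_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later; has no effect because of the line above
PermitRootLogin without-password
EOF
}

# Constructed sample matching the posture described in the thread.
hardened_config() {
    cat <<'EOF'
Port 2222
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Constructed sudoers sample: the post's entry next to an ordinary admin group.
sample_sudoers() {
    cat <<'EOF'
Defaults        env_reset
root    ALL=(ALL) ALL
my_user ALL=NOPASSWD: ALL
%admin  ALL=(ALL) ALL
EOF
}

demo() {
    for name in weak hardened; do
        f=$(mktemp); ${name}_config > "$f"
        echo "== sshd_config ($name) =="
        if check_sshd_config "$f"; then echo "result: hardened"; else echo "result: NOT hardened"; fi
        rm -f "$f"
    done
    s=$(mktemp); sample_sudoers > "$s"
    echo "== passwordless sudo entries =="; sudoers_nopasswd "$s"; rm -f "$s"
}

demo
```

Run it against a real host with `check_sshd_config /etc/ssh/sshd_config` and `sudoers_nopasswd /etc/sudoers`; the demo only exercises the constructed samples, whose "weak" file is deliberately the shape a hasty edit produces.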
