[HanoiLUG] Ubuntu-sudo usage..
Steve
steve at hivemind.net
Thu Jan 4 16:52:40 ICT 2007
> How so? I'll change it immediately if you can describe to me exactly
> how an actual attack would take place. Remember I said, I don't see how
> you can do *more* damage on my machine as root than you can as me. Once
> you're onto my machine as me, you have access to all my data (and, as I
> described, probably can get my own and root's passwords) -- it's all
> over! What more harm is going to come of also being able to be 'root'?
> Correct me if I'm wrong, I'm surely open to other ideas. But unless you
> can explain to me why not, I don't see why I should treat 'root' any
> differently than 'myuserid' from a security perspective.
Let's back up a little and look at the big picture here.
As root you would be able to trash all the other users on the system.
Now, on your personal computer that no-one else uses, this might not be
an issue, but the assumption that this is always the case is _exactly_
what made Windows so insecure on the PC.
But let's forget root passwords and stopping people from logging in via
login/?dm/whatever for the moment - that's trivial to get around. It's
the old story of if I can touch your machine and you look away for 120
seconds, all I need is a RescueCD and the only thing that will stop me
from reading all your data is an encrypted file system.
That's not the problem, the problem is that you have created the exact
same scenario that allows Windows users to devastate the entire
internet. You have become an admin user with full rights to elevate
your privileges to whatever you want at any time. All it takes is some
weakness in a process running as your user to allow shell commands, a
remote attacker could execute sudo and become root with no further
action, and your reasonably safe Linux box has just become a bot. <I
used to do this auditing networks>
We really really don't want to go there. The real protection with sudo
from remote exploits is that it asks for a password before elevating
privileges and this cannot be bypassed (unless there is a weakness in
pam, but we assume there isn't). For malware to become root on a Linux
box it either has to know your password or root's password and the
majority of malware doesn't know that and is stopped in its tracks
right there. Even with sudo's 5-minute ticket, malware can only do
funky stuff for 5 minutes after you sudo manually, which is a reasonably
small window to do damage in.
Of course all this ignores malware that might be keystroke logging -
that's a separate issue.
Bear in mind that running any large and complex set of software as
root is inherently dangerous if you connect to the net (which I assume
you do). The issue is not what the user might do using the software,
it is what a remote hacker might accomplish by cracking software with
a vulnerability that becomes critical if the software is running with
elevated privileges.
Many vulnerabilities exist through innocuous things like incorrect use
of the tmp filesystem, and there is software that assumes it is not
running as root, ever, because if it were it would be vulnerable.
Running your whole system as the root user is bad news - don't do it.
X _is_ a network-based system, so mistakes can happen ;-)
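As an added example (not from the list post, and not Ubuntu's own configuration), here is a small POSIX shell audit for the point the reply makes: it flags sudoers rules that elevate without a password and reports the credential ticket lifetime that bounds the "5 minutes after you sudo" window. Both sudoers fragments are constructed for the demonstration; the function names are mine.

```shell
#!/bin/sh
# Constructed sudoers fragments (not taken from the list post).
# WEAK is the passwordless-admin setup the reply warns about: a shell
# obtained through any bug in the user's session reaches root without
# further interaction.  HARDENED keeps the password prompt and shortens
# sudo's default 5-minute credential ticket to 1 minute.
WEAK_SUDOERS='
Defaults env_reset
root   ALL=(ALL) ALL
%admin ALL=(ALL) NOPASSWD: ALL
'
HARDENED_SUDOERS='
Defaults env_reset
Defaults timestamp_timeout=1
root   ALL=(ALL) ALL
%admin ALL=(ALL) ALL
'

# strip_sudoers: drop comments and blank lines from the sudoers text on stdin.
strip_sudoers() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d'; }

# nopasswd_rules: print every rule in "$1" that elevates without a password.
nopasswd_rules() {
    printf '%s\n' "$1" | strip_sudoers | grep -E 'NOPASSWD[[:space:]]*:' || true
}

# ticket_minutes: print the effective timestamp_timeout of "$1"
# (sudo's built-in default is 5 when no Defaults line sets it).
ticket_minutes() {
    t=$(printf '%s\n' "$1" | strip_sudoers \
        | sed -n 's/^[[:space:]]*Defaults.*timestamp_timeout=\([-0-9][-0-9]*\).*/\1/p' \
        | tail -n 1)
    printf '%s\n' "${t:-5}"
}

# audit_sudoers: report on "$1"; return 1 if any rule is passwordless.
audit_sudoers() {
    rc=0
    found=$(nopasswd_rules "$1")
    if [ -n "$found" ]; then
        printf 'WARN passwordless rule(s):\n%s\n' "$found"
        rc=1
    fi
    printf 'INFO credential ticket lifetime: %s minute(s)\n' "$(ticket_minutes "$1")"
    return $rc
}

audit_sudoers "$WEAK_SUDOERS" || echo 'weak config rejected'
audit_sudoers "$HARDENED_SUDOERS"
```

Run it against `/etc/sudoers` and `/etc/sudoers.d/*` contents (for example `audit_sudoers "$(cat /etc/sudoers)"`) to check a real box the same way.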