[HanoiLUG] Ubuntu-sudo usage..

David Favro hanoilug at meta-dynamic.com
Fri Jan 5 09:29:48 ICT 2007


Well, I can see that I've started a "holy war" and I'm afraid I may not
have the stamina to finish it, so let's go another round or two and then
agree to disagree...

Steve wrote:
> Problem is that you only think about your own data and your own user.
> Your data is probably not important to many people. (This sounds harsh,
> but it is reality)
Not harsh at all -- I sincerely hope you are correct.  Should I ever
become "p0wned" (slang for a machine which is compromised on an ongoing
basis, usually for sending spam or launching DDOS's), I would be
delighted if the intruder ignores my data!
> Most crackers are not interested in your data, they
> are interested in your resources; the computer, your Internet
> connection.
And I can do almost anything that I want to exploit those resources as
"your_user_id" -- no need to be root.
> The majority of compromised machines are used as jumping points to get
> to bigger fish, or to send spam, or viruses, etc.
If I p0wn your machine as "youruserid", I can turn it into a
spam-spewing, virus-propagating, bot-box with no need for root access. 
And if you are someone who routinely does sysadmin by typing in a
password to authenticate, the simple 1-line shell-script that I
previously proposed will probably give me your root/privileged password
in a few hours anyhow.
> The difference between getting access as a normal user and root is that
> if you get root access, you can install your own little backdoors and
> apps that are used to scan the network for other vulnerabilities, or send
> out spam or do whatever.
I don't need to be root for most of that, with a few exceptions like
certain types of scans and DDOS's that require raw sockets. And I don't
need to modify apps to change their behavior.  Does every component of
your executable-search-path have root-only access?  How about your
.bashrc?  Your desktop config app-launching files?  I can make you
unknowingly run lots of software on an ongoing basis without being root.
> As root the cracker can install a rootkit
This is correct.  But you are not understanding (well, I guess,
understanding but not agreeing with) my point that a cracker on your
machine as *you* is already *much* too bad.  I see getting rooted (slang
for having a rootkit installed) as about 1% more damage than having
someone p0wn my box as *me*.  I can do most of my evil work before you
will notice that I am on your machine even if I don't install a
rootkit.  Do you run tripwire?  If I modified your .bashrc, .xinit, etc.
-- how long before you noticed (answer honestly)?  Rootkits are fun
stuff, but not a part of most exploits.

There's nothing wrong with multiple layers of security, such that one
mitigates the damage done when another is penetrated, but in general, I
think many security professionals have a greatly mistaken idea of how
these should work: as an example, have you ever worked on your house's
plumbing?  Suppose you have a leaky shut-off valve in the supply line
such that even when shut off, it still lets a slow drip of water through
(a common problem for old valves), so you shut off another valve further
along in the system (in "series" with the first), then another.  You can
have ten valves in a row, each of which, when shut off, has a little
"drip drip drip" leak, yet you get exactly the same problem as if you
only had one turned off: a little water seeping in as you are working on
the pipes.  The only way to stop the water is to have one valve that
*completely* shuts off; and once you have that one valve, the others are
not necessary, although they do mitigate the problem should the one
working valve malfunction.

Likewise, with computer security, multiple layers of security which
reduce the damage of a breach of the other layers only work well if
there is no breach at all, and this is only possible if there is one
layer which is *not* breached.  So I feel that it is proper to focus
most of our efforts on reinforcing that layer.  For me, this means
keeping crackers out of my box *entirely*, and especially not as *my*
user-ID!

Many corporate system-administrators, on the other hand, seem to think
that putting enough leaky layers of security (and usually ones that they
don't really understand, but just heard that "it's a good idea") in
series will prevent exploits, but usually they don't; instead, so
many layers on top of each other restrict users' abilities to do their
jobs.  Of course, that's a different situation from the "personal
machine" that I've been describing, but it often annoys me.

Of course, I know that you don't propose to open your box to all comers
as the unprivileged ID and *only* protect root, but I firmly believe
that in the case of the typical "personal" machine, the amount of damage
that a cracker can do as the main user-ID is so high as to render any
additional damage done by rooting the box negligible by comparison.

> Most compromises are not reached by using a user's
> password.  Vulnerabilities in software running on the machine are used to
> get access.  So, if that software is running as root, then the cracker
> immediately has root access and can set up your machine to be his/her
> slave.
Right, and I'm 100% for keeping daemons running as their own
unprivileged user-IDs (and chroot'ed when possible).  But *much* more
effective is to build software that doesn't have such vulnerabilities
(to the extent possible, and we aren't even close to utilizing the
available techniques for this -- just look at the code of your favorite
FLOSS app, chances are it is full of spaghetti, copy-and-paste code full
of opportunities for buffer-overflows, etc.  Proprietary software is
just as bad -- I know, I've worked on lots of it).

Unfortunately, I believe that the number 1 malware propagation vector
now is users clicking on email attachments, which is more like a
"vulnerability in users", but anyhow...
> The more complex software is, the more chance of having vulnerabilities,
> that is why you *NEVER* run a GUI desktop system as root.  Desktop
> software is the most complex.
> You run your Desktop as a normal user and su or sudo to root when you
> need to.
99.9% of the time, yes.  But there are rare times when I run a desktop
as root.  Your emphasis on how important you think not running as root
is shows how little importance you place on getting compromised as
"my_user_id".  If, as I do, one thinks that the damage inflicted by
getting compromised as "my_user_id" is enormous (and remember, in
addition to exploiting/trashing my data, it includes almost everything
that you describe as malware, like spam-bots, most types of network I/O
that don't require raw sockets, etc.) -- and if, as you do, one thinks
that desktop software is highly vulnerable, the advice should be: "don't
run complex desktop software at all", not "don't run complex desktop
software as root".

And, I think that a typical personal-machine user, if made to
understand the issues, would agree with me that the damage if
compromised as root is only very slightly more than what is done as his
own user ID.
> I normally disable root access via ssh as this just gives you another
> added level of security.  It just makes it that much more difficult to
> get in.
How?  How are you going to get into my machine as root on my sshd with
PermitRootLogin=without-password?  I just don't see it happening unless
you've already compromised another one of my machines, in which case
huge amounts of damage are already done and there will be many other
ways of getting into the second machine anyhow (e.g. PK-login with the
unprivileged ID).  So, how?  I will turn it off in a second (I'm not
kidding) if you can explain the attack for me.  But just saying that it
makes it harder to get in has as much validity as saying that painting
the box green makes it more secure.  Details, please.

Furthermore, it once again shows that you don't place sufficient
importance on the problem of getting compromised as my_user_id -- there
is an implication that having someone get in as root is orders of
magnitude worse: otherwise, you would say, "disable sshd entirely"
(which is exactly what my laptop automatically does on boot-up when it
detects that it is on a public network, but this is mostly to save
resources since I don't need it, rather than for security -- although it
does also qualify as an "extra layer").

> Also note that there is always a balance.  You have to balance your
> security with practicality and usability.
Here, we agree 100%!!! :-)
> But, don't get confused with the Microsoft version of usability that
> means that any user can do anything on the machine.
The fact that most Microsoft users run the desktop as a privileged user
is problematic, but it is only a part of the problem. Much worse is the
fact that their code contains so many vulnerabilities to begin with (and
they are so slow to patch them).  Many of the bot-nets can be run as an
unprivileged user.

OK, that's my opinion, give me your best shot, and then maybe let's use
our keystrokes for other things, like coding... and maybe at the next
meeting, we can discuss it over a beer! :-)

Cheers,
David F.
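The user-level persistence David describes above (a user-writable directory on the executable search path, an edited .bashrc, a desktop autostart entry) can be audited from the shell without any privilege at all. The script below is an added example, not code from the original post or from either participant: the sandbox it builds is constructed to reproduce that attack, and the startup-file names and the list of password-taking tools it looks for are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit the persistence surface
# an intruder running as *your* unprivileged user-ID can abuse, namely
# writable $PATH components, ~/.bashrc and desktop autostart files.
# The sandbox built by make_sandbox is constructed for the demonstration;
# the file names and tool list below are this example's assumptions.

# Print each directory on a PATH-style string (arg 1) that the current user
# can write to. Whoever can write here can drop a "sudo" or "ssh" wrapper
# that records the password and then runs the real binary.
# Caveat: run as root, -w is true for every directory, so run this as the
# user whose environment is being audited.
writable_path_dirs() (
    IFS=:
    for d in $1; do
        [ -z "$d" ] && d="."            # an empty component means "cwd"
        if [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
    true
)

# Print executables in writable PATH directories (arg 1: PATH string) whose
# names collide with tools a user types a password into (assumed list).
suspect_wrappers() {
    writable_path_dirs "$1" | while IFS= read -r d; do
        for name in sudo su ssh passwd gksudo; do
            if [ -x "$d/$name" ]; then printf '%s\n' "$d/$name"; fi
        done
    done
    true
}

# Print shell and desktop startup files under a home directory (arg 1)
# modified within the last N days (arg 2): the files an intruder edits to
# get code run at every login without touching anything root-owned.
recent_startup_files() {
    home=$1
    days=$2
    for f in "$home/.bashrc" "$home/.profile" "$home/.bash_profile" \
             "$home/.xinitrc" "$home/.xsession" \
             "$home/.config/autostart"/*.desktop; do
        [ -e "$f" ] || continue
        if [ -n "$(find "$f" -mtime -"$days")" ]; then
            printf '%s\n' "$f"
        fi
    done
    true
}

# Build a constructed sandbox reproducing the attack and print its path:
# a writable bin/ holding a fake "sudo", a .bashrc that prepends it to
# PATH, and a fresh autostart entry. Nothing in it logs anything.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/bin" "$sb/home/.config/autostart"
    printf '#!/bin/sh\n# stand-in for a wrapper that would record the password and exec the real sudo\nexit 0\n' \
        > "$sb/bin/sudo"
    chmod 755 "$sb/bin/sudo"
    printf 'PATH=%s/bin:$PATH\n' "$sb" > "$sb/home/.bashrc"
    printf '[Desktop Entry]\nType=Application\nName=updater\nExec=%s/bin/sudo\n' "$sb" \
        > "$sb/home/.config/autostart/updater.desktop"
    printf '%s\n' "$sb"
}

# Stand-alone run: audit the sandbox, then the account running the script.
sb=$(make_sandbox)
echo "sandbox writable PATH dirs:";  writable_path_dirs "$sb/bin:$sb/missing"
echo "sandbox suspect wrappers:";    suspect_wrappers "$sb/bin:$sb/missing"
echo "sandbox recent startup files:"; recent_startup_files "$sb/home" 1
rm -rf "$sb"
echo "this account, writable PATH dirs:"; writable_path_dirs "$PATH"
echo "this account, suspect wrappers:";   suspect_wrappers "$PATH"
echo "this account, startup files changed in 7 days:"; recent_startup_files "$HOME" 7
```

Nothing here needs root, which is the point: the whole check is over files the user already owns, and a hit in any of the three lists is exactly the kind of change David says most people would never notice without something like tripwire.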

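The sshd setting David cites, PermitRootLogin=without-password, is only as good as the rest of the file it sits in: sshd honours the first occurrence of each keyword, so a hardening line appended below an earlier "PermitRootLogin yes" never takes effect, and a commented-out "#PermitRootLogin no" does nothing. The checker below is an added example, not from the original post or either participant. The sample configuration files it writes are constructed; its parser stops at the first Match block (an assumption of the example, conditional lines are not evaluated); and when PermitRootLogin is absent it conservatively assumes the old default of yes (OpenSSH 7.0 and later default to prohibit-password, the newer spelling of without-password).

```shell
#!/bin/sh
# Added example, not from the original post: report the effective root-login
# policy of an sshd_config. First occurrence of a keyword wins, as in sshd.
# The sample configs from make_sample_configs are constructed for the demo.

# Print the effective value of keyword (arg 2) in config file (arg 1), or the
# default (arg 3) if it never appears. Keywords are case-insensitive, "key value"
# and "key=value" are both accepted, comments and blank lines are skipped, and
# parsing stops at the first Match block (assumption: conditional lines ignored).
sshd_effective() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '
        { line = $0; gsub(/=/, " ", line); n = split(line, f) }
        n == 0 || f[1] ~ /^#/        { next }
        tolower(f[1]) == "match"      { exit }
        tolower(f[1]) == tolower(k)   { print f[2]; exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# Classify root exposure over ssh: prints root-disabled, root-key-only or
# root-password. without-password, prohibit-password and forced-commands-only
# all refuse a password for root; otherwise root is key-only just when
# PasswordAuthentication is off for everyone. Missing PermitRootLogin is
# treated as "yes" (the pre-7.0 default) so an unset value shows as exposed.
root_login_policy() {
    prl=$(sshd_effective "$1" PermitRootLogin yes | tr 'A-Z' 'a-z')
    pw=$(sshd_effective "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    case "$prl" in
        no) echo root-disabled ;;
        without-password|prohibit-password|forced-commands-only) echo root-key-only ;;
        *) if [ "$pw" = no ]; then echo root-key-only; else echo root-password; fi ;;
    esac
}

# Write four constructed sample configs into a temp dir and print its path.
make_sample_configs() {
    d=$(mktemp -d)
    # commented-out hardening, then the real (weak) setting
    printf '#PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$d/weak.conf"
    # the setting from the post, in key=value form
    printf 'Port 22\nPermitRootLogin=without-password\n' > "$d/keyonly.conf"
    # hardening appended after an earlier "yes": the first line wins
    printf 'PermitRootLogin yes\nX11Forwarding no\nPermitRootLogin no\n' > "$d/first-wins.conf"
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$d/disabled.conf"
    printf '%s\n' "$d"
}

# Stand-alone run: classify the samples, then this host's own sshd_config.
d=$(make_sample_configs)
for c in "$d"/*.conf; do
    printf '%s: %s\n' "$(basename "$c")" "$(root_login_policy "$c")"
done
rm -rf "$d"
if [ -r /etc/ssh/sshd_config ]; then
    printf 'this host: %s\n' "$(root_login_policy /etc/ssh/sshd_config)"
fi
```

The first-wins.conf case is the one worth remembering: `sshd -T` would show the same answer, but reading the file top to bottom by eye usually does not.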