
Odi's astoundingly incomplete notes


sudo is a complete failure

Today it was about the 10th time that a customer gave me permissions to edit a config file by allowing me to sudo vi. If you don't see the problem, then read why this gives you full root access.

$ sudo -l
Matching Defaults entries for xxx on this host:
    always_set_home, env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
    LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE", targetpw,
    syslog=auth, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR
    USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME
    LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY PATH"

User xxx may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/vi /etc/apache2/*, (root) /usr/bin/vi /etc/apache2/conf.d/*, (root) /usr/bin/less
    /var/log/apache2/*, (root) /etc/init.d/httpd
OMG wildcards! And I also control PATH! There are so many ways to get full root access from this misconfiguration that I won't even bother to list them here.
Of course there is also the lazy admin who doesn't care at all and tells you to use sudo su, which not only gives you a full root shell in the first place but also leaves you with a polluted environment.
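To make the problems in that listing mechanical rather than a matter of eyeballing, here is a small audit script. It is an added example and not the author's code: it parses the `sudo -l` output quoted above (embedded verbatim as the sample) and flags the things the post complains about: PATH surviving `env_reset` via `env_keep`, wildcards in command arguments (a sudoers wildcard matches the whole argument string, extra arguments included), interactive editors and pagers that can run subcommands, and NOPASSWD rules. The lists of risky variables and programs (`DANGEROUS_ENV`, `SHELLING_OUT`) and the rule names are my own choices, not anything sudo defines.

```python
import re
from dataclasses import dataclass

# Sample input: the `sudo -l` listing quoted in the post, used here as test data.
SAMPLE_SUDO_L = """\
Matching Defaults entries for xxx on this host:
    always_set_home, env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
    LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE", targetpw,
    syslog=auth, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR
    USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME
    LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY PATH"

User xxx may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/vi /etc/apache2/*, (root) /usr/bin/vi /etc/apache2/conf.d/*, (root) /usr/bin/less
    /var/log/apache2/*, (root) /etc/init.d/httpd
"""

# Assumed list: variables that change what a program loads or executes.
DANGEROUS_ENV = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "PERL5LIB", "PYTHONPATH",
                 "IFS", "BASH_ENV", "ENV"}
# Assumed list: interactive programs that can run other commands from within.
SHELLING_OUT = {"vi", "vim", "view", "less", "more", "man", "nano", "emacs", "su", "bash", "sh"}

CMD_RE = re.compile(r'\(([^)]*)\)\s*((?:NO)?PASSWD:)?\s*(.*?)(?=,\s*\(|$)')


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def split_sections(text):
    """Return (defaults, commands) as single strings with continuation lines joined."""
    defaults, commands = [], []
    target = None
    for line in text.splitlines():
        if line.startswith("Matching Defaults"):
            target = defaults
            continue
        if line.startswith("User ") and "may run" in line:
            target = commands
            continue
        if target is not None and line.strip():
            target.append(line.strip())
    return " ".join(defaults), " ".join(commands)


def parse_env_keep(defaults):
    """Collect every variable named in an env_keep="..." or env_keep+="..." option."""
    kept = set()
    for m in re.finditer(r'env_keep\s*\+?=\s*"([^"]*)"', defaults):
        kept.update(m.group(1).split())
    return kept


def parse_commands(commands):
    """Yield (runas, nopasswd, command_string) for each '(runas) [NOPASSWD:] cmd' entry."""
    for m in CMD_RE.finditer(commands):
        runas, tag, cmd = m.group(1).strip(), m.group(2), m.group(3).strip()
        yield runas, tag == "NOPASSWD:", cmd


def audit(text):
    """Return a list of Findings for one user's `sudo -l` output."""
    findings = []
    defaults, commands = split_sections(text)
    for var in sorted(parse_env_keep(defaults) & DANGEROUS_ENV):
        findings.append(Finding("env_keep", f"{var} is preserved across sudo"))
    for runas, nopasswd, cmd in parse_commands(commands):
        parts = cmd.split()
        if not parts:
            continue
        if cmd == "ALL":
            findings.append(Finding("all", f"unrestricted command set for ({runas})"))
            continue
        prog = parts[0]
        name = prog.rsplit("/", 1)[-1]
        if not prog.startswith("/"):
            findings.append(Finding("relative", f"{prog} is resolved via the caller's PATH"))
        if name in SHELLING_OUT:
            findings.append(Finding("shell-escape", f"{prog} can run subcommands as {runas}"))
        if any(ch in arg for arg in parts[1:] for ch in "*?["):
            findings.append(Finding("wildcard", f"{cmd} matches any argument string, extra arguments included"))
        if nopasswd:
            findings.append(Finding("nopasswd", f"{cmd} runs without authentication"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L):
        print(f"{f.rule:13} {f.detail}")
```

Run it against the quoted listing and it reports eight findings: PATH kept in the environment, three wildcard rules, three rules for programs that can run subcommands, and one NOPASSWD entry; the `/etc/init.d/httpd` line is the only one that passes. A line such as `(root) /usr/sbin/apachectl configtest` (a fixed program with a fixed argument) produces no findings.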

Apparently many system admins think that sudo has something to do with security. And obviously they haven't the slightest concept of what it actually does. What it actually does is this: it is a binary with the suid bit set (so it always runs as root) that simply checks the rules in /etc/sudoers and then executes the passed command verbatim as a root process.

As we all know: executing random programs as root is a very bad idea in the first place. Doing that through sudo isn't any safer.

Apple and Ubuntu use it to obfuscate the fact that they basically run everything with the possibility of obtaining root privileges by merely knowing the current user's password (if there is one at all).

sudo should be removed from computers. It is security theater and does more harm than good by tricking admins into running completely insecure software as root.

If you need to give people access to config files, then use file system permissions (hello, we have had ACLs for many years now!). Yes, I know that by letting john.doe edit the Apache config he can also easily get root. But that's not the point here. The point is the abuse of sudo to work around file system permissions.
# allow john.doe to edit a single file
setfacl -m 'u:john.doe:rw' /etc/apache2/httpd.conf
# allow john.doe to edit all apache config
setfacl -m 'u:john.doe:rwx' /etc/apache2/conf.d
setfacl -m 'u:john.doe:rw' /etc/apache2/conf.d/*.conf
If you are scared to set the suid bit on the executable itself, then you shouldn't run it via sudo either.

posted on 2016-01-21 15:42 UTC in Code