What's wrong with using sudo?

1

For years I have told people to not start Kate as root to edit files. The normal response I got was “but I have to edit this file”. The problem with starting GUI applications as root is that X11 is extremely insecure and it’s considerably easy for another application to attack this.

An application like Kate depends on libraries such as Qt. Qt itself disallows running as a setuid app:

Qt is not an appropriate solution for setuid programs due to its large attack surface.

If Qt is not an appropriate solution for command line arguments running as root, it’s also not an appropriate solution for running GUI applications. And Qt is just one of the dependencies of graphical applications. There is obviously also xcb, Xlib, OpenGL, xkbcommon, etc. etc.

So how can another application attack an application running as root? A year ago I implemented a simple proof of concept attack against Dolphin. The attack waits for Dolphin to be started as root. As soon...

2

If you don’t know what “sudo” is, then this isn’t the post for you… it’s going to get technical and Linuxy. Let’s start with the summary, as it’s the most important part of this post:

If you use /etc/sudoers.d/ don’t create files in the directory – create them elsewhere, ‘chmod’ them, and only then copy them in.
Edit: You can also use the ‘visudo’ command to create and edit the files – see the comments for more details.

Now for the story about how I came to this discovery…

For reasons that I’ll describe in a future post, I have a need to be able to trigger the “chvt” command from a keyboard shortcut. More specifically I want to run “gksudo chvt 1”, as using chvt to switch from a graphical screen to a console requires superuser privileges on my Ubuntu box. This prompts for my password, which seems a little redundant as I can use CTRL-ALT-F1 to the same effect without having to enter a password. So I decided to add an entry to the sudoers file in order to...

3

You all use sudo--it ships with almost every Unix-like operating system. You might even know that sudo has features you don't use. This talk will take you through some of sudo's lesser-known features, including: managing unlimited numbers of machines and operating systems (either with a single policy file or LDAP), using sudo for intrusion detection, logging, debugging, and replaying sudo sessions, and more. Based on the book "Sudo Mastery."

Michael W Lucas has been a sysadmin for twenty years now, and his Unix experience is old enough to have gone out and earned its own master's degree by now. (Sadly, it didn't, preferring to hang out in the computer lab and play NetHack instead of going to class until its scholarship ran out.) Lucas has written a bunch of technology books, including "Absolute OpenBSD" and "SSH...

4
...
5

I recently read a blog posting that denounced the use of sudo as insecure because of the following (briefly summed up and paraphrased) reasons:

1. The idea that not using the root account is wrong, using root for everything is fine.

2. That using sudo for everything provides a false sense of security over performing an action as root directly

3. That using a user account password to get a root shell is a bad idea

4. That using a root shell is not dangerous, and that this "grave misunderstanding" came from the idea that running X as root is dangerous

5. That sudo has very little place in the Enterprise

6. That relying on sudo is foolish, because it has bugs

7. That everything should be done from a root shell, and that you should have to know the "uber-secret root password" to get that access

My first reaction to this blog posting was that the author had no idea how to use sudo properly or why you would want to. My...

6

I have this code to execute a command with and without using sudo option

String sudoScript = "sudo -u root -S ls /";
String script = "ls /";
try {
    System.out.println("===================================");
    System.out.println("command="+sudoScript);
    Process p1 = Runtime.getRuntime().exec(sudoScript);
    System.out.println("p2.waitFor()="+p1.waitFor());
    BufferedReader stdInput1 = new BufferedReader(new InputStreamReader(p1.getInputStream()));
    while ((sudoScript = stdInput1.readLine()) != null) {
        System.out.println(script);
    }
    System.out.println("===================================");
    System.out.println("command="+script);
    Process p2 = Runtime.getRuntime().exec(script);
    System.out.println("p2.waitFor()="+p2.waitFor());
    BufferedReader stdInput2 = new BufferedReader(new InputStreamReader(p2.getInputStream()));
    while ((script = stdInput2.readLine()) != null) {
        System.out.println(script);
    }
} catch (Exception e) {
    e.printStackTrace();
}
...
7

Hello,

I'm having a problem with my sudo. It always denies my attempt as if my password was incorrect. There is a clear time difference when I write a correct and an incorrect password (sudo always lags for a second when the user enters a wrong password).

My distribution is Arch Linux.

I installed a fresh version of sudo; the problem can be reproduced.

Code:

[root@sigma /]# sudo -V
Sudo version 1.8.5p2
...
[root@sigma /]# ls -l /etc/sudoers
-r--r----- 1 root root 2849 May 31 13:37 /etc/sudoers

If /etc/sudoers is configured to forbid me from using sudo, it asks me for a password, but never accepts authentication.

The behavior is the same when I allow sudo usage for the wheel group and add myself to the wheel group.

Code:

[root@sigma /]# cat /etc/sudoers|grep wheel
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
[root@sigma /]# su skyer
[skyer@sigma /]$ groups
wheel audio users wireshark skyer

I...

8

In some environments, it may be desirable to give users admin rights while restricting those users from being able to run commands with root privileges while using the command line.

A way to achieve this “admin user in the GUI, standard user on the command line” method is to edit the /etc/sudoers file. This is the configuration file referenced by the sudo command line tool, which allows a user with the correct sudo rights to execute a command with root privileges, or using another user account’s privileges.

By default, all user accounts with admin rights on both OS X and macOS have full rights to use the sudo tool. By removing those accounts’ rights for sudo from the /etc/sudoers file, user accounts with admin rights will not be able to run commands with root privileges using the sudo tool. For more details, see below the jump.

Editing /etc/sudoers

To edit the /etc/sudoers file safely, make sure to use the visudo utility. This application will do a...

9

OK. We're not supposed to use sudo when launching a GUI application that needs root access. We're supposed to use gksudo (or possibly pkexec -- I haven't researched that yet). I found a thread that talked about finding any files we might have messed up by using sudo instead of gksudo. It said to use:


Code:

find $HOME -not -user $USER -exec ls -lad {} \;

which, as far as I can see, lists all files and directories in my home directory where I'm not the owner. In my case, the result is:


Code:

find $HOME -not -user $USER -exec ls -lad {} \;
drwx------ 2 root root 4096 Jul 25 14:03 /home/dave/.cache/dconf
find: `/home/dave/.cache/dconf': Permission denied
drwx------ 2 root root 4096 Jul 25 14:04 /home/dave/.config/leafpad
find: `/home/dave/.config/leafpad': Permission denied
-rw-r--r-- 1 root root 66 Jul 25 15:07 /home/dave/.selected_editor

To the best of my knowledge, I've never done anything with ....cache/dconf,...

10
Hi, I'm running 16.04.2 LTS, uname -r shows 4.4.0-78-generic, and I don't know why, but when I try to run: it prompts me three times for my password. The first two times it says "Sorry, try again."; the third says "sudo: 3 incorrect password attempts".

I've booted from live cd and reset my root password, verified I was in the sudo group, even added myself directly to the sudoers file.

I've purged and reinstalled sudo and ubuntu-minimal

From root I've changed my user password

At this point I'm stuck and haven't found anything else in my searches to resolve this issue. I can re-install from scratch but was looking to see if there was some other simple fix first.

The hard drive was full at one point but I cleaned up space, removed all the old images and headers, apt-get update && apt-get upgrade work correctly, and I've even run a reinstall_all.sh.

I'm not sure what my /etc/pam.d files should all look like, if anyone has a list of files and their contents that...

11

We created Sudo to help put safety and privacy back in your hands.

In a world consumed by Wikileaks, identity theft, security breaches, and public and private data miners, the time has come to fix what is wrong with the Internet—namely that everything we do is recorded, analyzed, stored, and sold to the highest bidder. Using strong anonymity and advanced encryption, our apps have been designed for use by everyday consumers for every part of their online world. The result is a platform that gives anyone the power to create a proxy – or avatar – for their identity that can be used in both the online and offline world to safeguard their data, while ensuring the safety and security of their identity and online...

12

Have you ever needed to run an X11 based program like emacs or firefox in a sudo session and received one of the following errors?

This blog describes how to fix the problem.

I needed to solve this problem because there are a number of hosts on my network that do not allow root logins for security reasons. As a result I have to log into these hosts as a non-root user and then create a sudo session to perform administrative functions. Furthermore, I often do this remotely via XRDP, VNC or FreeNX through an ssh tunnel (or VPN) so there can be multiple credentials set.

To run an X11 based tool, I need to set the proper X credentials in the sudo session. I used to do this by manually looking up the xauth list for the original login and then adding them using xauth add in the sudo session, but I recently figured out how to make it work with a single command.

The basic steps are:

Log in to the remote host. Make sure that X11 forwarding is...
13

This is a completely useless post, but it’s possible to configure sudo to return insults instead of the default error message when you type the wrong password.

To enable this feature, edit /etc/sudoers (with visudo for example) and change the line:


Open a terminal window as a normal user, type a command with sudo and input the wrong password. Here are a few examples:

$ sudo bash
[sudo] password for testman: xxx
Are you on drugs?

[sudo] password for testman: xxx
Maybe if you used more than just two fingers…

[sudo] password for testman: xxx
Listen, burrito brains, I don’t have time to listen to this trash.

[sudo] password for testman: xxx
You silly, twisted boy you.

[sudo] password for testman: xxx
What, what, what, what, what, what, what, what, what, what?

[sudo] password for testman: xxx
You do that again and see what happens…

[sudo]...

14

---January 13, 2005

You might want to have a look at what "Tidy for FreeBSD" has done to the title of the page, though, 'cos it don't look too tidy, to me!

---January 28, 2005

My fault.. been doing a lot of cleaning up with tidy, but apparently a little too quick and didn't check the errors closely enough.

--TonyLawrence

Fri Mar 25 05:07:33 2005: 233 anonymous

I find this article to be very useful as I always used to think whether is the principle sudo possible and now it became possible ...:). It would be better if the Security part regarding environmental variables part is more elaborated.... Anyway, thanks for the article as it was useful for me, beginner...

Tue Mar 29 02:39:07 2005: 241 anonymous

Is it possible to specify the list of commands that are not allowed?

Tue Mar 29 10:02:16 2005: 243 TonyLawrence


Yes, it's POSSIBLE to say "these are the commands that you can't run", but it's not a good idea...

15

Advanced users may need to add a user account to the sudoers file, which allows that user to run certain commands with root privileges. To greatly simplify what that means, these newly privileged user accounts will then be able to execute commands without getting permission denied errors or having to prefix a terminal command with sudo. This may be helpful (or necessary) for some complex situations, but it poses a security risk for others, thus this is not something that should be casually changed. Generally speaking, most users are better off using an admin account, using sudo on a per command basis, or enabling the root user. Nonetheless, directly modifying sudoers has plenty of usage situations for advanced individuals with in-depth knowledge of the command line, and it is for those more complex situations that we’ll focus on adjusting the sudoers file as described here.

The sudoers file is located at /etc/sudoers but, unlike /etc/hosts and many other system...
