All that universal use of sudo does is encourage everyone to be in the habit of prepending "sudo " to any system-level command, without actually thinking about whether this is a good idea. See all the tutorials that just assume you're always using sudo, and so include "sudo " as a prefix on the commands.
If you'd always "sudo <command>" where someone else would "<command>" in their root login, then the only real difference is the logging. If that logging is of little value, then what's the real difference?
Use of sudo makes the user's password in effect a root password, actually expanding the attack surface for gaining root. You'd better be sure that the user's password is always transmitted/used in a secure manner. No TLS-less anything.
@AthanSpod @fanf As another Demonite of that era who still uses that basic access pattern, I still get a small twitch of fear when I see a # prompt. I regard this as a good thing.
@fanf interesting post! I like using sudo and I feel like there's an attribute of my workflows using it that isn't captured in your post, apologies if I noodle here.
My interactive shell environment is pretty rich, and I like those affordances. (History, fancy prompt, editor settings, aliases, various app configs and bindings). I want to use those features while doing sysadmin. But I don't want to set them up for root!
And, I often want to poke around and think about things, testing theories, before I do something "for real". For example, I might build an awk and for-loop contraption to perform some admin task, iterating on it on the command line, safe in the knowledge I can't accidentally overwrite /etc/fstab, and after I get it working right, add a sudo to execute.
I do also use the auth.log entries, both to remind myself what I've done and to figure out who changed something in the lab. It's pretty low-stakes stuff tho.
i tend to use Many Windows with key shortcuts to make them convenient, so in the experiment -> for real workflow i use another terminal when i need rootly powers
(tho for serious stuff it’s more like experiment -> script -> for real)
when i’m sharing ops duties with others i typically . ~fanf/.bashrc to make a root shell palatable
@fanf One thing I didn't get from your post is — you mention web apps to cross security boundaries — and that doesn't make any sense to me.
But maybe I've just been stuck in a cave for far too long. Can you provide an example of such a web app?
i was thinking of the self-service commands a sysadmin might provide for their users on a university timesharing system
in the past i have had colleagues who used ssh with forced commands for similar things – i should have said more about ssh
there’s also the fact that systems are always distributed, so a single-box utility like sudo is less likely to be the right kind of tool than something natively distributed like a web form
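As an added illustration of the ssh forced-command approach mentioned above (this is example code, not fanf's or anyone else's from the thread): the target account pins the client's key to one dispatcher script, and the script allows only an exact list of requests. The script path, the key, the group of commands and the log tag are all assumptions.

```shell
#!/bin/sh
# Added example: a forced-command dispatcher for self-service commands.
# The script path, key and command names are assumed, not from the post.
#
# In the target account's ~/.ssh/authorized_keys the client key is pinned
# to this script; "restrict" (OpenSSH 7.2+) also disables pty, forwarding
# and agent use for that key:
#
#   restrict,command="/usr/local/bin/self-service" ssh-ed25519 AAAA...example user@client
#
# sshd then runs this script whatever the client asked for, and places the
# client's request text in SSH_ORIGINAL_COMMAND.

# Map a request to the exact command to run. Exact string matches only:
# the request is never passed to a shell or eval, so "quota; sh",
# "quota $(id)" or "quota -s" simply do not match and are refused.
self_service_resolve() {
    case "$1" in
        quota)    printf '%s\n' "/usr/bin/quota -s" ;;
        diskfree) printf '%s\n' "/bin/df -h /home" ;;
        *)        return 1 ;;
    esac
}

self_service_main() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    cmd=$(self_service_resolve "$req") || {
        printf 'self-service: refused request: %s\n' "$req" >&2
        logger -t self-service "refused from ${SSH_CLIENT%% *}: $req" 2>/dev/null
        return 1
    }
    logger -t self-service "allowed from ${SSH_CLIENT%% *}: $req" 2>/dev/null
    # $cmd holds one of our own constant strings above, never client input,
    # so word-splitting it here is safe.
    # shellcheck disable=SC2086
    exec $cmd
}

# Dispatch only when running as the installed forced command, so the
# functions can also be sourced and exercised without sshd.
case "$0" in
    */self-service) self_service_main ;;
esac
```

The point of the exact-match table is the same one made about sudo's "only this one thing" rules elsewhere in this thread: the moment the request is pattern-matched or handed to a shell, there is usually a way past the "only".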
@fanf Idk, I mostly see it used as some mix of 1 and 5 (I would group those together as one thing, half-ignoring the stated "single-user workstation" scope of 5) and there people would indeed be just as happy with a really that verifies user presence, which is basically what sudo gives them from a user pov.
I suppose another big point you make in that regard is about the sudo codebase and potentially complex configuration, but largely people don't do any kind of complex sudo configuration...
@hlindqvist i have been slightly surprised by how many people told me they like their complicated sudo setups, but they tend to be 1990s university sysadmins, which is much less surprising
@fanf interesting that that post doesn't mention the other way in which sudo is a bad userv, namely the far less controlled amount of user context it passes in to root. I guess you had enough complaints already!
If I had a user I didn't trust with full root and I needed to let them invoke one root service, I'd never do it by giving them access to 'sudo only this one thing', because it's too likely there'd be a way past the 'only' clause.
@fanf (though, that said, I do sometimes configure sudo to let me do a few things without a password, but only in accounts where with a password it lets me do any rootly thing I like. I don't really think of that as a security measure – if a serious attacker gets as far as that user account then I've surely already lost. It's more a balance between convenience for common commands, and the 'make you think twice' safety-catch of the password.)
@fanf I think sudo is a good replacement for setuid programs, especially setuid programs that you don't intend to make accessible to everyone, just to a restricted group. You could do that with other mechanisms, but sudo is very simple to set up and it's everywhere already.
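Since the last two comments disagree about "sudo only this one thing", here is an added sudoers fragment (example configuration, not from the post or from any commenter) showing the restricted-group pattern and the two loosenings that most often create the "way past the 'only' clause". The group name, service and file paths are assumptions.

```sudoers
# Added example, not from the post or thread. Lets members of the
# (assumed) group "webops" restart one service and read one log,
# without a root shell. Install as /etc/sudoers.d/webops, mode 0440,
# and check it with
#   visudo -cf /etc/sudoers.d/webops
# before relying on it: a syntax error in sudoers can lock everyone out.
# Members can confirm what they actually got with "sudo -l".

# Exact argument list: only this precise invocation is permitted.
%webops ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx.service

# Too loose: with no arguments listed, any arguments are accepted, so
# "sudo systemctl start sshd" or "sudo systemctl edit nginx.service"
# (which opens an editor, and editors can spawn shells) would also pass.
# %webops ALL=(root) /usr/bin/systemctl

# Also too loose: sudoers matches arguments as one space-separated
# string, and "*" matches across word boundaries, so this also permits
# "sudo systemctl restart nginx.service --no-block anything-else".
# %webops ALL=(root) /usr/bin/systemctl restart nginx*

# Where the command is a pager or editor, NOEXEC blocks it from running
# further programs (shell escapes); it is a best-effort guard, not a
# sandbox, and sudoedit is the safer choice for editing files.
%webops ALL=(root) NOEXEC: /usr/bin/less /var/log/nginx/error.log
```

The caveat from the earlier comment still applies: a rule like this is only as narrow as the program behind it, so any command that can open files, spawn a shell or take a config-file argument needs to be treated as "full root" when deciding who may be in the group.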