Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20041020195516.GA1766@openwall.com>
Date: Wed, 20 Oct 2004 23:55:16 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: sudo: why not?

Hi Mike,

On Sun, Oct 17, 2004 at 12:18:02AM +0400, Mike Belopuhov wrote:
> I'm just skipping some gratitudes to Owl team ;-) and just asking
> a question: why sudo is not in Owl?  Always when I install Owl I
> can't guess why it is so.  It works fine with tcb.

Yes, but unfortunately both su and sudo are subtly but fundamentally
flawed.

Presently, the only safe use for su is to switch from a more
privileged account to a less privileged one (whenever this distinction
can be made) in a non-interactive script (without a tty).  As soon as
a tty is used, there is a security problem.  As soon as you su to a
more privileged account, there is another security problem.

We've been discussing privately how we might re-design su (or
improve Linux kernel interfaces) such that su would become safe in
presence of tty's.  However, even if that is done, su would still be
unsafe for accessing more privileged accounts from less privileged
ones.

Yes, it used to be common sysadmin wisdom to "su root" rather than
login as root.  Those few who, when asked, could actually come up with
a valid reason for this preference would refer to the better
accountability achieved with this approach.  Yes, this really is a
good reason in favor of this approach.  But it's also the only one.
And the reason I give against using this approach is that it
effectively allows anyone who could have compromised the otherwise
non-privileged user account used to su from to gain root (at the
next invocation of su by the admin).  So the separation between the
non-root and the root accounts is lost.

The alternative to "su root" is direct root logins.  If there're
multiple persons who need root privileges on a server, multiple root
privileged accounts may be created, -- which Owl now includes full
support for (note our msulogin package).

Now, let's approach your question about sudo.  As you can imagine, it
too has the problems of su.  A privilege is meant to be granted to a
non-user account temporarily, -- however, anyone who could have
compromised the account, even if they do not know the password (e.g.,
for a compromise through a CGI script or an FTP/IRC/whatever client
vulnerability), can gain ahold of the sudo-elevated privilege
permanently (by intercepting one sudo session during which the
password would be entered).

The above property is inherent to sudo.  However, besides it, there's
also an implementation defect.  sudo uses a blacklist, as opposed to a
whitelist, for disallowing "bad" environment variables from being
passed on to the program specified in the sudoers file.  No blacklist
can be complete.  The result of this is that it is generally possible
for a user listed in sudoers to get full shell access as the target
user (usually root) even if the specified command was meant to allow
for a certain action only.  On Owl, this problem is largely remedied
by the glibc -owl-sanitize-env.diff patch which strips glibc's own
risky environment variables on SUID exec (e.g., of sudo itself) such
that they would not be present on subsequent non-SUID execs (e.g., of
the command specified in sudoers).  But this is not something I like
to rely upon, and it only works for glibc.  The program invoked from
sudo may use other libraries and it may support its own environment
variables.

"sudo -i" almost achieves the desired effect (environment fully reset,
then populated with known-safe entries), except that there's no way to
force this behavior from a configuration file.

Of course, we may fix this implementation defect with a patch.  But
you've asked "why no sudo", -- and the above is the current answer.

Hope it helps, and thank you for trying to help.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.