Date:      Thu, 25 Mar 1999 17:22:22 -0600 (CST)
From:      James Wyatt <jwyatt@RWSystems.net>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        "Bruce A. Mah" <bmah@CA.Sandia.GOV>, freebsd-security@FreeBSD.ORG
Subject:   Re: sudo (was Re: Kerberos vs SSH)
Message-ID:  <Pine.BSF.4.05.9903251642150.23152-100000@kasie.rwsystems.net>
In-Reply-To: <199903252044.MAA02527@apollo.backplane.com>

Matthew Dillon wrote:
> :>     We used sudo for a little while 3 years ago, but I decided that it was
> :>     too big a security risk and wiped it.  sudo is one of the stupidest
> :>     programs I've ever seen.

Bruce replied:
> :I'd be curious to hear what you think sudo's shortcomings are, and why it 
> :merits being labeled as one of the stupidest programs you've ever seen?

Matthew replied:
>     Simple:  Because the program is designed to poke holes through root and
>     run specified programs.  It's fairly easy to misconfigure it, and there is
>     no guarantee that the programs it runs are themselves secure.  sudo opens 
>     up a whole can of potential security problems.

Not the answer I expected. How are these different from giving the user
the root password? The programs are run similarly - except that root's
path almost never has '.'? It is easy to forget that some programs like
'vi' can do shell work, allowing the user to use *any* program, not just
what they have been allowed to use.

With a group of admins, I can revoke *any* one of them while keeping them
around without 'sharing' new root passwords. It also logs which programs
which users run, /bin/su does not - root command history is global. I can
anoint a contractor or vendor's account for an emergency and de-anoint
later, while still allowing them to view operation.

The thing I don't like about it is that it makes programs like linsniffer
more effective. It looks at TCP startups of telnet, FTP, pop, etc... and
very nicely captures their password. Capturing root passwords from users
'su'-ing requires a *lot* more advanced sniffer or cracker intervention.
This easily captured password is sufficient for root access if the user is
allowed to do anything that might gain them shell. - Jy@
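
The shell-escape point raised in the message above (a permitted program like 'vi' can run any other program), as an added example that is not part of the original e-mail: a small audit that flags sudoers rules granting shell-capable commands without the sudoers `NOEXEC` tag. The program list, the users and the sample rules are constructed assumptions, and the parser handles only simple one-line rules.

```python
import os
import re

# Assumption: a non-exhaustive set of programs that can start a shell or run
# arbitrary commands from inside their own interface.
SHELL_CAPABLE = {"vi", "vim", "view", "ex", "ed", "emacs", "less", "more",
                 "man", "find", "awk", "sh", "csh", "tcsh", "bash"}

# Constructed sample sudoers rules (hypothetical users).
SAMPLE_SUDOERS = """\
Defaults env_reset
alice   ALL = /usr/bin/vi /etc/hosts, /sbin/reboot
bob     ALL = NOEXEC: /usr/bin/less /var/log/messages
carol   ALL = (root) NOPASSWD: /usr/bin/tail /var/log/messages, /usr/bin/find
dave    ALL = ALL
"""

TAG = re.compile(r"^([A-Z_]+):\s*")      # e.g. NOPASSWD:, NOEXEC:
RUNAS = re.compile(r"^\([^)]*\)\s*")     # e.g. (root)

def audit(text):
    """Return (user, command, reason) for rules that effectively grant a shell."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        # Simplification: skip comments, Defaults, aliases; no continuations.
        if (not line or line.startswith(("#", "Defaults")) or "=" not in line
                or re.match(r"\w+_Alias\b", line)):
            continue
        left, right = line.split("=", 1)
        user, noexec = left.split()[0], False
        for spec in right.split(","):
            spec = RUNAS.sub("", spec.strip())
            m = TAG.match(spec)
            while m:  # a tag applies to the rest of the command list
                noexec = {"NOEXEC": True, "EXEC": False}.get(m.group(1), noexec)
                spec = spec[m.end():]
                m = TAG.match(spec)
            if not spec:
                continue
            cmd = spec.split()[0]
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted"))
            elif os.path.basename(cmd) in SHELL_CAPABLE and not noexec:
                findings.append((user, cmd, "shell escape possible"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(*finding, sep="\t")
```

`NOEXEC` depends on platform support and dynamically linked binaries, so a clean report here narrows the review rather than replacing it.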


