:: Re: [DNG] sudo or su?
Author: marc
To: dng
Subject: Re: [DNG] sudo or su?
> I followed the standard settings of the installer which leads me to
> have root and (a) user.
>
> Now, I know there are different philosophies about the use of sudo.
> Frankly, is there any relevant difference between 'sudo + command' or
> 'su -c + command'?


Hello

The first thing to do when looking at any bit of security mechanism is
to figure out the threats which it can counter (the threat model
that the authors had in mind):

Sudo:
  * protects users against password fatigue - desktop unix users
    only have to remember one password
  * discourages unneeded/careless root logins
  * allows elevated command execution on a finer grained basis than su


Su:
  * prevents immediate root escalation when somebody intercepts/shoulder
    surfs/sniffs the user password (root might only be needed occasionally,
    normal user password is provided at each login)
  * at least makes it possible to offer a trusted path


The last bit about trusted path is really quite important,
particularly as the biggest threat that the contemporary
desktop unix user faces is the javascripted web browser:

So in a normal environment, once the user account has been
broken, there is no reasonable way that it is possible for a
user to work out if the password they are typing at the sudo
prompt is actually going to sudo directly or being intercepted
by a dodgy piece of code. The attacker could have straced the
terminal application, or replaced any one of the terminal
process, shell or sudo with a subtly modified one, or done any
other number of tricks (X server key capture, screen session,
etc, etc). Yes, I know, in some environments strace is disabled
for unprivileged users - but this is a travesty for developers
and amounts to security theatre[1].

On the other hand, having a functional root account with separate
password allows one to log in to a box which holds a compromised
user account without giving the attacker root. Possible options:
Remotely via ssh (a counterintuitive argument to actually admin a
remote system using root directly (!)), or in single user mode,
or just maybe even at a text console, using sysreq to kill
possible sniffers[2].

TLDR: sudo protects naive users against rookie mistakes, at the
cost of making user level compromises much worse[2].

regards

marc

[1] Npghnyyl vg vf jbefr guna gung. Qbja guvf cngu yvrf gur n ybpxrq
qbja nccvsvrq raivebazrag, jurer abezny nppbhagf pna'g pbzcvyr be qroht
pbqr - naq jurer lbh arrq ebbg gb or cebqhpgvir.

[2] Naq vs lbh ner tbvat gb nethr gung n hfre pbzcebzvfr vf rnfvyl
ghearq vagb ebbg npprff naljnl naq guhf fhqb vf whfg fbbbb zhpu orggre,
gura nfx lbhefrys jul bar fubhyq unir n hfre/ebbg frcnengvba gb ortva jvgu