[sudo-users] How does sudo improve security.

Kevin kkadow at gmail.com
Fri Apr 8 15:12:28 EDT 2005


On Apr 8, 2005 4:03 AM, Pico Geyer wrote:
> Another problem that I have is that I don't know what to allow normal
> users to do. The way we are doing it currently is that all users have
> the root password. I agree that this is not the best of mechanisms, but
> we are a very small company and I am the self-proclaimed system
> administrator. Any recommendations on how I should limit users?

Assuming that today all users have the root password, then the obvious
"next step" is to give all users sudo access to !SHELLS (all commands
except launching a subshell) and train them to use sudo to do the tasks
they were previously using root for.

After a few weeks in this mode, review the sudo logs, and start to
build a sudoers which restricts users to commands they actually use;
this is, IMHO, much more effective than asking the user base what
commands they *feel* the need to be able to run as root.


> I was thinking of allowing them to install software through RPM but I'm
> not sure what else to allow/disallow.

For a malicious user, even this could be enough to get full root access...


> Also any comments on a hacker gaining access to your account and then
> because you're using sudo, the hacker's job is made easy because he has
> more rights than he normally would?

This is absolutely a problem.  Personally, I deploy "sudo" using
SecurID authentication (http://groups.yahoo.com/group/securid-users/),
so a hacker would not immediately have elevated access.

Using SecurID (or any OTP) with sudo sounds like a major hassle,
but when used with a high "timestamp_timeout" value (along with
"tty_tickets"  and "sudo -k" in a .logout file for security), using OTP
with sudo is not nearly as painful as it sounds.


>> Matt [mailto:mlh at zipworld.com.au] writes:
>> It only improves security in comparison to the alternative.
>> That alternative is often to give everyone the root password.

Exactly.

One reason I use sudo is because I don't have to run around
changing the root password and handing out the new password
to all administrators every time somebody leaves the organization.

When I worked at Motorola, we had one employee who spent
more than half their time changing passwords and distributing
new "cheat sheets" with the updated password lists.  Insanity.

The security advantage of sudo is that, in an environment where
some users must be given the ability to run specific commands
with elevated privileges, giving them limited access to specific
commands with specific arguments, and providing an audit trail,
is an improvement over just handing over the root account and
hoping for the best.

Another neat feature of sudo in very large environments is that
you can build a single universal sudoers file using host and
group aliases, and push out the same file to hundreds of servers
while still giving individuals and groups different levels of access
on different servers or groups of servers.


Kevin Kadow
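
The log review described in the message above (run with broad access for a few weeks, then restrict users to the commands they actually use) can be scripted. This is an added example, not part of the original message: it tallies per-user commands from sudo's syslog lines and drafts sudoers entries for manual review; the log lines, user names and host name are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in sudo's syslog format (not from a real system).
SAMPLE_LOG = """\
Apr  8 09:01:12 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rpm -Uvh pkg-1.0.rpm
Apr  8 09:05:40 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
Apr  8 09:07:03 web1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/sbin/service httpd restart
Apr  8 09:09:55 web1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Apr  8 09:12:30 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
Apr  8 09:15:00 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/rpm -e pkg
"""

ENTRY = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.*)$")

def parse_line(line):
    """Return (user, command, failure_reason_or_None), or None for other lines."""
    m = ENTRY.search(line)
    if not m or "COMMAND=" not in m["rest"]:
        return None
    head, command = m["rest"].split("COMMAND=", 1)
    # Fields before COMMAND are "KEY=value" separated by " ; "; a field that
    # is not KEY=value is sudo's failure message (e.g. "command not allowed").
    fields = [f.strip() for f in head.split(" ; ") if f.strip()]
    reason = next((f for f in fields if not re.match(r"[A-Z]+=", f)), None)
    return m["user"], command.strip(), reason

def summarize(log_text):
    """Tally successful commands per user; collect failures separately."""
    allowed, denied = defaultdict(Counter), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, command, reason = parsed
        if reason:
            denied.append((user, command, reason))
        else:
            allowed[user][command] += 1
    return allowed, denied

def draft_sudoers(allowed):
    """Draft one sudoers line per user, listing exact commands with arguments."""
    # sudoers requires ',', ':', '=' and '\' in command arguments to be escaped.
    esc = lambda c: re.sub(r"([,:=\\])", r"\\\1", c)
    return [f"{user} ALL = " + ", ".join(esc(c) for c in sorted(cmds))
            for user, cmds in sorted(allowed.items())]

if __name__ == "__main__":
    print("\n".join(draft_sudoers(summarize(SAMPLE_LOG)[0])))
```

The drafted lines are candidates only: check each with `visudo -c` and review commands such as `rpm` by hand, since the message notes that even package installation can lead to full root access.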


