I thought the general strategy was to not give daemon accounts shell access at all. Getting shell access is the hard part for a malicious actor. Once you have shell, root access is just a matter of finding a piece of unpatched software with a privilege escalation exploit out there. Plus, there's still a lot of damage you can do without root access.
I wonder if it comes from having a windows mindset and the way windows screams at you about unauthorized software and forces you to use an administrator password for random arbitrary things while saying it's for your protection. With windows background as a single user operating system, heavily targetted by malware this makes sense.
Then they come onto linux, find out they need to use sudo to install things from package managers or access files in the root directory and immediately that protecting themselves mindset comes into play. However, taking into account Linux's background as a multi-user operating system, this mindset makes less sense as the tools while working similarly at a shallow level, were designed for totally.different purposes.
random arbitrary things
From what I can see that's not the case at all. In fact for me it seems rather sudo-y. Want to change system files? Need sudo / UAC. Want to install software (which is basically like the first case)? Need sudo / UAC? Want to screw up your home directory? No need for sudo, no UAC.
Also, the normal UAC setup for a consumer device does not require a password, just pressing a button.
As a novice Linux user, that was exactly my mindset and reasoning.
That's not really true. An unprivileged user shouldn't be able to take down a production system, or really adversely effect other users. Assuming you have disk quotas enabled, what else could an unprivileged user do?
Why do these people have shell access to production systems in the first place?
I have access to this box and it has granted me access to some other system which has useful data, like a database, NFS mount, or S3 bucket. Let me hop in here and grep for something juicy to steal, maybe flip some bits around to fuck with people, or just delete shit.
How about deleting everything under /var/www/?
>only running `sudo service` so they can log in an restart a service, but not make any other changes
So you think too, its a security measure?
For example, a short fence can be considered a security measure, though it can be purposefully stepped over. Maybe it only serves as a guide, or maybe it protects a window from a nearby soccer field.
In that same way, the sudo example you're deriding can provide the 'security' of making the proper workflows more visible to the user- without being designed to keep out a malicious professional hacker.
I don't think it's useful in protecting against people with the intent to break stuff. A malicious person doesn't necessarily need root to do damage, and if they do, then there are many vectors for obtaining elevated privileges from within a shell.
I do think that it's useful for keeping users from within your organization from doing damage by accident. Like, you could enabled a person to log in and restart a service, but prevent them from mucking around with configurations.
They don't stop people from intentionally doing it.
For that you could just do
alias sudo=su -c
I suppose the main advantage of sudo is it gives you more granular control over which commands are allowed and which aren't. For example if you're building a robot, you can allow the robot's process access to /sbin/shutdown to be able to restart the system on remote command (or lack of remote command).
This will not work. sudo cp aaa bbb will work but su -c cp aaa bbb will complain that the user aaa does not exist, you need to quote them instead, like su -c "cp aaa bbb".
It would make more sense to make it a script
#!/bin/sh
su -c "$@" pi ALL=(ALL) NOPASSWD: ALL
This is one reason I increasingly don't like the normal Linux distro "system packages, plus everything else under the sun, with one interface and all co-mingled" default package management solution. I big fat "update the system" (or don't) button with my user-installed packages totally separate, as I get with macOS, is nicer. This made worse because, unless you're self-managing the base system and keeping it super minimal (as one might in Gentoo, Arch, or Void) Linux installations are weirdly fragile, I think in part because of this too-large package ecosystem all tied up with the "core" of the OS.
Especially on a single-user system, I should be able to install most software without escalating privileges. I should be able to blanket-update my user-facing software without any risk whatsoever that a kernel update will get thrown in with that (even if I don't read over the list to check—it shouldn't even be possible), nor with privileges to perform such even if it somehow did try to sneak in. I ought to be able to delete the directory with my user-installed packages and the system still boots with no errors or warnings—and yes, with a GUI and audio and networking and all that still working.
I know Nix and even a Homebrew port (with worse package availability, though) are options for achieving something kinda like this but it still feels like swimming against the current.
And have to update each software package manually as in windows/macos? (even worse, have a backdoor updater build-in on packages)
> I should be able to blanket-update my user-facing software without any risk whatsoever that a kernel update will get thrown in with that
But why? Any and all security updates should be installed as soon as possible, regardless if it is a kernel update or a browser update.
I only use Windows for gaming so IDK there, but almost everything I use on macOS is installed with Homebrew (a package manager). Even crapware like Slack. Though yes some of those do decide to use their own built-in updaters after that—no helping that, if you must use their software, but being able to script installation of them through one interface is really nice.
> But why?
It shouldn't be possible to break one's system with the same tool, commands, and privileges one uses to install Tux Racer. Installing normal user-facing packages shouldn't require privileges that even allow for screwing with basic system software.
> Any and all security updates should be installed as soon as possible, regardless if it is a kernel update or a browser update.
God damn I guess I picked a bad example because folks are really stuck on that. Reverse it then: if I want the latest drivers, xorg, and kernel, including feature updates, what's that got to do with my installation of Tux Racer? Why are those connected in any way whatsoever? Why do the same tools manage installing and updating both? "Build it from source then" yeah but I like package managers except for oddball stuff like dwm, I'm not saying get rid of them.
I could use Homebrew or Nix on top of some distro but that's a road full of jank and more fiddling-with-trivia than I have patience for these days. I'll crankily live with Void Linux for now and pine for a robust, small, tested, rock-solid base system built for using one or more complementary and supplementary user-facing package managers on top of. I mean macOS isn't even built for that, exactly, it just suits the case very well. I wish there were a Linux distro that did, too.
Today we live in the land of plenty. Computer hardware is so cheap, it's practical to put together a respectable lab with gear literally pulled out of a dumpster. The reason Windows and Mac OSes have a sharper line between system software and user software is because modern advances have made computer cheap enough that not only does almost everyone have their own personal computer, almost everybody has more than one. As a result, Windows and Mac have always been mostly single-user systems. Yes, yes, they support having multiple _accounts_ but usually by one person at a time, which limits the number of accounts (as a practical matter) to a handful at best.
All of the major Linux distributions were designed in a time where large multi-user systems were the norm. Disk space was limited, memory was small, CPU cycles were few. Unix (and hence Linux) was designed to make efficient use of these limited resources by installing popular software system-wide with shared dynamically-linked libraries because that was the only way to even _fit_ a few hundred users on one system. As a sysadmin, I get cold sweats thinking about what would have happened if every user wanted their own personal copy of Emacs on such a system.
> Especially on a single-user system, I should be able to install most software without escalating privileges.
I do believe you can, see Snaps and Flatpak. These run on just about everything. But there is a steep price: user-isolated applications can take an order of magnitude more disk space and significantly more memory compared to OS-built packages, see https://www.reddit.com/r/pop_os/comments/gia8s1/flatpak_pack...
If you're looking for a Linux distro that behaves more like Windows and Mac, you're in luck because Ubuntu is hurtling themselves in that direction as quickly as they can by making snaps compulsory on every desktop install.
> I should be able to blanket-update my user-facing software without any risk whatsoever that a kernel update will get thrown in
So, I think you have it backwards. Kernel updates generally contain important security or bug fixes and you absolutely _should_ be installing those and rebooting _well_ before even acknowledging the existence of your userland apps.
With that logic DOS/Windows and even Mac OS (X) should be even worse regarding that then, after all both Mac OS and DOS are older than Linux. Not to mention that servers always had better cpus/more ram compared to personal computers.
> Unix (and hence Linux)
Mac OS X is officially recognised as a Unix. Just one of the registrations: https://www.opengroup.org/openbrand/register/brand3581.htm
> installing popular software system-wide
This is exactly what windows does. Most of the times the installers need admin privileges.
> see Snaps and Flatpak
Nix (which was mentioned by the person that you are replying to) is an even better solution. In fact you can run it on top of existing distros too. Also, package managers for programming languages (such as Haskell's cabal and even Python's pip I think) have Nix support now.
An alternative is to use appimage which is just a single executable per software.
I think this is largely beside the point, and not because concerns about resource use are outdated. Linux already has the concept of user groups. Just make packages installable per-group or per-user. There, issue almost entirely mitigated. The default case for single-user systems could even be group-install, since it'd look basically the same anyway—it's multiuser systems where true per-user package management might make sense, but isolation from basic system software management makes sense in either case.
> If you're looking for a Linux distro that behaves more like Windows and Mac, you're in luck because Ubuntu is hurtling themselves in that direction as quickly as they can by making snaps compulsory on every desktop install.
I'm no old-timer (yet) but my first couple computers had actually-floppy floppy disks, so I remember resource constraints well and remain conscious of them to an above-average level, I think. Ubuntu these days is buggy bloatware with little extra going for it in exchange, and has been for a long time. For ~3-4 years early on they were doing a good job of curating a decent Linux desktop experience with reasonable defaults (as in "Epiphany? LOL no, our desktop metapackage will install Firefox, TYVM") but those days are long past. Snaps are so plainly godawful that it's got to be internal politics that let them get this far, and keeping them alive—but such a thing is only a tempting development target because software management on Linux is all mixed up with keeping the system bootable and fundamental hardware features working to a basic level, which is the thing I'm not happy with.
Login to the developer’s machine as in? What if they disabled SSH password auth?
I mean, if you already made them run a random script why would you even care about their password?
If they do, then it doesn't matter if it uses/fakes sudo, or not. They have some bigger problems.
I have some extra user accounts that I can sudo into to run scripts, plugins etc from e.g., github that I trust somewhat but not 100 percent. In case they do start mining bitcoins or sending spam mail I will find out and stop it.
But for shared linux servers, sudo is very useful. It allows controlling which users are allowed to administer the system. (Generally, people who aren't sudoers can only view log files or do other readonly things). It's much better than letting people login as root directly since it keeps an audit trail of who is actually administering the device (they will show up using the `users` command, for example).
I rarely use sudo to do any fine-grained access control - it's almost always an all-or-nothing configuration - specific users are granted full access (with passwords), and everybody else gets none. I suppose this means that I use only 5% of it's functionality, but this 5% is quite useful.
That is a fine thing to do. But when your operational processes are that structured, you're more likely to be doing code-reviewed changes to a configuration management repo, poking the API of a cluster scheduler, running playbooks in Ansible Tower or Jenkins, or something else that doesn't involve personal shell access.
Why in 2020 do we still have non admin users on a host? Services! I still have non-admin users on my hosts for www, databases, etc.
Without sudo, the alternative would be for ssh to PermitRootLogin which is theoretically safe if root has a strong password etc, but in practice — should there ever be a bug in openssh that exploits permissive root logins — would needlessly expose systems to such a bug.
What it doesn't do is run everything with root permissions giving every process you run access to the entire filesystem, which is what you would be doing without it.
Any time I'm on Linux, I usually operate as root to avoid this annoyance and I put more weight into securing the machine in other ways - IP restrictions, cycling keys, cycling the servers, etc.
Sudo can prevent rookie mistakes, like wiping an OS or removing certain directories, but I consider most machines I work on to be ephemeral anyways, and anytime I make one of these mistakes it is a reminder to not do that next time - I prefer this to being hand-held and denied access superficially.
Oddly though, I do like that `sudo` exists in its current form, for people who are not as experienced. For me personally, I almost never interact with it.
Occasionally we do need to access system level resources, and `sudo` allows us to do this in a way that forces us to acknowledge that we are doing something more dangerous. However, we prefer using automation tools such as Chef to accomplish those things in a measured, repeatable way.
If a Windows user is tricked into downloading some malware, and runs it by using their local admin rights to bypass the UAC prompt, then the system is owned. I believe this is the same risk with sudo, although the hope is that the extra authentication prompt gives the user the opportunity to re-evaluate whether or not they want to run the command as a privileged user.
2. sudo can be used for both running a limited set of commands and for running an unrestricted set of commands. These are also two different cases. It's a bit tricky to ensure your limited set of commands are secure (you need to make sure none of the commands allow you to run unconstrained commands in turn), but if you do it, that is a meaningful security limit compared to giving a user account unrestricted sudo or running that code as root. This isn't usually relevant for typical desktop systems, but if you're looking at designing some more involved deployment, it's relevant.
3. For a multi-server deployment with a team of sysadmins, the question isn't really about sudo vs. su vs. ssh as root - the question is about the chain of accounts between a sysadmin's keyboard and their privileged shell. If you can come up with a design where the account that they can use (directly or indirectly) to log into root is more highly trusted than their everyday account (the one they use for downloading software from the web and trying it out, running code written by other people in the company, etc.), then there's a meaningful benefit. There's a lot of ways to do that. One is to allow them to log in from their workstation's account to both a privileged sysadmin account with sudo and an unprivileged everyday one, and they do their work logged in elsewhere with the unprivileged account. One is to allow them to log in from their workstation's account directly to root, or to an unprivileged everyday account - it's weaker in terms of auditing but it has the same security properties as the previous solution. One is to set up multiple local accounts on their workstation, one privileged and one not, so they can work locally with their unprivileged account. The important bit is that the unprivileged account can't escalate to the privileged one. It doesn't matter if it does so with sudo or with su or with ssh or whatever, all of those can be used to escalate privileges.
If you really want, you can apply the scheme above to your desktop system. Make two accounts, have one be an admin account and one not. If you're installing drivers etc. switch to the admin account, but otherwise work in the non-admin account. If the non-admin account gets broken into, you can reliably use the admin account to wipe it and restore from a known-clean backup. That's generally annoying in practice, though.
I'm pretty sure X doesn't support SAKs at all - any program can intercept any keystrokes. Maybe Wayland does, but then you somehow need to integrate your sudo binary with Wayland. And good luck getting that to work over SSH.
Despite the chosen solution on SO - and from how the question is stated, it is clear that the asker only wanted confirmation -, sudo has its uses, even if is not perfectly secure (especially with the default configuration).
I suggest a more sensible approach for all security-related discussions: All systems have vulnerabilities, but some improve your security posture.
If you don't have particular use for it, just don't use it.
sudo was most useful when computing mostly occurred in shared runtime multiuser environments, as found in many research universities from the 1970s through the early 2010s. It was useful in this situation because it allowed selective granting of privileges to regular users (students, researchers, professors) to run commands otherwise only available to the superuser (sudo = "substitute [root] user do").
Those were the days of asking your sysadmin for root access to do something potentially dangerous to the system or disruptive to other users on the shared Unix system (i.e. running the "shutdown" command, or listening on a reserved network port). sudo allowed the sysadmin to trust specific users with certain commands they wouldn't otherwise be able to run.
sudo (and its GUI equivalents) was then adopted into personal computer OS's as part of the first push to secure consumer OS's against their own users corrupting them inadvertently, or via the emerging problem of computer viruses. At the time, consumer OS's (win3.x - win95, original MacOS) ran all software with administrative privileges.
Those OS's were replaced by enterprise equivalents that were designed with stronger access control features (windows NT, and the BSDs that became MacOSX).
The idea was that common tasks of the time (i.e. word processing, spreadsheets) would run as regular user accounts, and things like installing software or changing system settings would trigger a password prompt), just as happens in an enterprise or shared multiuser environment.
But consumer OS's basically have a single logged-in human user at a time. Thanks to the web, when computation needs to happen on a remote, shared compute machine, it happens over some form of RPC or API. Other concurrent "users" on most computers are usually system processes, not real users. How many of us login into a remote shared "compute" system anymore? Heck how many of us even remember doing that?
Mobile OS's, and increasingly desktop OSs are evolving into managed runtime environments, which by design have no facility for "root" access at all, often to the chagrin of tinkerers who miss having the ability to modify OS internals. Even server-based apps are designed to run in containers that run in managed server environments.
Anymore, there's hardly a good reason to design most systems and software to require root access to install or run anymore. And yes, there are exceptions to this but those are usually for legacy software, or very specialized use cases like OS development itself.