[X-Unix] Re: Root Exploit via sudo

Tom Shaw tshaw at oitc.com
Tue Apr 12 21:24:09 PDT 2005


At 4:53 PM -0400 4/12/05, Timothy Luoma wrote:
>On Apr 12, 2005, at 8:58 AM, Kuestner, Bjoern wrote:
>
>>>if you simply change the place where sudo logs to,
>>>the security hazard is removed without added inconvenience.
>>
>>I think you have to not only change the place but also
>>a) secure that a script cannot easily read from a config file the new
>>location
>>b) better, secure the permission for the new log file.
>
>If you read the official note at
>http://www.securityfocus.com/archive/1/395107/2005-04-03/2005-04-09/0
>
>it recommends changing the logging to /var/log/secure.log, which 
>is owned by root and chmod 600 by default
>
>>Even then I'm not sure if that is secure enough for the paranoid 
>>(does not include me). But as the devil's advocate I could imagine 
>>a script that tries to run a sudo command every four minutes. I 
>>don't think you're blocked in any way if you fail with a sudo 
>>attempt. So sooner or later an attempt will succeed because the 
>>user happened to use sudo 2 minutes before that.
>
>True, however if someone can log in to an account with admin 
>privileges then you already have security problems.
>
>>I guess the only secure way for OS X and other Unixish systems is 
>>to remove the grace period after a sudo command.
>
>The tty restriction:
>
>Defaults:ALL  tty_tickets
>
>is a good one.
>
>I'm concerned that removing the grace period entirely would lead 
>people to choose weaker passwords, which is a much bigger security 
>threat.

I am still at a loss with this thread. What is the key real issue? If 
you can sudo then you have an admin PW and you can muck about without 
issue, so what's this thread really about? Maybe it's about being a 
little sloppy and an academic usage of trojans.

Although I agree with the security focus article in principle, too 
many of us operate our day-to-day accounts as admin accounts as well 
- intrinsically a bad move. Properly, you should never use an admin 
account for day to day work - it would be like logging on to Linux as 
root for day-to-day activities.  I find it amazing that securityfocus 
would call out OSX in particular as this "risk" is true for any user 
on a Unix or Linux derivative who has sudo privileges.  Properly 
handled, the account you sudo with should not be one you muck about 
with publicly, and when sudo'ing or running as root care must be 
taken.

Additionally, let's look at relative risk. If you have a public IP or 
are behind a router/firewall and have SSH open "because it's secure" 
and are using stock out-of-the-box defaults, you have a much larger 
risk going on than the one securityfocus proposes.

Tom
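As an added example (not from this thread, the advisory, or the sudo project), here is a POSIX shell audit that checks the three settings the thread goes back and forth on: whether `tty_tickets` is enabled, what `timestamp_timeout` (the grace period) is set to, and whether the sudo log file is root-owned with mode 0600 as the advisory recommends for /var/log/secure.log. The function names and the sample sudoers contents are my own constructions; the file paths are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the sudo settings the
# thread discusses. Assumptions: sudoers and log paths are passed as arguments;
# the sample sudoers contents below are constructed for the demo, not copied
# from any real system.

# Succeed (exit 0) if a non-comment "Defaults" line in FILE enables OPT.
# Handles "Defaults opt", "Defaults:ALL  opt", "Defaults a, opt" and
# "Defaults opt=value"; a negated "!opt" does not count as enabled.
sudoers_has_default() {
    file=$1
    opt=$2
    grep -Ev '^[[:space:]]*#' "$file" |
      grep -Eq "^[[:space:]]*Defaults([:@>!][^[:space:]]*)?[[:space:]]+(.*[[:space:],])?${opt}([[:space:],=]|$)"
}

# Print the last configured timestamp_timeout value (minutes), or "default"
# (sudo's built-in grace period is 5 minutes) when the file does not set it.
sudoers_timestamp_timeout() {
    v=$(grep -Ev '^[[:space:]]*#' "$1" |
        sed -nE 's/^[[:space:]]*Defaults([:@>!][^[:space:]]*)?[[:space:]]+(.*[[:space:],])?timestamp_timeout=([-0-9.]+).*/\3/p' |
        tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'default\n'; fi
}

# Succeed if an "ls -ld" mode string and owner are what the advisory expects
# for the sudo log: owned by root, mode 0600 (no group or world access).
perms_are_secure() {
    mode=${1%[@+]}    # strip the ACL/xattr flag some ls versions append
    owner=$2
    [ "$owner" = root ] && [ "$mode" = "-rw-------" ]
}

# Report on one sudoers file and one log file; exit 0 only if the checks
# the thread treats as must-haves (tty_tickets, log permissions) pass.
audit_sudo() {
    sudoers=$1
    logfile=$2
    rc=0
    if sudoers_has_default "$sudoers" tty_tickets; then
        echo "ok:   tty_tickets set (ticket only valid on the tty that authenticated)"
    else
        echo "warn: tty_tickets not set"; rc=1
    fi
    t=$(sudoers_timestamp_timeout "$sudoers")
    if [ "$t" = 0 ]; then
        echo "ok:   timestamp_timeout=0 (no grace period)"
    else
        echo "info: timestamp_timeout is $t (grace period in effect)"
    fi
    if [ -e "$logfile" ]; then
        set -- $(ls -ld "$logfile")   # fields: mode, links, owner, ...
        if perms_are_secure "$1" "$3"; then
            echo "ok:   $logfile is root-owned, mode 0600"
        else
            echo "warn: $logfile is mode $1 owned by $3"; rc=1
        fi
    else
        echo "info: $logfile does not exist"
    fi
    return $rc
}

# Demo on two constructed sudoers files: a stock one and one hardened as the
# thread suggests. Temp files are removed afterwards.
weak=$(mktemp); hard=$(mktemp)
printf 'Defaults env_reset\n' > "$weak"
printf '# hardened per the thread\nDefaults env_reset\nDefaults:ALL  tty_tickets\nDefaults timestamp_timeout=0\n' > "$hard"
echo "== stock =="; audit_sudo "$weak" /var/log/secure.log || true
echo "== hardened =="; audit_sudo "$hard" /var/log/secure.log || true
rm -f "$weak" "$hard"
```

Run it as `sh audit.sh` to see both reports; to audit a live system, call `audit_sudo /etc/sudoers /var/log/secure.log` (reading /etc/sudoers normally requires root). The grace period is reported as informational rather than as a failure because, as the thread itself notes, removing it entirely has its own trade-offs.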


