[X-Unix] Re: Root Exploit via sudo

Kuestner, Bjoern Bjoern.Kuestner at drkw.com
Wed Apr 13 01:32:24 PDT 2005


>I am still at a loss with this thread. What is the key real issue? If 
>you can sudo then you have an admin PW and you can muck about without 
>issue so what's this thread really about? Maybe it's about being a 
>little sloppy and an academic usage of trojans.

I guess that's the underlying question, just how "academic" such a trojan
is. 

Within the history of sudo on Unix and Linux systems has there ever been
such a trojan? 

And then, within the history of sudo on Unix and Linux systems has there ever
been one which wrote sudo logs to a group-readable file vs. the more common
and here suggested root-only-readable file?

I'd be surprised if Apple would not fix this with the next security update
and within Tiger when there is such a simple solution at hand to retain the
good security reputation of OS X. Apple might consider the issue technically
silly, but politically and marketing-wise Apple would not help their brand
name if they start discussing about this. 

>Although I agree with the security focus article in principle, too 
>many of us operate our day-to-day accounts as admin accounts as well 
>- intrinsically a bad move. 

I confess, so do I. I tried to do without for a while. But there were just
so many apps that I like to use but which don't display the full
authentication dialog. Whenever they need elevated privileges they only ask
for the password, not for a login. Unless you're logged in as an admin you
cannot use these applications. )c:

Actually, that was a long time ago. Maybe I should try again what the
current situation is.

What are the experiences of users here that do not use an admin account as their
main work account? And do they fiddle with the system much (where I could
imagine that the lack of admin privileges gets in the way like just to
install a new little tool to /Applications.)

>Properly, you should never use an admin 
>account for day to day work - it would be like logging on to linux as 
>root for day-to-day activities. 

No. Because even admins cannot simply "rm -rf /". They have to sudo and just
being asked for the password should (and does for me) put you in the mental
alert mode.

The same is true in the GUI. You're always asked for a password first to do
certain things. That's not the case with root.

Also many hacking attempts fail just by the simple case that there is no
root login on an OS X system (in the default configuration). With root
enabled that, too, is much worse than using admin as your daily work
account.

>I find it amazing that securityfocus 
>would call out OSX in particular as this "risk" is true for any user 
>on Unix or Linux derivative who has sudo privileges. 

Like I wrote above: probably not, because for all those read access to the
sudo log is much more restricted. It's OS X's default settings which cause
the problem, not a code or architecture problem.

This default setting simplifies the bad stuff that a trojan horse can do. 

Of course, from my perspective, all those systems which still have root
enabled (and many systems do, even in sensitive areas) actually run a
similarly significant if not a higher risk. But that, too, is just a matter
of the productive configuration and maybe the default configuration. Not
that Linux or Solaris or AIX in itself is insecure. You can run Solaris
without root. (Ah, or so I think. (c: )

>Additionally, let's look at relative risk. If you have a public IP or 
>are behind a router/firewall and have SSH open "because it's secure" 
>and are using stock out-of-the-box defaults you have a much larger 
>risk going on than the one securityfocus proposes.

Could you elaborate on that?

If I'm behind a router and have SSH open within my intranet, do you see a
specific security risk that is "much larger"?

And if I expose my SSH port to the internet, do you have specific security
issues in mind that I should be aware of?

Thanks,

Bjorn
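The group-readable-log point above, turned into a check a defender can run. This is an added example, not part of the original message; the candidate log paths in the loop at the end are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): report whether a log file
# is readable beyond its owner, which is the condition that makes a sudo
# log useful to a trojan running as an ordinary group member.
# log_perm_status <path> prints one word and returns 0 only for OK:
#   OK, GROUP_READABLE, WORLD_READABLE, MISSING, UNKNOWN
log_perm_status() {
    f="$1"
    [ -e "$f" ] || { echo MISSING; return 1; }
    # GNU stat (Linux) prints the octal mode with -c '%a'; BSD/macOS stat
    # needs -f '%OLp'. Try GNU first and fall back to BSD.
    mode=$(stat -c '%a' "$f" 2>/dev/null) || mode=$(stat -f '%OLp' "$f" 2>/dev/null)
    [ -n "$mode" ] || { echo UNKNOWN; return 1; }
    # Pad with string ops (not printf, which would read a leading 0 as
    # octal) and keep the last three digits: owner, group, other.
    perm=000$mode
    perm=${perm#${perm%???}}
    g=${perm%?}; g=${g#?}      # group permission digit
    o=${perm#??}               # other (world) permission digit
    if [ $((o & 4)) -ne 0 ]; then
        echo WORLD_READABLE; return 1
    elif [ $((g & 4)) -ne 0 ]; then
        echo GROUP_READABLE; return 1
    fi
    echo OK
}

# Candidate sudo/auth log locations (assumed; adjust for your system).
for log in /var/log/auth.log /var/log/secure /var/log/sudo.log; do
    if [ -e "$log" ]; then
        printf '%-22s %s\n' "$log" "$(log_perm_status "$log")"
    fi
done
```

A 640 file is flagged as GROUP_READABLE, which is exactly the OS X default the thread complains about; 600 passes as OK.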