Wandering Thoughts archives

Some thoughts on what sudo emails to ignore and to not ignore

If you run a multi-user system with sudo and your users are anything like ours, you will periodically get email alerts from sudo about users trying to do things. In theory and in an ideal world all of these emails would be evidence of malign intent because, after all, they're all from unauthorized users trying to do things as root.

In the real world this is not at all the case. In practice we get a lot of email from sudo about users trying to run things like, oh, 'easy-install PKG' or 'apt-get install PKG' or 'npm install PKG'. You get the idea. Although we've never tracked down the users involved to quiz them about it, my assumption is that they've found some 'how to install X' guide on the web, the guide uses sudo because it's focused on single-user machines (or machines where you're the administrator), and they are rationally following the guide. I can't expect that our users necessarily even know what sudo is and it's not as if sudo gives you a big glaring warning about this when you run it; it just prompts you for a password (and then doesn't tell you why things didn't work, which of course leads users to thinking that they entered their password wrong and trying several times).

(We've gotten enough of these emails that we actually wrote a sudo cover script that just tells people 'this won't work, please contact your point of contact for assistance'. It doesn't work all of the time for various reasons but it really cuts down on the noise, and at least we're trying to be friendly.)

But every so often we get sudo emails with commands that look far less innocent, commands like '/bin/su -'. I've now learned that sudo attempts that don't look like they have a straightforward or innocent reason ought to be fully investigated. I think we're going to be bothering users in the future for explanations even if there are no signs that their accounts have been compromised. What exactly are such commands? I'm not sure yet but I'll probably start with anything that doesn't have an obvious explanation. We'll inevitably be refining our views of this as we talk to users and see why they wound up running somewhat innocent sudo commands. Cynically I expect to find that there are an awful lot of instructions out there on the web that have people doing remarkably alarming things through sudo.

(In our recent security incident the intruders immediately tried to do 'sudo /bin/su -'. This is now an immediate 'drop everything and go digging' trigger for me; the odds appear very good that any account that tries to do this has been compromise.)