Wandering Thoughts archives


The security model of sudo versus su

Some time ago I wrote about the three faces of sudo, where one of the faces was basically 'sudo as the replacement for su in how sysadmins get unrestricted root privileges' and I said that this created a different security model than with su. Today I want to talk about what that new model is and how I see it differing from su's in a way that makes me like it less.

To start with we need to talk about the security model of su. Su has a simple security model: you must know the root password and generally be in a restricted group. Then you can either get a root shell or execute a command as root by giving su the root password, and you must do this for every shell or command that you want.

(If your version of su is not configured to require membership in group 'wheel' or the local equivalent, the security model is that anyone at all who knows the root password can use su to assume root powers.)

Sudo's normal security model is that if you are in a restricted group and know your own password, you can run commands as root or get a root shell by typing your own password. Once you've typed your password once you can then run commands as root without any prompt for a certain amount of time.

There are two big differences between these two security models. The first is the choice of password that you are challenged with, where sudo's choice is noticeably weaker. With sudo the security of root access rests not on the root password alone but the passwords of everyone who has root access. Since people's regular passwords are used much more often and more broadly than the root password, my view is that they are more exposed (including stored in programs). An attacker who compromises even one sysadmin password now has immediate access to root by logging in as the sysadmin and repeating the password that they already know; they don't need to compromise an additional secret.

The second is that sudo effectively creates a temporary environment where you have root powers by using a magic prefix. An attacker that can detect this environment (or try blindly) and inject commands into it (either directly or, for example, via a shell script that you're running) can hijack this special power even without knowing your password and immediately use root powers. My view is that this makes a post-sudo shell session unusually dangerous and damaging. It also somewhat increases the possibility of simple accidents, since an errant sudo command will go through without a pause that would give you a chance to reconsider.

Either or both of these changes can be turned off via sudoers settings. But then you've reduced sudo to a variant of su. Maybe that's what you want (sudo does have better logging than su and some additional features), but I don't think it's the common way to use sudo as a su replacement. Maybe I'm wrong here, though; I'd be interested to hear if places that use sudo as a su replacement turn off these.

unix/SudoSecurityModel written at 00:05:51; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.