Some thoughts on what
sudo emails to ignore and to not ignore
If you run a multi-user system with
sudo and your users are anything
like ours, you will periodically get email alerts from
users trying to do things. In theory and in an ideal world all of these
emails would be evidence of malign intent because, after all, they're
all from unauthorized users trying to do things as root.
In the real world this is not at all the case. In practice we get a
lot of email from
sudo about users trying to run things like, oh,
easy-install PKG' or '
apt-get install PKG' or '
npm install PKG'.
You get the idea. Although we've never tracked down the users involved
to quiz them about it, my assumption is that they've found some 'how to
install X' guide on the web, the guide uses
sudo because it's focused
on single-user machines (or machines where you're the administrator),
and they are rationally following the guide. I can't expect that our
users necessarily even know what
sudo is and it's not as if
gives you a big glaring warning about this when you run it; it just
prompts you for a password (and then doesn't tell you why things didn't
work, which of course leads users to thinking that they entered their
password wrong and trying several times).
(We've gotten enough of these emails that we actually wrote a
cover script that just tells people 'this won't work, please contact
your point of contact for assistance'. It
doesn't work all of the time for various reasons but it really cuts
down on the noise, and at least we're trying to be friendly.)
But every so often we get sudo emails
with commands that look far less innocent, commands like '
-'. I've now learned that sudo attempts that don't look like they
have a straightforward or innocent reason ought to be fully
investigated. I think we're going to be bothering users in the
future for explanations even if there are no signs that their
accounts have been compromised. What exactly are such commands?
I'm not sure yet but I'll probably start with anything that doesn't
have an obvious explanation. We'll inevitably be refining our views
of this as we talk to users and see why they wound up running
sudo commands. Cynically I expect to find that
there are an awful lot of instructions out there on the web that
have people doing remarkably alarming things through
(In our recent security incident the
intruders immediately tried to do '
sudo /bin/su -'. This is now
an immediate 'drop everything and go digging' trigger for me; the
odds appear very good that any account that tries to do this has