Some thoughts on what sudo emails to ignore and to not ignore

February 6, 2014

If you run a multi-user system with sudo and your users are anything like ours, you will periodically get email alerts from sudo about users trying to do things. In theory and in an ideal world all of these emails would be evidence of malign intent because, after all, they're all from unauthorized users trying to do things as root.

In the real world this is not at all the case. In practice we get a lot of email from sudo about users trying to run things like, oh, 'easy_install PKG' or 'apt-get install PKG' or 'npm install PKG'. You get the idea. Although we've never tracked down the users involved to quiz them about it, my assumption is that they've found some 'how to install X' guide on the web, the guide uses sudo because it's focused on single-user machines (or machines where you're the administrator), and they are rationally following the guide. I can't expect that our users necessarily even know what sudo is, and it's not as if sudo gives you a big glaring warning about this when you run it; it just prompts you for a password (and then doesn't tell you why things didn't work, which of course leads users to think that they entered their password wrong and to try several times).

(We've gotten enough of these emails that we actually wrote a sudo cover script that just tells people 'this won't work, please contact your point of contact for assistance'. It doesn't work all of the time for various reasons but it really cuts down on the noise, and at least we're trying to be friendly.)

But every so often we get sudo emails with commands that look far less innocent, commands like '/bin/su -'. I've now learned that sudo attempts that don't look like they have a straightforward or innocent reason ought to be fully investigated. I think we're going to be bothering users in the future for explanations even if there are no signs that their accounts have been compromised. What exactly are such commands? I'm not sure yet but I'll probably start with anything that doesn't have an obvious explanation. We'll inevitably be refining our views of this as we talk to users and see why they wound up running somewhat innocent sudo commands. Cynically I expect to find that there are an awful lot of instructions out there on the web that have people doing remarkably alarming things through sudo.

(In our recent security incident the intruders immediately tried to do 'sudo /bin/su -'. This is now an immediate 'drop everything and go digging' trigger for me; the odds appear very good that any account that tries to do this has been compromised.)
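As an added example (not code from the post or from our systems), here is a small triage script that applies the rule of thumb above to the lines sudo writes to syslog for rejected attempts: the installer commands that web guides wrap in sudo are filed as noise, 'su' is flagged for immediate investigation, and anything without an obvious explanation is queued for a question to the user. The log lines, usernames and bucket names are constructed for illustration.

```python
import re
from os.path import basename

# Constructed sample of the syslog lines sudo writes for rejected attempts
# (made up for this example, not taken from the post or any real system).
SAMPLE_LOG = """\
Feb  6 01:12:03 host sudo:    alice : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get install python-dev
Feb  6 01:15:44 host sudo:      bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/npm install -g grunt-cli
Feb  6 02:40:19 host sudo:    carol : user NOT in sudoers ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/su -
Feb  6 03:02:51 host sudo:     dave : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/ls
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?P<reason>.+?) ; TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<command>.+)$"
)

# Installers that web "how to install X" guides wrap in sudo: expected noise.
GUIDE_INSTALLERS = {"apt-get", "yum", "pip", "easy_install", "npm", "gem"}

def parse_sudo_line(line):
    """Return the fields of one rejected-attempt line, or None if it is not one."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None

def classify(command):
    """Sort a COMMAND= string into the triage buckets the post describes."""
    argv = command.split()
    prog = basename(argv[0])
    # 'sudo /bin/su -' is the drop-everything trigger: an account that asks
    # for a root shell this way deserves immediate digging.
    if prog == "su":
        return "investigate"
    if prog in GUIDE_INSTALLERS and "install" in argv[1:]:
        return "guide-noise"
    # Everything else lacks an obvious explanation: ask the user.
    return "ask-user"

def triage(log_text):
    """Parse a block of log lines; return (user, command, verdict) per attempt."""
    results = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec and rec["runas"] == "root":
            results.append((rec["user"], rec["command"], classify(rec["command"])))
    return results

if __name__ == "__main__":
    for user, cmd, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:12} {user:8} {cmd}")
```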

Comments on this page:

By Ewen McNeill at 2014-02-06 19:32:13:

Another thing I've found both as a user with sudo on some boxes and not others, and doing operations, is that sometimes users will just be focused on the wrong window when entering a command, or not have exited out of the last ssh session like they thought they had. I.e., some percentage of these are "oops, I thought I was doing that on my desktop" -- or home system.

I suspect you're right that "sudo /bin/su -" as a complete string merits investigation: it's much less likely to be typed by mistake (even compared with "sudo su -", which I do use occasionally on some boxes where I have root-via-sudo and need to enter commands that are trickier via sudo, e.g., with IO redirection, or with root's path rather than my user one).
