Sudo and changes in security expectations (and user behaviors)
Sudo has a well-known, even famous default behavior: if you try to use sudo and you don't have sudo privileges, it sends an email alert off to the sysadmins (sometimes these are useful). In my view, this is the sign of a fundamental assumption in sudo's security model, namely that it's only going to be used by authorized people or by malicious parties. If you're not a sysadmin or an operator or so on, you know that you have no business running sudo, so you don't. Given the assumption that unauthorized people don't innocently run sudo, it made sense to send alert email about it by default.
Once upon a time that security model was perfectly sensible, back in the days when Unix machines were big and uncommon and theoretically always run by experienced professionals. Oh, sure, maybe the odd sysadmin or operator would accidentally run sudo on the wrong machine, but you could expect that ordinary people would never touch it. Today, however, those days are over. Unix machines are small and pervasive, there are tons of people who have some involvement in sysadmin things on one, and sudo has been extremely successful. The natural result is that there are a lot of people out there who are following canned howto instructions without really thinking about them, and these instructions say to use sudo to get things done.
(Sometimes the use of sudo is embedded into an installation script or the like. The Let's Encrypt standard certbot-auto script works this way, for instance; it blithely uses sudo to do all sorts of things to your system without particularly warning you, asking for permission, or the like.)
In other words, the security model that there's basically no innocent unauthorized use of sudo is now incorrect, at least on multi-user Unix systems. There are plenty of such innocent attempts, and in some environments (such as ours) they're the dominant ones. Should this cause sudo's defaults to change? That I don't know, but the pragmatic answer is that in the grand Unix tradition, leaving the defaults unchanged is easier.
(There remain Unix environments where there shouldn't be any such unauthorized uses, of course. Arguably multi-user Unix environments are less common now than such systems, where you very much do want to get emailed if, eg, the web server UID suddenly tries to run sudo.)
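The two paragraphs above describe the same problem from both sides: on a multi-user system most "NOT in sudoers" events are innocent, while on a single-purpose server a service UID attempting sudo is exactly the event you want to hear about. One way to get the best of both without touching sudo's defaults is to leave the denial logging in place and triage the log lines afterwards. The script below is an added example, not code from the post or from the sudo project: it parses the syslog-format lines sudo writes for a denied user, sends per-event alerts only for non-interactive or known service accounts, and rolls everything else into a summary. The log lines and the `SERVICE_ACCOUNTS` set are constructed for the example; real deployments would feed it their own logs and their own account list.

```python
"""Triage sudo 'user NOT in sudoers' log lines.

Example code added for illustration; the sample log below is constructed,
not taken from any real system.
"""
import re
from collections import Counter

# sudo's syslog line for a denied user looks like:
#   sudo:    alice : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
DENIAL_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : user NOT in sudoers ; "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)

# Constructed sample: two human users following a howto, one web-server
# UID with no terminal, and one permitted sudo run that must be ignored.
SAMPLE_LOG = """\
Oct  3 09:12:01 host sudo:    alice : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get install foo
Oct  3 09:15:44 host sudo:      bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /root
Oct  3 09:20:10 host sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/sh -c id
Oct  3 09:21:00 host sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# Hypothetical list of accounts that should never run sudo on this host.
SERVICE_ACCOUNTS = {"www-data", "nginx", "postgres", "nobody"}


def parse_denials(text):
    """Return one dict per 'user NOT in sudoers' line; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if m:
            denials.append(m.groupdict())
    return denials


def is_suspicious(denial, service_accounts):
    """A denial is worth an immediate alert when it comes from a service
    account or from a process with no controlling terminal (TTY=unknown),
    neither of which matches the 'person following a howto' pattern."""
    return denial["user"] in service_accounts or denial["tty"] == "unknown"


def triage(denials, service_accounts):
    """Split denials into per-event alerts and a per-user summary count."""
    alerts = [d for d in denials if is_suspicious(d, service_accounts)]
    summary = Counter(d["user"] for d in denials
                      if not is_suspicious(d, service_accounts))
    return alerts, summary


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    alerts, summary = triage(found, SERVICE_ACCOUNTS)
    for a in alerts:
        print(f"ALERT: {a['user']} (tty={a['tty']}) tried sudo: {a['cmd']}")
    for user, n in summary.items():
        print(f"summary: {user} had {n} denied sudo attempt(s)")
```

The same split could be applied upstream by changing which sudoers `Defaults` mail options are set, but filtering after the fact keeps sudo's own defaults untouched, which is the pragmatic path the post leans toward.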