The problem with sudo is that it's freaking annoying to have to issue it and type the password in very every command.
I would much prefer an alternate account that had augmented permissions and a time limit/auto log out function. Something where I could log into admin-john and install something taking many steps, and then log out (or have it auto log out if I forgot, after some period of time.)
If your sudo asks for your password on every invocation you have it poorly configured. The purpose of the timeout is to deny permission while absent the keyboard. Sudo is perfectly happy to allow whatever timeout you desire.
That said, fairly short timeouts do have security advantages unless one religiously locks the screen or has RFID presence detection w/ locking - or something like it.
Again, the intent of the timeout is to minimize exposure by absent keyboards. By having a root terminal you're maximizing that exposure. It's worse than even a largish timeout with sudo. Of course some sanity is required. Having an hour timeout with a 15 minute screen lock is silly.
The added advantage of sudo is that it's logging the execution of commands requiring elevated privileges. For those who are using sudo in a limited elevation this too provides increased logging for finger pointing.
All security is overhead. The most important question to ask and adjust is what level of overhead is appropriate for the gained measure of security. Which is why security is a process and not a product... yadda yadda...
But... most security issues originate from within.
Things like sudo with a timeout and ssh keys with passphrases both have advantages in most environments.
If you use sudo to open a shell, then I think you are using sudo wrong. sudo should be "sudo ", not access to a new shell.
In the example they gave in the article, they were giving sudo access only to one command and the group that could issue it was limited. I do not believe it opened a shell. For example I don't think they could: >sudo su
As that would be essentially becoming root which is a huge security hole.
>sudo admin_program
...when that user is on a whitelist for using that command is the more secure use of sudo and the one recommended.
Bottom line, don't give regular users root control over your system!
BTW, if, for example, having something like a 15 minute timeout is too small, then it's hard to justify a dedicated root login from a security perspective. Again... it's a process and no one value is good for every situation.
The problem with sudo is that it's freaking annoying to have to issue it and type the password in very every command.
ReplyDeleteI would much prefer an alternate account that had augmented permissions and a time limit/auto log out function. Something where I could log into admin-john and install something taking many steps, and then log out (or have it auto log out if I forgot, after some period of time.)
John Lewis well that's a problem for mere mortals.
ReplyDeleteI am root. ;')
Seriously though, the reality is that anyone that uses commands that require sudo often enough either shouldn't be running them, or should have root.
For myself, when I'm logged in as my normal user, I still keep a root shell open for launching any administrative commands.
As do I.... sigh.
ReplyDeleteWhat?!?
ReplyDeleteIf your sudo asks for your password on every invocation you have it poorly configured. The purpose of the timeout is to deny permission while absent the keyboard. Sudo is perfectly happy to allow whatever timeout you desire.
That said, fairly short timeouts do have security advantages unless one religiously locks the screen or has RFID presence detection w/ locking - or something like it.
lifehacker.com - Make Sudo Sessions Last Longer in Linux
Greg Copeland
ReplyDelete"...If your sudo asks for your password on every invocation you have it poorly configured...."
I would argue you have it configured correctly.
Like I said, anyone annoyed by sudo either should have it at all or you should have root.
Again, the intent of the timeout is to minimize exposure by absent keyboards. By having a root terminal you're maximizing that exposure. It's worse than even a largish timeout with sudo. Of course some sanity is required. Having an hour timeout with a 15 minute screen lock is silly.
ReplyDeleteThe added advantage of sudo is that it's logging the execution of commands requiring elevated privileges. For those who are using sudo in a limited elevation this too provides increased logging for finger pointing.
All security is overhead. The most important question to ask and adjust is what level of overhead is appropriate for the gained measure of security. Which is why security is a process and not a product... yadda yadda...
But... most security issues originate from within.
Things like sudo with a timeout and ssh keys with passphrases both have advantages in most environments.
If you use sudo to open a shell, then I think you are using sudo wrong. sudo should be "sudo ", not access to a new shell.
ReplyDeleteIn the example they gave in the article, they were giving sudo access only to one command and the group that could issue it was limited. I do not believe it opened a shell. For example I don't think they could:
>sudo su
As that would be essentially becoming root which is a huge security hole.
>sudo admin_program
...when that user is on a whitelist for using that command is the more secure use of sudo and the one recommended.
Bottom line, don't give regular users root control over your system!
BTW, if, for example, having something like a 15 minute timeout is too small, then it's hard to justify a dedicated root login from a security perspective. Again... it's a process and no one value is good for every situation.
ReplyDelete