Debian User Forums

[ziggybopbopdoo]

on the OP's system it can silently compromise security.

but I am smart enough not to enter my password when malicious code asks for it?

I highlighted the word you missed.

Oh yea I missed it. So the MAJOR security issue is that in one case the code ran silently. In both cases the code was run but one of them was silent and the other wasn't. That is the big security issue? Not the compromise itself, not the idiocy of running untrusted code but only that one ran silently. Once again my respone is....REALLY?

If I am dumb enough to run malicious code then there is no reason to think I would not enter my password anyway. True it would not run silently but the end result would be the exact same.

Oh no, the code ran silently after I downloaded it, chown'd/chmod'd it, and executed it. Oh no I would definately be smart enough after that to not enter my password when asked. No silent code for me.

So either I am dumb enough to run malicious code and dumb enough to enter a password or I am not dumb enough to do either. You cant make a hypothetical user dumb as a box of rocks one minute yet sharp as a tack the next.

Not to mention, if you are going to run malicious code then I dont care about sudo access all I need is a keystroke logger!

[ziggybopbopdoo]

Not to mention, if you are going to run malicious code then I dont care about sudo access ...

enough fun stuff to do with user privys...

create a desktop file in the autostart folder to startup anything I want started

crank up your browser and direct it to a page where I could run some code against

check and see if you have ssh running and use that for all sorts of fun

I could just wget tons of kiddie porn onto your computer and notify the authorities and let them have fun with you.

not to mention plain old privilege escalation exploits if I did need higher privileges

But since it isn't run silently it isn't a security risk.

[Birdy]

Yall bark at the wrong tree.
The OP is in touch with a higher source: http://devotional.upperroom.org/ (from da signature).
No need to worry about earthly matters (An eternety with passwordless root rights, how cool does that sound?).

[ziggybopbopdoo]

I wish I could get the creeps about this, in the past it was possible for me to do so just for shits and giggles, but everytime I run scenarios nowadays I come up empty.

Either users are not reckless/ignorant regarding their system, in which case this is a non-issue as nobody would ever have a chance to abuse this setup or users are reckless in which case this is pretty minor as far as reckless behavior goes. I guess you could argue that, for reckless users, it adds to the recklessness. It would be like arguing that someone should not do something slightly reckless while they are already doing something catasrophic at the time. Either way it is the admin doing this and the risks should be glaringly obvious. It isn't something a user could do without realizing the exact ramifications. The point of the howto isn't cryptic or confusing. It doesn't need explaining to be understood. It isn't like expecting users to look at apt-listbugs to hopefully keep things in working order, it doesn't rely on understanding the difference in using release codenames in sources, ad nauseum.

Wanting to remove this howto would be like other forums banning dangerous commands and discussion of them.

[dilberts_left_nut]

Wanting to remove this howto would be like other forums banning dangerous commands and discussion of them.

+1

It is simply information (also available elsewhere) that some may find useful.
I question exactly *which* situations would call for it, but that may be just me...

You say you don't intentionally run malware, but would not a browser expolit script (which you may not intentionally run) also get root rights by simply invoking sudo?

[TobiSGD]

I am the only user so no need for restricting which commands I can use.

A common misconception. You are not, as long as your system is connected to the web and you are running a browser without add-ons like Noscript.

[saulgoode]

It is simply information (also available elsewhere) that some may find useful.

Agreed. And the information is not wrong and, in certain scenarios, not even misguided.

I question exactly *which* situations would call for it, but that may be just me...

I have in the past used a development account set up to permit passwordless sudo. I never browsed the web with this account, in fact the only thing I used it for was compiling software and building packages. This approach allowed me to retrieve and compile software as an unprivileged user, and easily use 'sudo' to change permissions and ownerships when building a package, as well as installing or upgrading the package (and in a situation where the act of entering your password has the potential of it being intercepted, limiting how often it is required can prove beneficial).

This still opened a vulnerability should the compile scripts attempt to perform sudo, however, if any upstream provider ever tried such a thing it would be unlikely to go unnoticed (to put it mildly).

To be sure, I no longer bother to do this as it just was not worth the effort to set up and I no longer have to worry about someone looking over my shoulder as I work.

You say you don't intentionally run malware, but would not a browser expolit script (which you may not intentionally run) also get root rights by simply invoking sudo?

This would be my greatest concern for the approach proposed by the OP. I wouldn't even feel comfortable with the sudo password being retained for any length of time (I understand Ubuntu keeps it around for fifteen minutes), as during that interval, an exploit might occur while browsing.

Personally, I would recommend against giving any regular user account full root privileges through sudo, even with a password. The only reason to give an account full root privileges through sudo is if the account is for administrative purposes and then the user should only use this sudo-enabled account as though it were root -- only logging into it to do administration, and logging into a separate, regular account for web-browsing and other ordinary activities.

[ziggybopbopdoo]

If a system can be exploited via the web then it can be exploited regardless of whether sudo is even installed or how it is configured.

To my knowledge all client side scripts are sandboxed by the browser to keep them from being able to execute any sort of system commands anyway. If someone could crack this then I don't really thinking escalating privys would be a problem for them with or without sudo.

Even if malicious code was deliverd via a browser and could somehow run system commands then considering the default timeout behavior of sudo it could simply try over and over until you actually use sudo for something and then it will run without requiring a password the same as if you had sudo setup without a password.

So once again, I just cannot make myself get very upset over a sudo setup that doesn't request a password.

All that being said, I don't think most single user systems need sudo at all. In fact I do not recommend sudo unless it cannot be avoided. Heck, a user having access to ALL the commands actually creeps me out more than not requesting a password to use those commands.

Of course I could be totally wrong and I welcome someone to prove that I am. I welcome a practical example that I can upload to my web server and try out for myself.


ps - running client side scripts does not magically make my single user system into a multi user system TobiSGD Talk about a misconception.

[saulgoode]

To my knowledge all client side scripts are sandboxed by the browser to keep them from being able to execute any sort of system commands anyway. If someone could crack this then I don't really thinking escalating privys would be a problem for them with or without sudo.

Year after year, ways of bypassing browser sandboxing have been demonstrated. Escalation of privileges is a separate problem and much easier to defend against, and the core system is already designed to address this (with forty years of history behind it), assuming that you use the system in a manner that doesn't intentionally bypass the protections available.

Even if malicious code was deliverd via a browser and could somehow run system commands then considering the default timeout behavior of sudo it could simply try over and over until you actually use sudo for something and then it will run without requiring a password the same as if you had sudo setup without a password.

Which is why a security conscious user should consider configuring sudo so as to not retain password for any time whatsoever (i.e., use a timestamp_timeout of "0"). Better still, don't browse the web from a sudo-privileged account.

[ziggybopbopdoo]

Year after year, ways of bypassing browser sandboxing have been demonstrated.

I am not really sure how applicable that is in this context. I guess it might be depending on which contest/day you are speaking of. If you wish to elaborate we could dig in further and see if we can find out the details. But considering that the laptop running Ubuntu was not exploited, while circumstantial, that seems to say something siginificant I think.

I also am not sure that the targets in that contest are representative of a user sitting at home behind a ISP device, a personal router, and a software firewall (if installed).

I think my conclusion remains the same or near about. If a user isn't security conscious then passwordless sudo is the least of their problems.

[ComputerBob]

But if that person does something that is incorrect, unwise, foolish or stupid, that person should not give others instructions to do the same. Posts like the OP are an argument for guides to need a moderator's permission before being added to the how-to section.

I like that idea.

[ziggybopbopdoo]

I like that idea.

I do too. All that needs to be done now is to prove it is incorrect, unwise, foolish, or stupid.

[TobiSGD]

All that being said, I don't think most single user systems need sudo at all. In fact I do not recommend sudo unless it cannot be avoided. Heck, a user having access to ALL the commands actually creeps me out more than not requesting a password to use those commands.

It depends. If you use sudo for its main purpose, giving certain users well defined access rights to certain programs, there is nothing wrong with using sudo, even on a single user system. For example, you might use the root account for system administration, but may have set up sudo to allow the normal user to loop-mount ISO images.

ps - running client side scripts does not magically make my single user system into a multi user system TobiSGD Talk about a misconception.

If a third party is able to run code on your system without your consent, how would you call that? I would say that you are not the only user of that system in that case.

[Hallvor]

But if that person does something that is incorrect, unwise, foolish or stupid, that person should not give others instructions to do the same. Posts like the OP are an argument for guides to need a moderator's permission before being added to the how-to section.

I like that idea.

People should always have the freedom to do even stupid things on their own systems. I don't believe in babysitting/cencoring someone into becoming responsible. If you give new users freedom and knowledge, responsibility will grow.

As long as bad advice gets shot down within reasonable time and within the same thread, I don' t see any problem.

[confuseling]

If this thread proves anything, it's that there isn't universal agreement about best practices and acceptable levels of security. Better to have the discussion in the open, I reckon.

...
I think my conclusion remains the same or near about. If a user isn't security conscious then passwordless sudo is the least of their problems.

Also, if the user isn't savvy enough to read the whole thread before implementing a how-to (or for long ones, at least enough to get a sense of any controversy), they're lost before they started.