
I think these problems are basically negligible because the number of people trying to "configure sudo to be safe to use for unprivileged users, by only allowing specific things to run with it" is negligible. Virtually all users of sudo are using it on their own computer, of which they are the sole user and ultimately the administrator. Even in corporate contexts where the company owns the machine instead of the user, I've only ever seen cases where the use of sudo is unrestricted albeit logged. Where are these organizations where developers or sysadmins are allowed to use sudo but only with whitelisted commands? I don't doubt that some people are doing this, I just think it's not common.

Replacing the whole of sudo with some weird new thing to better support a niche usecase seems disconnected from reality to me.




I've only ever seen people use sudo to prevent accidents (by running most commands unprivileged), not malicious use.

These guys are selling FreeBSD consultancy, so I don't know how this article can be unbiased.

> On Linux systems, it is very common to use sudo for operations that require root permissions

Not common unless authors used Ubuntu desktop, which pushed sudo usage to the extremes. I don't even have it installed. However, frequent sudo usage usually indicates something is wrong with how you use the system, maybe account permissions or lack of knowledge of how to use it properly.


I think what is perhaps something to consider is how much of an attack surface sudo is and how unaware people are of the fact. Many people think they can configure sudo to be safe to use for unprivileged users, by only allowing specific things to run with it. But they don't realize all the ways it can be abused for privilege escalation. Getting rid of all that configuration removes that false sense of security, which is a good thing; it has been a huge footgun in Linux for decades. Some incompatibility is a price well worth paying for that imho.

I don't use sudo to improve my security; I use sudo because it's what I've become familiar with.

I don't want to come across as pedantic - the point I mean to make is that I think a lot of people use sudo without thinking about it much. Sudo's just "the way to use linux" for a lot of people I know.

I don't think the sudo contributors should be labelled as irresponsible, because everything they've added to the project is available for the public to see and scrutinise. I don't think they've ever misled people; rather, people have assumed things.

Maybe people who care about security will notice now that sudo doesn't have comprehensive testing, and will make their own alternative.


Honestly, I don't have any issues with "sudo"; it is an excellent tool for the job - it temporarily executes a command as a different user. But Ubuntu moved that to the next level, and in documentation, you'd frequently find shell samples with multiple successive sudo calls, executed as a root user. That should be replaced with a single "su".

On the other hand, I have seen excessive sudo usage only in Ubuntu and some Debian/Arch docs. Maybe, this is the reasoning behind their comment that sudo is frequently used.

<joke> Also, you can easily spot Ubuntu users: they'll type almost any command with sudo :D </joke>


No doubt 80% of the users only use 20% of the features... but do they use the same 20%? :)

I think sudo is often the wrong tool for what people are using it for today-- it's a tool to delegate on a multi-user system. But today people are most often applying it on a single(-ish) user system to raise or lower their permissions.

Ironically, most of the vulnerabilities that sudo has had aren't really of consequence in that modern single user usage: If the attacker can run code as the user, then they'll be able to take over any privilege raising process the user uses even if the 'sudo' tool were flawless.

Once you leave that use case the greater feature set of sudo (including, perhaps some of those crusty features you mention) has more applicability.

The thing to always keep in mind is that the program's cruft is substantially the body of its embedded knowledge. Some of that knowledge might be mistaken or outdated. If you really knew what parts were what-- you could just remove them.

If the rewrite isn't sure it can remove it and just replicates, it may not have understood the function's purpose enough to replicate it faithfully and could even introduce security problems (or cause users to introduce them by forcing them to bodge around configuration statements that no longer work).


Sudo feels like a broken concept to me because it's there to protect the machine and other users.

But these days many computers are only used by one user.

Everything I care about on my computer is readable by my user and a program running as my user could put fake binaries in my path.


I'm curious, is this one implementation of sudo really used everywhere?

I was under the impression that different Linux userspaces sometimes implement these common commands differently. Like "ls" sometimes actually being aliased to a bash script, or maybe BSD having one implementation and Ubuntu another. Is that not the case? Is "sudo" not maintained by an entity like gnu, bsd, etc?

edit - in other words, I always assumed "sudo" was a highly-dependent system-level tool, not just some useful helper binary that is maintained by one independent person.


Surely that's just your view on it? I've been using Linux since I was a kid and it's definitely not how I or the people I know use sudo. Lol

Sudo is a security boundary, it has to be rock solid and an issue that doesn’t immediately look exploitable is still a big deal. Sudo runs under the control of the attacker, it’s playing with fire!

Agreed. I only use sudo for running particular commands pre-configured in the sudoers file, not for ALL.

Does anybody actually have sudo access on a system that they don't also have 100% control over?

I feel like Linux as a true multi-user system, especially to the level of having sudo access, is such a minority use case that I would never actually trust it in production.


The problem is that sudo is an attempt to hack around the piss-poor Unix security model. Doing the same in a different language will hit the same fundamental problems.

I like sudo.

From the article linked to this one, I get the distinct feeling that the author is talking about a few edge cases in the use of sudo.

I don't think 99% will care.


To be fair, it's the permission model that's not kept up with use cases. On a multiuser system sudo makes a lot of sense.

This is one of the reasons sudo should (by default) only allow a whitelist of built-in commands to be run with wildcards.

Somewhat like sudoedit.

This is of course for the corporate case of a less privileged user performing a certain task at elevated privileges. Not for the more common use of sudo (these days) of people managing their own personal machines.


sudo (at least everywhere I've used it) - is typically used to (A) allow me to run code as root without having to type my password, and (B) give select groups of people the rights to run a few specific commands. In terms of number of times executed, in a recent environment that I was in, in which approximately 100 or so people had sudo rights, 90+% of the time it was to allow people in various groups to run commands like "tcpdump" or "netstat", without giving them full root rights to the system.
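Several comments above (the "false sense of security" of whitelisted commands, the call for sudo to restrict wildcards, and the group rules for tcpdump/netstat just described) hinge on how a sudoers rule is written. As an added example, not code from any commenter or from the sudo project, the following small Python lint reads a constructed sudoers fragment and flags the rule shapes the sudoers(5) manual itself cautions about: `ALL` as the command, `NOPASSWD` on `ALL`, wildcards in argument lists (which match across word boundaries), and interactive editors granted directly instead of via `sudoedit`. The sample rules, the `Finding` class and the tag list are assumptions for illustration; it does not parse aliases or every sudoers construct.

```python
import re
from dataclasses import dataclass

# Constructed sudoers fragment for illustration only; not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults    logfile=/var/log/sudo.log
%netops     ALL=(root) NOPASSWD: /usr/sbin/tcpdump -i eth0 -w /var/tmp/*.pcap
%netops     ALL=(root) /usr/bin/netstat -tulpn
%devs       ALL=(ALL:ALL) NOPASSWD: ALL
alice       ALL=(root) /usr/bin/vim /etc/nginx/nginx.conf
bob         ALL=(root) sudoedit /etc/hosts
carol       ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
"""

# user_spec: "<who> <host>=(<runas>) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<specs>.+)$"
)
# Leading tag prefixes such as "NOPASSWD:" or "NOEXEC:" (subset of sudoers tags).
TAG_RE = re.compile(
    r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW|INTERCEPT):\s*)*"
)
# Editors that sudoers(5) recommends granting through sudoedit instead.
EDITORS = {"vi", "vim", "nano", "emacs"}


@dataclass
class Finding:
    line_no: int
    who: str
    command: str
    message: str


def parse_rules(text):
    """Yield (line_no, who, tags, command) for every command in every user spec."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue  # Defaults and alias lines are not user specs
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m.group("specs").split(","):
            spec = spec.strip()
            tm = TAG_RE.match(spec)
            tags = {t.rstrip(":") for t in tm.group(0).split()}
            yield n, m.group("who"), tags, spec[tm.end():].strip()


def lint(text):
    """Return a list of Findings for rule shapes that weaken a command whitelist."""
    findings = []
    for n, who, tags, cmd in parse_rules(text):
        prog = cmd.split()[0] if cmd else ""
        base = prog.rsplit("/", 1)[-1]
        if cmd == "ALL":
            findings.append(Finding(n, who, cmd, "ALL grants unrestricted root; whitelist specific commands"))
            if "NOPASSWD" in tags:
                findings.append(Finding(n, who, cmd, "NOPASSWD on ALL: full root with no authentication"))
            continue
        if any(ch in cmd for ch in "*?["):
            # sudoers(5): wildcards in arguments match across word boundaries.
            findings.append(Finding(n, who, cmd, "wildcard in arguments matches across words; pin exact arguments"))
        if base in EDITORS:
            findings.append(Finding(n, who, cmd, "editor granted directly; use sudoedit for file edits"))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_SUDOERS):
        print(f"line {f.line_no}: {f.who}: {f.command!r}: {f.message}")
```

The netstat, sudoedit and systemctl rules pass untouched, which is the shape the tcpdump/netstat deployment above relies on; the wildcard in the tcpdump rule and the `%devs ... NOPASSWD: ALL` rule are the kind of entries that look like a whitelist but are not one. Point `lint()` at the contents of a real `/etc/sudoers` or `/etc/sudoers.d/*` file to run it on a host.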

In my experience not many people are aware of the permission model of sudo and I expect a lot of users are merely granted root access. At the same time those deployments which do use sudo's permission model are likely high cost.

The main reason you don't give users sudo is so they don't do anything stupid, not so much to prevent them from acting maliciously.
