From owner-freebsd-security Thu Mar 25 15:46:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (Postfix) with ESMTP id D8185154FF for ; Thu, 25 Mar 1999 15:46:43 -0800 (PST) (envelope-from jwyatt@RWSystems.net)
Received: from kasie.rwsystems.net([209.197.192.103]) (2455 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 25 Mar 1999 17:22:23 -0600 (CST) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24)
Date: Thu, 25 Mar 1999 17:22:22 -0600 (CST)
From: James Wyatt
To: Matthew Dillon
Cc: "Bruce A. Mah" , freebsd-security@FreeBSD.ORG
Subject: Re: sudo (was Re: Kerberos vs SSH)
In-Reply-To: <199903252044.MAA02527@apollo.backplane.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Matthew Dillon wrote:
> :> We used sudo for a little while 3 years ago, but I decided that it was
> :> too big a security risk and wiped it. sudo is one of the stupidest
> :> programs I've ever seen.

Bruce replied:
> :I'd be curious to hear what you think sudo's shortcomings are, and why it
> :merits being labeled as one of the stupidest programs you've ever seen?

Matthew replied:
> Simple: Because the program is designed to poke holes through root and
> run specified programs. It's fairly easy to misconfigure it, and there is
> no guarantee that the programs it runs are themselves secure. sudo opens
> up a whole can of potential security problems.

Not the answer I expected. How are these different from giving the user the
root password? The programs are run similarly - except that root's path
almost never has '.'? It is easy to forget that some programs like 'vi' can
do shell work, allowing the user to use *any* program, not just what they
have been allowed to use.

With a group of admins, I can revoke *any* one of them while keeping them
around without 'sharing' new root passwords. It also logs which programs
which users run; /bin/su does not - root command history is global. I can
anoint a contractor or vendor's account for an emergency and de-anoint it
later, while still allowing them to view operation.

The thing I don't like about it is that it makes programs like linsniffer
more effective. It looks at TCP startups of telnet, FTP, pop, etc... and
very nicely captures their password. Capturing root passwords from users
'su'-ing requires a *lot* more advanced sniffer or cracker intervention.
This easily captured password is sufficient for root access if the user is
allowed to do anything that might gain them shell.

- Jy@

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
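The misconfiguration risk raised in this thread (a grant of an editor such as 'vi' that can spawn a shell, turning a narrow rule into full root) is the kind of thing a sudoers review should catch. The script below is an added example, not code from the original mail or from the sudo project: a small POSIX sh + awk audit that flags editor grants made without sudo's NOEXEC tag or the sudoedit form. The users, paths and rules in SAMPLE_SUDOERS are constructed for the demonstration, and the list of shell-escape binaries is an assumption you would extend for your own site.

```shell
#!/bin/sh
# Added example (not from the mail or the sudo project): audit a sudoers
# fragment for editor grants that are not wrapped in NOEXEC: or sudoedit.
# Assumes a POSIX sh and awk; no host-specific policy is read.

# Constructed sudoers fragment, not a real host policy.
SAMPLE_SUDOERS='# roles for the ops team (constructed sample)
Defaults    logfile=/var/log/sudo.log
ops         ALL=(root) /usr/bin/vi /etc/hosts
contractor  ALL=(root) NOEXEC: /usr/bin/vi /etc/hosts
vendor      ALL=(root) sudoedit /etc/hosts
backup      ALL=(root) /usr/sbin/dump
'

# Programs that can hand the caller a shell; the mail names vi.
# This list is an assumption for the example; extend it for your site.
ESCAPE_BINS='vi vim'

# audit_sudoers TEXT: print "RISK: <rule>" for each grant of an escape-capable
# program that carries neither the NOEXEC: tag nor the sudoedit form.
audit_sudoers() {
    printf '%s\n' "$1" | awk -v bins="$ESCAPE_BINS" '
        BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) escape[b[i]] = 1 }
        /^[[:space:]]*#/ { next }          # comment line
        NF == 0          { next }          # blank line
        /^[[:space:]]*Defaults/ { next }   # option line, grants nothing
        /NOEXEC:/        { next }          # sudo blocks exec() from the program
        {
            # field 1 is the user/group/alias; the rest is host=(runas) cmd args
            for (i = 2; i <= NF; i++) {
                m = split($i, p, "/")      # basename of each token
                if (p[m] in escape) { print "RISK: " $0; next }
            }
        }'
}

# count_risky TEXT: number of flagged grants, printed as a plain integer.
count_risky() {
    audit_sudoers "$1" | awk 'END { print NR }'
}

audit_sudoers "$SAMPLE_SUDOERS"
```

Run against the sample it reports only the 'ops' rule: the 'contractor' rule is covered by NOEXEC, and the 'vendor' rule uses sudoedit, which copies the file to a temporary location and runs the editor as the invoking user rather than as root. Two caveats a reviewer should keep in mind: NOEXEC works by preloading a library into the child, so it does not cover statically linked programs, and a basename match like this is only a first pass, since an alias or a wildcard in the command list can still hide an editor.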