Re: hi all..

On Fri, 2007-02-02 at 19:38 -0800, Michael A. Peters wrote:
> On Fri, 2007-02-02 at 17:35 -0800, Evan Klitzke wrote:
> > On Fri, 2007-02-02 at 14:21 -0800, Michael A. Peters wrote:
> > > Some of the other distros that seem easier only seem so because they
> > > compromise security to achieve it - such as very insecure sudo defaults
> > > that essentially make any admin group user password a root password.
> > > 
> > > I.e. someone gets your user account password, they can do more than just
> > > mess up your user files, they can become root with sudo and alter
> > > binaries so that you don't know they are there, continuously collecting
> > > information about you.
> > 
> > The security of Fedora has nothing to do with not having sudo accounts
> > by default. If your password is compromised and you are in the wheel
> > group, there are any number of mechanisms that someone could use to try
> > to get you to reveal the root password.
> 
> None of them are a sure thing - with bad sudo defaults they do not have to
> exploit something which often results in triggering something, and they
> have root instantly, giving them the ability to alter binaries and put
> other back doors into the system.
> 
> While having a local account compromised means that they only have to
> find a local exploit to root the box, having a local account compromised
> that has sudo privileges means they own the box already.

I strongly disagree with you on this. In real life, if you are an admin
and someone gets access to your shell account, you're screwed. I am _not_
talking about exploits here. For example, if I somehow got hold of your
password and could get a shell on your system, I could just put my own
"su" on your computer and change your path. Or change your shell to log
your keystrokes. Or use the keys in your ssh-agent. Or do any number of
nasty things. None of them are guaranteed to work, but if you don't know
your account has been compromised the odds are very good for the
attacker.

Furthermore, it is definitely not reasonable to assume that because
someone can get a shell with your account they have your password. For
example, say you attach to an ssh-agent on some other machine. The root
user of that machine can attach to the ssh-socket and authenticate with
your keys, and get a shell on your machine. Does this mean they have
your password? Of course not. What if some vulnerability comes out that
lets them trick PAM? They still don't have your password. Here's an even
better case: what if you download some malicious software? That software
can spawn a shell and execute shellcode, but it doesn't have your
password. If someone can get into your account _and_ has your password,
you've been seriously compromised and if you are really concerned about
the security of your system you should just reinstall.

> > 
> > Fedora is more secure than a lot of other distributions because it
> > enables SELinux by default; it has nothing to do with the use or nonuse
> > of sudo accounts (which, incidentally, have a finer grained
> > authentication mechanism than the su command).
> 
> sudo can be configured to be more fine grained than the su command.
> The defaults that Apple, Ubuntu, and others have are not fine grained at
> all - anyone in the right group can execute any command they want as root.

The default user on Ubuntu can sudo. Other newly created users can't.
Same with Fedora. The first user enters the root password. Other users
don't know it. The only difference is that to let another user access
root you would either need to set up sudo, or give them the root
password anyway. There isn't a huge difference.

> Do you think users who don't already know how to lock down sudo are
> going to do so? Users who already know how to lock down sudo do not need
> insecure defaults, so the default configuration that OS X and Ubuntu use
> is not for them; those defaults are for the vast majority of people who
> will never ever change them.

No, most people will not change how sudo operates. But that's ok,
because it isn't a security issue. If I looked in /var/log/auth and
realized that someone was logging onto my regular user account remotely,
I wouldn't say "Good thing I have a root password!" I'd realize that an
administrator account had been compromised, and I'd treat it the same
way I would if I was using Ubuntu or OS X and reinstall. The point of
installing sudo by default isn't to make the system more secure, it's to
make it more convenient. If you really feel that the minimal amount of
extra protection you get from having a root password in addition to your
regular user password makes a big difference, your computer wasn't
secure enough to start out with.

-- Evan Klitzke
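Added example, not part of the thread: a sudoers fragment contrasting the broad "any command as root" group rule the thread argues about with the finer-grained rule Michael says sudo can express. The group name, hostnames and command list are assumptions chosen for illustration.

```sudoers
## Added example (not from the thread). Group, host and command
## names below are assumptions chosen for illustration.

## The broad rule the thread objects to: every member of the admin
## group may run any command as any user after typing their OWN
## password, so that user password is effectively a root password.
%admin  ALL=(ALL) ALL

## The Fedora-style default: the wheel rule stays commented out, so
## becoming root goes through su and the separate root password.
# %wheel ALL=(ALL) ALL

## A finer-grained alternative for the same group: list the exact
## commands (with their arguments) that the group actually needs and
## grant only those, run only as root.
Cmnd_Alias SERVICES = /sbin/service httpd restart, \
                      /sbin/service httpd status
Cmnd_Alias LOGS     = /usr/bin/tail /var/log/httpd/error_log

%admin  ALL=(root) SERVICES, LOGS

## Re-prompt for the password on every sudo call instead of caching
## it, and keep a dedicated log of who ran what, which is the kind of
## record the thread's /var/log/auth check relies on.
Defaults timestamp_timeout=0
Defaults logfile=/var/log/sudo.log
```

Edit such a file only through visudo, which refuses to save a syntactically broken sudoers.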
