On Fri, 2007-02-02 at 19:38 -0800, Michael A. Peters wrote: > On Fri, 2007-02-02 at 17:35 -0800, Evan Klitzke wrote: > > On Fri, 2007-02-02 at 14:21 -0800, Michael A. Peters wrote: > > > Some of the other distros that seem easier only seem so because they > > > compromise security to achieve it - such as very insecure sudo defaults > > > that essentially make any admin group user password a root password. > > > > > > IE someone gets your user account password, they can do more than just > > > mess up your user files, they can become root with sudo and alter > > > binaries so that you don't know they are there, continuously collecting > > > information about you. > > > > The security of Fedora has nothing to do with not having sudo accounts > > by default. If your password is compromised and you are in the wheel > > group, there are any number of mechanisms that someone could use to try > > to get you to reveal the root password. > > None of them are sure thing - with bad sudo defaults they do not have to > exploit something which often results in triggering something, and they > have root instantly giving them the ability to alter binaries and put > other back doors into the system. > > While having a local account compromised means that they only have to > find a local exploit to root the box, having a local account compromised > that has sudo privileges means they own the box already. I strongly disagree with you on this. In real life, if you are an admin and someone gets access your shell account, you're screwed. I am _not_ talking about exploits here. For example, if I somehow got hold of your password and could get a shell on your system, I could just put my own "su" on your computer and change your path. Or change your shell to log your keystrokes. Or use the keys in your ssh-agent. Or do any number of nasty things. None of them are guaranteed to work, but if you don't know your account has been compromised the odds are very good for the attacker. Furthermore, it is definitely not reasonable to assume that because someone can get a shell with your account they have your password. For example, say you attach to an ssh-agent on some other machine. The root user of that machine can attach to the ssh-socket and authenticate with your keys, and get a shell on your machine. Does this mean they have your password? Of course not. What if some vulnerability comes out that lets them trick PAM? They still don't have your password. Here's an even better case: what if you download some malicious software? That software can spawn a shell and execute shellcode, but it doesn't have your password. If someone can get into your account _and_ has your password, you've been seriously compromised and if you are really concerned about the security of your system you should just reinstall. > > > > Fedora is more secure than a lot of other distributions because it > > enables SELinux by default; it has nothing to do with the use or nonuse > > of sudo accounts (which, incidentally, have a finer grained > > authentication mechanism than the su command). > > sudo can be configured to be more fine grained that the su command. > The default that Apple, Ubuntu, and others have are not fine grained at > all - anyone in the right group can execute any command they want root. The default user on Ubuntu can sudo. Other newly created users can't. Same with Fedora. The first user enters the root password. Other users don't know it. The only difference is that to let another user access root you would either need to set up sudo, or give them the root password anyway. There isn't a huge difference. > Do you think users who don't already know how to lock down sudo are > going to do so? Users who already know how to lock down sudo do not need > insecure defaults, so the default configuration that OS X and ubuntu use > are not for them, those defaults are for the vast majority of people who > will never ever change them. No, most people will not change how sudo operates. But that's ok, because it isn't a security issue. If I looked in /var/log/auth and realized that someone was logging onto my regular user account remotely, I wouldn't say "Good thing I have a root password!" I'd realize that an administrator account had been compromised, and I'd treat it the same way I would if I was using Ubuntu or OS X and reinstall. The point of installing sudo by default isn't to make the system more secure, it's to make it more convenient. If you really feel that the minimal amount of extra protection you get from having a root password in addition to your regular user password makes a big difference, your computer wasn't secure enough to start out with. -- Evan Klitzke
