Subject: Re: [lists@globalintersec.com: [Global InterSec 2002041701] Sudo Password Prompt Vulnerability.]
To: None <tech-security@netbsd.org>
From: Jan Schaumann <jschauma@netbsd.org>
List: tech-security
Date: 04/25/2002 21:21:57
ipthomas@mac.com wrote:

> 	I'm curious as to why so many publications these days tell users to 
> use sudo rather than su.

A few weeks ago, there was a somewhat lengthy but informative thread on
sage-members regarding su/sudo practices.  I've not yet determined how
to access the ML's archive (if it exists), otherwise I could probably
give you better examples.

Anyway, I think the main reason sudo is popular is that it prevents
people from running around as root.  Sure, many of you guys may be
responsible and always check all your commands you type (or never
mistype), but sudo to me mainly helps you not make stupid mistakes (that
do invariably happen).

Example:  Printer-debugging:

$ pwd
/etc
$ su
# vi printcap
# lpr /tmp/foo.ps
# vi /usr/pkg/libexec/magicfilter/some-printer
# lpr /tmp/foo.ps
# lpr /tmp/foo.pdf
# lpr /tmp/foo.txt
[I want "rm /tmp/foo*" but accidentally mistype:]
# rm /tmp/foo *
[ /tmp/foo* is gone, but so is /etc/* ]
# exit
$

Oooops!

Now:
$ pwd
/etc
$ sudo vi printcap
$ lpr /tmp/foo.ps
$ sudo vi /usr/pkg/libexec/magicfilter/some-printer
$ lpr /tmp/foo.ps
$ lpr /tmp/foo.pdf
$ lpr /tmp/foo.txt
[I want "rm /tmp/foo*" but accidentally mistype:]
$ rm /tmp/foo *
[/tmp/foo* is removed, /etc/* gives "permission denied"]
$


Now I'm fully aware that if I'm allowed to execute vi via sudo, I
essentially have full root-access, as I can call a shell from within the
editor -- the point in this example is not to increase security by not
giving out root, but by reducing the likelihood of errors caused by
typos.


Another situation in which I've found sudo rather helpful is when you have users
that you want to be able to execute a few select commands that require
root-privileges, but don't want to create/change groups and
group-permissions or setuid and setgid programs, but at the same time
you wouldn't trust that user with full root access.

A few of my faculty have dual-boot machines, and they want to be able to
reboot.  Telling them to just sync(8) and hit the power button is one
solution, granting them permission to use "sudo reboot" (or equivalents)
is another.  Or, I have assistants helping with a bunch of pesky little
tasks in a laboratory.  Occasionally, a machine hangs X, but is
otherwise reachable.  Granting the few (trusted) lab-assistants
permission to kill(1) the X allows me not to be disturbed by these
instances, the machine is not rebooted without being shut down properly
and all's peachy.

Some people argue that with sudo you have a better audit-trail of what's
going on, as all the commands are syslog'd, but I think that would only
apply in an environment where several people manage a large number of
machines and use sudo exclusively.

I do understand Thor's (and others') concerns regarding sudo luring the
admin into a false sense of "increased" security, but, like almost all
other commands, it does have its uses.

-Jan
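The two delegation cases Jan describes (faculty allowed to reboot dual-boot machines, lab assistants allowed to kill a hung X server) expressed as a sudoers(5) fragment. This is a constructed example, not configuration from the post or from NetBSD; the host names, user names, the use of pkill(1) and the assumption that the X server process is named "X" are all assumptions for illustration.

```sudoers
# Constructed /etc/sudoers fragment (not from the original post).
# Hosts, users and command paths are assumptions for illustration.
Host_Alias  LABHOSTS  = lab01, lab02, lab03
User_Alias  FACULTY   = alice, bob
User_Alias  LABASSIST = carol, dave

# Only the reboot commands faculty on dual-boot machines need.
# Listing "shutdown -r now" with its arguments means sudo accepts
# exactly that invocation and nothing else (no "shutdown -h", no "-r +30").
Cmnd_Alias  REBOOT    = /sbin/reboot, /sbin/shutdown -r now

# Killing a hung X server.  A bare "/bin/kill" rule would let the
# assistants signal any process on the box; fixing the argument list
# to the X server's process name limits the rule to that one job.
# (Assumes pkill(1) is present and the server process is named "X".)
Cmnd_Alias  KILLX     = /usr/bin/pkill -x X

# User specs:  who  where = what.
FACULTY     ALL      = REBOOT
LABASSIST   LABHOSTS = KILLX
```

Each invocation is logged through syslog as the post notes, so the rules double as a record of who rebooted or killed X and when; an editor such as vi is deliberately absent from both aliases, since, as Jan points out, "sudo vi" is full root access.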