[nylug-talk] sudo vs 'ssh as root'
Michael Hrivnak
mhrivnak at triad.rr.com
Mon Jul 9 13:46:16 EDT 2007
Sorry for the self-reply, but I have one more point.
Sudo allows you to optionally specify a limited set of commands that a given
user can run as root. Maybe you have an intern upgrading a bunch of systems
from Sarge to Etch. The upgrades are straightforward, but someone needs to
watch them and possibly answer prompts. With sudo, you can allow him or her
to run only "aptitude" and "reboot" as root. That gives the intern all the
privileges necessary to get the job done, while limiting his or her ability
to poke around other places and potentially break something.
Michael
On Monday 09 July 2007 1:09:20 pm Michael Hrivnak wrote:
> Do you really need the entire session to run as root? Does bash need to
> run as root? What about simple commands like ls, cat, view, etc. You will
> likely find that when you log into one of those machines, there are very
> few commands that you need to execute as root. A key part of security is
> to only give an entity (be it a process or a user) as much freedom as
> it/he/she actually needs. If you are looking through logs and digging
> through config files to investigate a problem, you probably don't need to
> do any of that as root. When you find the problem, you can "sudo vim
> /etc/config" and "sudo /etc/init.d/someprocess reload".
>
> Not only does sudo help reduce the number of processes running as root; it
> also keeps a nice log of who did what. If someone makes a config change
> that ends up breaking something, you can see in the log exactly who did it
> and exactly what command they executed. This is good not just for blaming
> people, but also for simply asking questions or having a discussion. Maybe
> you just need to know why something was done a certain way. If sudo was
> used, you'll know who to ask.
>
> Also, if you are authenticating with one root password or RSA key, it can
> be a nightmare if it gets out. If someone gets a hold of it who shouldn't
> have it, you need to change it and then notify everyone. In the meantime,
> no work gets done. With the sudo scheme, each user is responsible for his
> or her own authentication. If someone gets a hold of my password, you can
> simply disable my account or reset my password while everyone else keeps
> working as usual.
>
> Finally, a relatively minor point. If you're logged in as root to a
> machine and have to suddenly run off to a management meeting, your
> co-worker's teenager can just sit down and have his way with the system.
> With sudo, there is only a 15 minute window in which you can execute
> commands with root privileges, after which you must re-enter your password.
>
> By limiting the number of processes running as root, tracking user
> responsibility for root commands, and limiting the scope of security
> breaches, sudo is a best practice.
>
> One more minor point: for those who like their own .vimrc, a custom
> .bashrc, or similar, that is not possible with everyone logging in as root.
>
> Best of luck persuading the boss,
> Michael
>
> On Monday 09 July 2007 12:06:09 pm David Rosenstrauch wrote:
> > Michael Bubb wrote:
> > > Hello
> > >
> > > I remember a few years back reading an interesting security discussion
> > > on sudo vs sshing as root into servers.
> > >
> > > My company's current policy is to ssh in as root. I don't believe that
> > > is the best way (ie most secure way) but I do not remember the
> > > details. I seem to remember something about sshing in as a regular user
> > > and then elevating privileges. It is also easier to track mistakes this way.
> > >
> > > This is, I realize, a fairly basic security question (which I am
> > > cross-posting to SAGE). I have heard people who angrily declaim
> > > sudo... but I have never gone through the process of figuring this out
> > > for myself.
> > >
> > > Any ideas? Good stuff to read on this?
> > >
> > > Many thanks as always
> > >
> > > Michael Bubb
> >
> > I don't have any specific pointers on this (though I imagine it's not
> > hard to dig some up), but it's kind of common sense, actually:
> >
> > Do you really want it to be possible for someone to log in as root onto
> > a box sitting out on the Net? Crackers are constantly trying to use
> > brute force attacks to crack boxes, and by allowing that you're just
> > inviting trouble.
> >
> > As you surmised, disabling remote root access, and then requiring
> > sudo/su to elevate privileges is a much safer approach.
> >
> > If you really needed to allow direct logins as root (and again I don't
> > recommend it) then at least configure the root account so that you can
> > only log in using a crypto key, and not passwords.
> >
> > DR
> > _______________________________________________
> > Hire expert Linux talent by posting jobs here :: http://jobs.nylug.org
> > The nylug-talk mailing list is at nylug-talk at nylug.org
> > The list archive is at http://nylug.org/pipermail/nylug-talk
> > To subscribe or unsubscribe: http://nylug.org/mailman/listinfo/nylug-talk
>
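The two configurations argued for in this thread (a sudoers rule that confines one user to aptitude and reboot with a 15-minute password timeout, and an sshd_config that refuses direct root logins and password guessing), written out as an added example. This is editor-supplied code, not anything posted by the participants. It assumes a hypothetical account named "intern", Debian-style paths /usr/bin/aptitude and /sbin/reboot, and a target directory argument so the files can be generated into a scratch directory and inspected before being written under /etc. One caveat the thread does not mention: during a dist-upgrade the dpkg conffile prompt offers "Z: start a shell to examine the situation", so "sudo aptitude" still hands the intern a root shell on request; the rule limits which commands are launched as root, not what those commands let a user do once running.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates:
#   1. a sudoers drop-in letting the hypothetical user "intern" run only
#      aptitude and reboot as root, re-prompting for the password after
#      15 minutes without a sudo command;
#   2. an sshd_config that refuses direct root logins and password auth.
# Each function takes a target directory (use a scratch dir to inspect the
# output first; pass /etc to apply it on a real host as root).
set -eu

write_sudoers_drop_in() {
    dir="$1"
    mkdir -p "$dir/sudoers.d"
    f="$dir/sudoers.d/intern"
    cat > "$f" <<'EOF'
# Hypothetical "intern" account: only these two commands, only as root.
Cmnd_Alias UPGRADE = /usr/bin/aptitude, /sbin/reboot
# Ask for the password again after 15 minutes without a sudo command.
Defaults:intern timestamp_timeout=15
intern ALL = (root) UPGRADE
EOF
    # sudo ignores drop-ins that are writable by anyone other than root.
    chmod 0440 "$f"
    printf '%s\n' "$f"
}

write_sshd_config() {
    dir="$1"
    mkdir -p "$dir/ssh"
    f="$dir/ssh/sshd_config"
    cat > "$f" <<'EOF'
# Admins log in under their own accounts and use sudo; root never logs in.
PermitRootLogin no
# If direct root logins are unavoidable, allow keys only (OpenSSH 7.0 and
# later; older releases spell the same setting "without-password"):
#PermitRootLogin prohibit-password
# Brute-force guessing from the Net only works against passwords.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
    chmod 0644 "$f"
    printf '%s\n' "$f"
}

# Syntax checks to run (as root, on the real host) before reloading sudo/sshd.
check_configs() {
    visudo -cf "$1/sudoers.d/intern"   # -c check only, -f alternate file
    sshd -t -f "$1/ssh/sshd_config"    # -t test mode, -f alternate config
}

if [ "$#" -eq 1 ]; then
    write_sudoers_drop_in "$1"
    write_sshd_config "$1"
fi
```

Run it as "sh harden.sh /tmp/scratch" to look at the generated files, then "check_configs /tmp/scratch" (which needs root for sshd's host keys) before copying them into /etc; the sudoers drop-in lands in /etc/sudoers.d/, which the stock Debian /etc/sudoers includes via "#includedir /etc/sudoers.d".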