sudo in general, and not requiring password in particular (was Re: trouble adding my user to sudoers list)

techlists at phpcoderusa.com
Wed Jul 3 05:57:55 MST 2024



On 2024-07-02 19:05, George Toft via PLUG-discuss wrote:
> Okay, I now come begging for more information on why RH thinks sudo is 
> bad. But first a little background...
> 
> Where I work, the first thing we do is remove sudo and replace it with 
> a shell script that calls our centralized Privileged Access Management 
> (PAM) system (not naming vendor). The use of sudo requires an 
> exception and review and is not permanent. So I'm very versed on the 
> principles and implementation of PAM. Last year our Staff Architect 
> asked me to compare and contrast sudo against <unnamed product>. 
> Side-by-side, feature-by-feature, I did so, based on our POC's on Red 
> Hat Identity Manager (IdM), which uses sudo, and locally engineered 
> solutions.
> 
> I personally detest sudo because it's like chmod 777 * - makes 
> everything work so much better, and software vendors can just drop in 
> their own sudo rules in /etc/sudoers.d/ and make magic happen without 
> you ever knowing what happened. Several times we've had to convert some 
> vendor's sudo rules to our own system's rules, and I ask the vendor 
> "Why do you have this rule?" Their answer: "We don't know." OFFS :(
> 
> As far as sudo goes, it is included in the Center for Internet 
> Security's (CIS) Benchmarks, which is the embodiment of the information 
> security industry's best practices. I did some work for them for a 
> couple years, and every change (add/mod/delete) required consensus 
> approval from 80 organizations around the world, including three letter 
> agencies in the US and abroad. Many/most auditors expect financial 
> institutions to follow this guide, or explain convincingly why not. So 
> every six months, we get to say: "We don't use sudo. Instead, we do 
> this." And then we get to do live demos of timed privileged access. 
> Haven't had a follow-on question in the last 8 years.
> 
---->>>

> (OT: I cringe at referring to CIS because of their collusion with the 
> Arizona Secretary of State and the Department of Homeland Security to 
> suppress people's First Amendment Right to Free Speech. Proof is in the 
> Elon Musk Twitter Dump. I do not have a copy of the email on my 
> computer. I generally don't tell people I did work for them - it's so 
> embarrassing. Effing Ratbastards.)

So tell us more, please.



> 
> So... back to the original question, as I was not able to find anything 
> saying Red Hat discourages sudo, nor was my favorite AI. Please toss me 
> a cookie...
> 
> Regards,
> 
> George Toft
> 
> On 6/26/2024 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
>> Actually, I'd like to start a bit of a discussion on this.
>> 
>> 
>> First, I know that for some reason RedHat seems to think that sudo is 
>> bad/insecure.
>> 
>> I'd like to know the logic there, as I think the argument FOR using 
>> sudo is MUCH stronger than any argument I've heard (which, admittedly, 
>> is pretty close to zero) AGAINST it.   Here's my thinking:
>> 
>> Allowing users to become root via sudo gives you:
>> 
>>  - VERY fine control over what programs a user can use as root
>> 
>>  - The ability to remove admin privs (ability to run as root) from an 
>> individual WITHOUT having to change root password everywhere.
>> 
>> Now, remember, RH is supposedly 'corporate friendly'.  As a 
>> corporation, that 2nd feature is well worth the price of admission, 
>> PLUS I can only allow certain admins to run certain programs? Very 
>> nice.
>> 
>> So, for example, at my last place I allowed the 'tester' user to run 
>> fdisk as root, because they needed to partition the disk under test.  
>> In my case, and since the network that we ran on was totally isolated 
>> from the corporate network, I let fdisk be run without needing a 
>> password.  Oh, and if they messed up and fdisk'ed the boot partition, 
>> it was no big deal - I could recreate the machine from scratch (minus 
>> whatever data hadn't been copied off yet - which would only be their 
>> most recent run), in 10 minutes (which was about 2 minutes of my time, 
>> and 8 minutes of scripted 'dd' ;-)  However, if the test user wanted 
>> to become root using su, they had to enter the test user password.
>> 
>> So, back to the original question - setting sudo to not require a 
>> password.  We should have asked, what program do you want to run as 
>> root without requiring a password?  How secure is your system? What 
>> else do you use it for?  Who has access?  etc, etc, etc.
>> 
>> There's one other minor objection I have to the 'zero defense' 
>> statement below - the malicious thing you downloaded (and, I assume 
>> ran) has to be written to USE sudo in its attempt to break in, I 
>> believe, or it wouldn't matter HOW open your sudo was. (simply saying 
>> 'su - myscript' won't do it).
>> 
>> And, if you're truly paranoid about stuff you download, you should:
>> 
>> 1 - NEVER download something you don't have an excellent reason to 
>> believe is 'safe', and ALWAYS make sure you actually downloaded it 
>> from where you thought you did.
>> 
>> 2 - For the TRULY paranoid, have a machine you use to download and 
>> test software on, which you can totally disconnect from your network 
>> (not JUST the internet), and which has NO confidential info, and which 
>> you can erase and rebuild without caring.  Run the downloaded stuff 
>> there, for a long time, until you're pretty sure it won't bite you.
>> 
>> 3 - For the REALLY REALLY paranoid, don't download anything from 
>> anywhere, disconnect from the internet permanently, get high-tech 
>> locks for your doors, and wrap your house in a faraday cage!
>> 
>> And probably don't leave the house....
>> 
>> The point of number 3 is that there is always a risk, even with 
>> 'well-known' software, and as someone else said - they're watching you 
>> anyway.  The question is how 'safe' do you want to be? And how 
>> paranoid are you, really?
>> 
>> Wow, talk about rabbit hole! ;-)
>> 
>> 'Let the flames begin!' :-)
>> 
>> 
>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>>>> wanted sudo not to require a password.
>>> Please reconsider this... This is VERY BAD security practice. There's 
>>> basically zero defense if you happen to download/run something 
>>> malicious.
>>> 
>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
>>>>   then I remember that a PLUG member mentioned ChatGPT being good at 
>>>> troubleshooting so I figured I'd give it a go. I spent about half 
>>>> an hour asking it the wrong question but after that it took 2 
>>>> minutes. I wanted sudo not to require a password. It is wonderful! 
>>>> Now I don't have to bug you guys. So it looks like this is the end 
>>>> of the user group unless you want to talk about OT stuff.
>>>> 
>>>> -- :-)~MIKE~(-:
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list: PLUG-discuss at lists.phxlinux.org
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>> 
>>> 

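The thread contrasts a blanket "no password" sudo setup with Rusty's one-user, one-program rule for fdisk, and George's complaint about vendor rules appearing in /etc/sudoers.d/ unnoticed. The script below is an added example, not from any poster: it shows both rule shapes as constructed sudoers text and a small check that flags password-less rules granting ALL commands, which can also be run over a real sudoers.d directory. The user names, the sample drop-in fragment and the `audit_dir` helper are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): spot password-less sudo rules that
# grant every command, as opposed to a single named program.
# All rule text below is constructed sample data, not a real system file.

# What "sudo without a password" usually turns into: any command, no prompt.
BROAD_RULE='mike ALL=(ALL) NOPASSWD: ALL'

# What Rusty describes: one user, one program, no prompt for that program
# only; everything else still asks for a password. Paths must be absolute.
NARROW_RULE='tester ALL=(root) NOPASSWD: /usr/sbin/fdisk'

# Constructed fragment in the style of a vendor drop-in under /etc/sudoers.d/
SAMPLE_DROPIN='# agent rules installed by a package
Defaults:agent !requiretty
agent ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync, ALL
%wheel ALL=(ALL) ALL'

# risky_rules: read sudoers text on stdin, drop comment lines, and print each
# line whose NOPASSWD command list contains the bare token ALL (first or after
# a comma). A rule limited to named programs is not printed.
risky_rules() {
    grep -v '^[[:space:]]*#' \
      | grep -E 'NOPASSWD:[[:space:]]*(.*,[[:space:]]*)?ALL[[:space:]]*(,|$)'
}

# count_risky: number of such rules in the fragment passed as an argument.
count_risky() {
    printf '%s\n' "$1" | risky_rules | awk 'END { print NR }'
}

# audit_dir: apply the same check to every file in a sudoers.d directory,
# prefixing findings with the file name so the source of each rule is clear.
# (On a live host, `visudo -c -f FILE` additionally checks a fragment's syntax.)
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        risky_rules < "$f" | sed "s|^|$f: |"
    done
}

echo "broad rule findings:  $(count_risky "$BROAD_RULE")"
echo "narrow rule findings: $(count_risky "$NARROW_RULE")"
echo "drop-in findings:     $(count_risky "$SAMPLE_DROPIN")"
```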
