Bug#293830: sudo is undesirable

Joshua Rodman Joshua Rodman <jrodman@ducker.org>, 293830@bugs.debian.org
Sat, 26 Feb 2005 22:21:52 -0800


On Sat, Feb 26, 2005 at 06:37:59PM +0100, Loïc Minier wrote:
>         Hi,
> 
> On Sat, Feb 26, 2005, Joshua Rodman wrote:
> > 
> > Unfortunately, /etc/sudoers is a very poorly designed file with a
> > confusing and difficult syntax.  Additionally, in order to provide users
> > with reasonable flexibility with specific tools you wish to allow them
> > to use, you often open the door to complete root access via clever
> > character substitutions.
> 
>  Well, that's poor configuration from the administrator.  (Please note
>  you're not supposed to edit /etc/sudoers directly, but you should call
>  "visudo" instead).

That it is possible to configure sudo correctly does not change that it is
difficult to read.

	user   ALL = (ALL) ALL

This defies easy comprehension.

Sudo has a sophisticated system for handling permissions.  Simplicity
is the normally recognized path to security.  Complexity is the enemy of
security.

>    I _personally_ find the format of the file really good as it allows
>  to define separately the commands that sudo might run, 

That's fine.  A suggests or recommends is fine.

>  I completely disagree, but if you don't like the format of the file and
>  have suggestions for improvements, I presume you should file a bug on
>  sudo instead.

These are design problems with sudo, not bugs.  The solution to sudo for
those with my concerns is to uninstall it.  Filing bugs against sudo
would be a waste of everyone's time.


>  So if someone hijacks your account, he can run any command by spying
>  your password?  I think your argument doesn't take the whole goal of
>  sudo into account: the goal is to reduce the rights you offer to user
>  to the bare minimum.  For example, only allow a fixed list of users to
>  run a fixed list of commands, eventually with their user password
>  instead of the root password (or no password at all).

I fully understand the goals of sudo.  These goals are of no actual
advantage in my deployed environment where there is only one
administrator who performs all privileged tasks.  Therefore it is
appropriate to not install sudo in my environment.

Were I to actually need the kind of functionality sudo provides, I would
deploy the tool su1, which does not have a history of security leaks via
misconfiguration in the manner sudo does.

>  However, sudo can be configured to ask for the root password and allow
>  running any command, please see the "rootpw" (or "runaspw" for commands
>  running as root), and see the default privilege specification:
>     root    ALL=(ALL) ALL

Great, so you can provide the functionality of 'su' with a lot of extra
baggage (read grist for attacks).

Since gksu has no intrinsic need for sudo, it should be possible to use
gksu without sudo installed, and therefore gksu should not depend on
sudo.

-josh
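As an added illustration of the sudoers features named in the quoted reply (the default root specification, the "rootpw" option, and a fixed list of users allowed a fixed list of commands), not part of the original message; the user names and command paths below are constructed:

```sudoers
# Default privilege specification, as quoted above: root may run anything.
root    ALL=(ALL) ALL

# Ask for root's password instead of the invoking user's password
# (the "rootpw" option mentioned in the reply).
Defaults    rootpw

# A narrow grant: a fixed list of users (constructed names) may run a
# fixed list of commands (hypothetical paths) as root, after entering
# root's password because of the rootpw setting above.
User_Alias  BACKUP_OPS  = alice, bob
Cmnd_Alias  BACKUP_CMDS = /usr/local/bin/run-backup, /usr/local/bin/verify-backup
BACKUP_OPS  ALL = (root) BACKUP_CMDS

# Caveat: a wildcard or a command that can spawn a shell or editor is
# equivalent to granting full root, which is the misconfiguration risk
# the thread argues about.  Do not write rules like the following:
# alice   ALL = (ALL) /usr/bin/*
```

Check the file with `visudo -c` before relying on it; a syntax error in /etc/sudoers can lock every user out of sudo.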