It's Worse Than Sudo For Dummies

Story: Microsoft Patents Sudo?!!
Total Replies: 11
moopst

Nov 12, 2009
1:19 AM EDT
It's sudo BY DUMMIES!

Quoting: The invention claimed is: ... information indicating the task and an entity that attempted the task; a selectable help graphic wherein responsive to receiving selection of the selectable help graphic, the computer-readable instructions further cause the computing device to present the information; identifiers, each of the identifiers identifying other accounts having a right to permit the task,


Identifying other accounts having a right to permit a task? OMG, that's letting a potential attacker find out which accounts to compromise. In reading the info page on sudo I see that you can type sudo -l to find out what your privileges are but not what some other user may do.

Pamela said:
Quoting: Etc. blah, blah. Dude. It's sudo. With a gui. Sudo for Dummies. That's what it is.
But it is more than sudo with a gui, it's sudo with a security deficiency. They granted a patent for an invention that is inherently stupid and that no thinking programmer would include. It's an invitation for social engineering attacks. Get any account and you can find out who to target for what privilege you may want. To quote one of my favorite movies (Plan 9 From Outer Space): Stupid stupid stupid stupid [smack]!

azerthoth

Nov 12, 2009
1:39 AM EDT
moopst, you can determine the same thing in linux with one simple command: cat /etc/group | grep wheel. This will give you a list of people auth'd to sudo. /etc/sudoers file is locked (no user permission to read) on my system by default, /etc/group on the other hand is readable by anyone.
gus3

Nov 12, 2009
1:57 AM EDT
@az:

Are you sure you aren't confusing "sudo" with "su"?
moopst

Nov 12, 2009
6:26 PM EDT
It's used to limit the number of users who can su to root.

http://administratosphere.wordpress.com/2007/07/19/the-wheel...

Quoting: Perhaps one reason that the wheel group is not widely used may have something to do with the GNU project. The GNU implementation of su has this in its info page:

Why GNU `su' does not support the `wheel' group
===============================================

(This section is by Richard Stallman.)

Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)


All right RMS, fight the power!

That said, you're right, wheel could be a security risk too. I wouldn't use it on an Internet facing machine.
azerthoth

Nov 12, 2009
7:18 PM EDT
Positive Gus, to use sudo you must be a member of wheel. 'cat /etc/sudoers' and this becomes very obvious.
hkwint

Nov 12, 2009
7:50 PM EDT
Quoting: Positive Gus, to use sudo you must be a member of wheel.


And even then it's only limited to certain Lin distros and BSD, because AFAIK on certain distros there just is no 'wheel' group, or it might not have the right to sudo.

Quoting: OMG, that's letting a potential attacker find out which accounts to compromise.


How is this different from UNIX? Because a UNIX attacker doesn't even need to find out anything, because he just knows the 'root' account is the one to compromise. I think this only matters in many-user setups, not for the average home user Microsoft is targeting. At least I sure hope MS isn't targeting this sudo-GUI at sysadmins.
techiem2

Nov 12, 2009
7:56 PM EDT
Quoting: At least I sure hope MS isn't targeting this sudo-GUI at sysadmins.


This IS MS we're talking about here.

But yeah...if it actually shows the list of users with the rights to do X like it sounds like from the description... "Hmm..I can't run this program, but I really want to. Let's see...OH! Bob from accounting has access to it! I'll just ask for his password......" And the sysadmins cry (and then change everyone's passwords and give them ANOTHER lecture on why to never ever ever give it out to anyone).
gus3

Nov 12, 2009
8:02 PM EDT
Quoting: and then change everyone's passwords and give them ANOTHER lecture on why to never ever ever give it out to anyone
That is, lecture everyone but Bob. He's no longer working there.
moopst

Nov 13, 2009
2:04 AM EDT
bash-3.1$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied

/etc/sudoers is readable only by root. If you have that you have the machine.
azerthoth

Nov 13, 2009
12:20 PM EDT
moopst, read my first post in the thread, not the last.
hkwint

Nov 13, 2009
10:04 PM EDT
Azerthoth: Again, you're not speaking for Linux in general AFAIK. I'm using Gentoo, my normal user is not in wheel, and is able to use sudo. I noticed several Linux distros don't have a wheel group at all.

Also, it depends on the /etc/sudoers file, maybe group 'wheel' doesn't have permissions.
caitlyn

Nov 13, 2009
10:38 PM EDT
"wheel" is not enabled by default in most Linux distros. Giving wheel or any other group, or for that matter any single user regardless of group, sudo privileges is a configuration issue handled in /etc/sudoers. Sudo is extremely flexible and configurable. Many places I've worked only hand out sudo privileges on a user-by-user basis and not by group at all.

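Added example (not part of the thread and not any poster's code): the wheel discussion above turns on whether group membership or /etc/sudoers decides who can use sudo. This sketch resolves the accounts a sudoers file grants rules to, expanding %group entries through a group file; the function name sudo_grantees, the demo accounts and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list which accounts a sudoers file actually grants rules to,
# expanding %group entries through a group file. Simplified: ignores aliases,
# #include/#includedir, line continuations and primary-group (passwd GID) membership.

# sudo_grantees GROUP_FILE SUDOERS_FILE -> "account<TAB>source" lines, sorted, unique
sudo_grantees() {
    awk -F: '
        NR == FNR { members[$1] = $4; next }        # 1st file: group name -> member list
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
        {
            who = $0
            sub(/^[ \t]+/, "", who); sub(/[ \t].*$/, "", who)   # first token of the rule
            if (who ~ /^Defaults/ || who ~ /_Alias$/) next
            if (who ~ /^%/) {                       # group rule: expand its members
                n = split(members[substr(who, 2)], m, ",")
                for (i = 1; i <= n; i++) print m[i] "\t" who
            } else {
                print who "\t" "user rule"
            }
        }
    ' "$1" "$2" | sort -u
}

# Constructed sample data (not from any real system): wheel has members,
# but only the second sudoers variant gives wheel any rights.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:\nwheel:x:10:alice,bob\nusers:x:100:carol\n' > "$d/group"
    printf 'Defaults env_reset\nroot ALL=(ALL) ALL\ncarol ALL=(ALL) ALL\n' > "$d/sudoers.user"
    printf 'root ALL=(ALL) ALL\n%%wheel ALL=(ALL) ALL\n' > "$d/sudoers.wheel"
    echo "user-by-user sudoers:"; sudo_grantees "$d/group" "$d/sudoers.user"
    echo "wheel-enabled sudoers:"; sudo_grantees "$d/group" "$d/sudoers.wheel"
    rm -rf "$d"
}
demo
```

With the user-by-user file, alice and bob are in wheel yet get no sudo rights, while carol does without being in wheel; reading /etc/group alone answers neither question.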