[887] in athena10
Re: [athena10] sudo
daemon@ATHENA.MIT.EDU (Quentin Smith)
Thu Jan 22 12:09:20 2009
Date: Thu, 22 Jan 2009 12:08:15 -0500 (EST)
From: Quentin Smith <quentin@MIT.EDU>
To: Mitchell E Berger <mitchb@mit.edu>
cc: Greg Hudson <ghudson@mit.edu>, Evan Broder <broder@mit.edu>,
athena10@mit.edu
In-Reply-To: <200901221659.n0MGxSEk009565@byte-me.mit.edu>
Message-ID: <Pine.LNX.4.64L.0901221207100.25977@vinegar-pot.mit.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Thu, 22 Jan 2009, Mitchell E Berger wrote:
>> 2. Passwordless sudo means you can get root (within a login chroot) if
>> you take over the console session of another user, e.g. if someone
>> leaves their session un-screensaved. It's not clear whether root access
>> within a login chroot is more valuable to an attacker than a user's
>> tickets and tokens are.
>
> How is that different from the current state of affairs in Athena 9
> where you can walk up to such a session and run 'su' with the well-known
> root password (which will also be an available option in Athena 10)?
>
> I don't think the passwordless sudo really adds any security concerns.
> I worry a little about people using root access more than they mean
> to (lots of web directions tell you to 'sudo make install' this or
> that). But since it's a snapshot session anyhow, they're not going
> to mess up more than their current login session, so that probably
> doesn't matter either.

I think there's a valid security concern with passwordless sudo that it
removes a barrier before getting root. A user could easily type their/a
password, but an exploited web page wouldn't have the same level of
access. Of course, I don't know of any web exploits that try to execute
"sudo", as of now.

--Quentin
>
> Mitch
>
>