[nupark]

Work on it how? Acquiring root locally is easy because local exploits are a dime a dozen, and once you have local access you can simply piggyback on valid authentication:

  alias sudo="sudo and do something evil instead"

Once an attacker has local access, you've lost. It's a short leap from there to root. What's more, by requiring that users supply passwords to use sudo, you're practically guaranteeing that they will reuse passwords that thy use elsewhere, exposing your network to further compromise should those passwords be acquired from a compromised server.

[there]

do you know how many web/ISP hosting providers are out there that give out non-root SSH access to their customers? or how many do shared PHP hosting that make it easy to run local commands on the server? do you really think all of those servers have been rooted? here are two free shell providers:

http://www.devio.us/ http://sdf.lonestar.org/

if your operating system has no local user security, you should really upgrade it or switch to a different operating system.

[nupark]

do you know how many web/ISP hosting providers are out there that give out non-root SSH access to their customers? or how many do shared PHP hosting that make it easy to run local commands on the server?

Yes. In the late 90s, I worked in security for a company that ran one of the largest (at the time) shared hosting providers.

do you really think all of those servers have been rooted?

If someone was interested enough to capture an administrator's user account, then yes, they have been rooted.

if your operating system has no local user security, you should really upgrade it or switch to a different operating system.

There's no such thing. The local user attack surface is just too large.

As related to sudo, it's silly to think that local OS security can protect you from someone with access to an administrator's shell -- even if using sudo requires a password.

Let me break this down into simple steps:

Scenario 1:

- I acquire access to your password.

- I log in as you, then use your password to sudo to root. Game over.

Scenario 2:

- I acquire access to your SSH key or an active terminal on your server. I do not have your password.

- Logged in as you, I notice that sudo requires your password.

- Since you use zsh, I add the following to your zshrc:

  sudo () { /usr/bin/sudo sh -c "echo \"pwned. Game over.\" && $==*" }

- You log in, and run some innocious sudo command. You enter your password, and then get a surprise:

  nupark@fish:~> sudo ls /var/cores
  Password:
  pwned. Game over.
  tar-3493.core
  nupark@fish:~>

Under what scenario will the password requirement protect you? If the attacker can't take advantage of the situation immediately, they can just as easily leave a landmine that you won't notice until it's too late, if ever.

Once someone has a local shell -- especially an administrator's shell -- the machine is effectively compromised.

Requiring a password for sudo is at best a minor speed bump, not an obstacle, and it results in the propagation of password usage throughout your infrastructure. Many of those passwords, once acquired by an attacher, will likely grant access to other, possibly more critical systems.