[charcircuit]

Being a setuid binary means that sudo also suffers from attacks where an attacker runs `sudo ./malware` and then convinces the user to authenticate. Depending on how sudo authenticates phishing attacks or password reuse from another breach can be used to escalate privileges.

[im3w1l]

I don't think you can realistically enforce a security boundary between root, and a user account that occasionally elevates.

You can enforce a boundary between root and an account that never elevates though. And as far as I understand hardening sudo helps with that.

[IshKebab]

Why not? The way Windows does it should work in theory I think?

Maybe you can't realistically do it on Linux, because Linux doesn't care about desktop security and doesn't have the kind of privileged GUI that you need.

[im3w1l]

Windows is a bit different I suppose. Many pieces come together to make it kinda work there.

* Privileged gui to display and approve what will run as you mentioned. In Linux, non-privileged gui is used to request permission to do... something.

* Executable verification. Let's say someone with user level permissions swaps out the program you wanted to run for a malicious one. The replacement would not pass certificate checks which would be revealed in the privileged gui. Maybe you could supply an old version with known vulnerabilities though idk?

* Kinda commandline parameters verification. In Linux-land you can pass parameters to the program those could be intercepted with user-level permissions. In Windows this would be displayed in the privileged gui. However! The parameters are only visible if you click "show more" which I would guess <1% of people actually do.

As an example of the last point I tested making a shortcut to cmd.exe and used Run As Administrator. Then I changed the shortcut to C:\Windows\System32\cmd.exe /c calc and again did Run As Administrator. Opens calculator instead of command prompt with identical approval gui (except with show more).

[reissbaker]

The way Windows does it is users are prompted to elevate permissions, and can be tricked into clicking "Yes," just like users can be tricked into using sudo.

[IshKebab]

Well yeah you can't enforce any security boundary if your threat model includes "user might be tricked".

It can't be enforced on Linux because `sudo` can be trivially MitM'd, but you can't do that on Windows because it's just a click.

[reissbaker]

But the entire threat model we were discussing was that the user might be tricked:

Being a setuid binary means that sudo also suffers from attacks where an attacker runs `sudo ./malware` and then convinces the user to authenticate

That's why the OP said that's not an enforceable security boundary. If the user is capable of attaining superuser privs, you can trick them, regardless of how attaining those privs is implemented.

[IshKebab]

Yeah I wasn't agreeing with that either.

I didn't interpret OP's comment like that. I think he was saying you can't enforce the boundary at all even if users don't get tricked.

That's true on Linux because the sudo UI can trivially be MitM'd by malware. You can't do that on Windows so trivially.

[charcircuit]

>I don't think you can realistically enforce a security boundary between root, and a user account that occasionally elevates.

So stop doing that!

[msm_]

Who are you shouting at?

Going back to the topic of the discussion, making sudo more resilient prevents a whole class of possible bugs (see CVE-2021-3156). You may not like sudo, but it is very commonly used to manage access, prevent accidental errors, or improve accountability on Linux servers and workstations. It is not going away. Therefore, improving sudo is a worthwhile goal and a thing to be celebrated.

[charcircuit]

I'm not shouting.

>sudo more resilient prevents a whole class of possible bugs

Good, but this doesn't fix the easiest way to escalate privileges as an attacker through sudo. Memory safety doesn't help people who run "curl | sudo bash" to install a random program from the internet.

>It is not going away.

But if work is done it could become very niche and eventually stop getting new usage over time.

[theamk]

> help people who run "curl | sudo bash" to install a random program from the internet.

I don't think you can help those people, unless you seriously lock down the machine to the level of iPhone. Neither Android nor Windows have "sudo" for example, and yet they can get malware just fine... all the difference is instead of the password, user clicks on confirm button a few times.

I advice to (1) think about how you use sudo (2) think what would you replace it with and (3) think how the replacement can be abused by malware.

Here is one example:

(1) Today I used "sudo" to run docker: "sudo -Eg docker docker run..."

(2) the sudo-less replacement would be to add myself to docker group, or switch to rootless docker

(3) If I add myself to docker group, malware can trivially escalate by starting a privileged container. If I switch to the rootless docker, I am weakening security boundary between my primary user and the docker containers I run.

[encrypted_bird]

> I'm not shouting.

In text format, all-caps or the use of an exclamation mark are often used to indicate shouting.

So, it is not unreasonable for people to read your sentence as such.

[z3t4]

What should you do instead?

[rurban]

Capabilities. Proper microkernels already do that

[theamk]

how do they solve sudo's problems though? Exchanging "sudo" with "require-root-capability" or "start-privileged-session" will still have many of the same logic problems.

Unless you mean something like "capabilities are always inherited, and there is no way to increase them", which would mean that sudo-like scripts are impossible, and you need to start all-new session as root user for admin actions. Good news, it's already possible in linux - just don't install "sudo", and maybe set up SELinux to disallow all escalation. Turns out no one wants to do this though.

[rurban]

fine grained.

there's no god-mode who can do everything. there's no universal kernel level. micro means only minimal things happen in the kernel or at root level, like routing messages.

even windows understood that those times, when they did split Administrator from System. linux followed then with system users for certain services. but capabilities only allow certain calls at certain times. there's no setuid 0, only cap this and cap that for this admin user for a certain time range.

BTW, SElinux is the default on a proper linux like Redhat. I use it daily. I also have to adjust the ssh caps, not just the firewall settings. Everybody wants that, just not the debian nobs.

[charcircuit]

Design the system so that you do not need users to escalate to root. Find each use case where a user may want to use sudo and then come up with an alternate way to accomplish that action from a regular account.

[onli]

That would just elevate each regular account to be a root account. There is no other way to make things like modifying files directly under / possible, or to change system configurations. You can lock everything down instead, then you have Android, but then you have certainly not enabled everything a user can do with sudo.

[charcircuit]

>There is no other way to make things like modifying files directly under / possible

It doesn't need to be possible.

>change system configurations

You can have an settings app to configure the system.

>then you have Android

Which is much farther ahead than Ubuntu on security. Ubuntu needs to play catch up.

>but then you have certainly not enabled everything a user can do with sudo.

The goal is not to be able to do everything. The average user doesn't need to be able to do anything. Especially with their regular account.

[lupusreal]

We have that, it's called android.

Anybody who finds themselves using sudo is already well off the beaten path, by their own choice. There's nothing wrong with that.

[charcircuit]

Doing system updates is not off the beaten path.

[zahlman]

Currently, for any given action, the following possibilities are implemented:

* The user may never perform the action (would require sudo, but the user doesn't have sudo rights)

* The user may sometimes perform the action (i.e. only after authenticating with sudo)

* The user may always perform the action (is always implicitly authenticated)

"Being root" is just another name for the last option.

What fourth alternative do you have in mind?

[charcircuit]

>"Being root" is just another name for the last option.

No, it's not. Take for example ping. If we want users to be able to always be able to use ping does that mean they need to be root? No, it doesn't. A privileged part of the OS can handle doing the raw socket and the unpriviledged user can talk to that part of the OS.

The key point is that some operations that require privileges are okay to expose to a user, but giving the user privileges for everything is dangerous.

[jvanderbot]

Those will also have to be fixed/considered, but do not detract from the contribution of removing memory safety bugs which may enable exploits.

[charcircuit]

This is a case of doubling down on bad design. To me it's wasted effort preventing theoretical bugs in niche setups.

[jvanderbot]

I think the opposing view is that moving away from sudo is substantially more effort and would break basically everything to accomplish "the same" thing as robustifying sudo (for some very loose definition of "same")

[charcircuit]

Yes, it's more effort, but it's not close to being the same.

[pixl97]

I mean moving from IPv4 to IPv6 is more effort, but it's not close to being the same...

And it's also why it mostly has not happened for most people.

[a_t48]

Even with a new, perfect paradigm, there would be billions of systems running sudo for years.

[remram]

I don't see how this attack is related to the setuid binary. No matter what method you provide to the user to elevate their privileges, they can be tricked into doing it. If it was provided by a daemon, built into systemd, or anything else, the problem would be the same.

[charcircuit]

It's related because malicous code can use the setuid binary to elevate its privileges.

>If it was provided by a daemon, built into systemd, or anything else

Yes, this is also dangerous.

[remram]

So what's your recommendation? Removing the user?

[hulitu]

> Being a setuid binary means that sudo also suffers from attacks where an attacker runs `sudo ./malware` and then convinces the user to authenticate

So does your OS.

[zahlman]

Do you have in mind a design that enables users to escalate privileges while preventing them from being tricked into escalating privileges?