Going back to the topic of the discussion, making sudo more resilient prevents a whole class of possible bugs (see CVE-2021-3156). You may not like sudo, but it is very commonly used to manage access, prevent accidental errors, or improve accountability on Linux servers and workstations. It is not going away. Therefore, improving sudo is a worthwhile goal and a thing to be celebrated.
>sudo more resilient prevents a whole class of possible bugs
Good, but this doesn't fix the easiest way to escalate privileges as an attacker through sudo. Memory safety doesn't help people who run "curl | sudo bash" to install a random program from the internet.
>It is not going away.
But if work is done it could become very niche and eventually stop getting new usage over time.
> help people who run "curl | sudo bash" to install a random program from the internet.
I don't think you can help those people, unless you seriously lock down the machine to the level of iPhone. Neither Android nor Windows have "sudo" for example, and yet they can get malware just fine... all the difference is instead of the password, user clicks on confirm button a few times.
I advice to (1) think about how you use sudo (2) think what would you replace it with and (3) think how the replacement can be abused by malware.
Here is one example:
(1) Today I used "sudo" to run docker: "sudo -Eg docker docker run..."
(2) the sudo-less replacement would be to add myself to docker group, or switch to rootless docker
(3) If I add myself to docker group, malware can trivially escalate by starting a privileged container. If I switch to the rootless docker, I am weakening security boundary between my primary user and the docker containers I run.
how do they solve sudo's problems though? Exchanging "sudo" with "require-root-capability" or "start-privileged-session" will still have many of the same logic problems.
Unless you mean something like "capabilities are always inherited, and there is no way to increase them", which would mean that sudo-like scripts are impossible, and you need to start all-new session as root user for admin actions. Good news, it's already possible in linux - just don't install "sudo", and maybe set up SELinux to disallow all escalation. Turns out no one wants to do this though.
there's no god-mode who can do everything. there's no universal kernel level. micro means only minimal things happen in the kernel or at root level, like routing messages.
even windows understood that those times, when they did split Administrator from System. linux followed then with system users for certain services.
but capabilities only allow certain calls at certain times. there's no setuid 0, only cap this and cap that for this admin user for a certain time range.
BTW, SElinux is the default on a proper linux like Redhat. I use it daily. I also have to adjust the ssh caps, not just the firewall settings. Everybody wants that, just not the debian nobs.
There is omitted detail here. Capabilities are a great way to determine access control (IMO, they are essential in general as a user-facing model too). However, that still leaves the question of who gets what capabilities. For the network service to be able to hand out network capabilities, it itself must have at least as much authority, and it had to get that authority from some other source of capabilities. There must be some privileged component that forges all capabilities, and actually distributes enough authority to make the system usable. For example, as soon as a human user becomes relevant, the system's user-avatar must be able to command authority, in a way that may seem sweeping. This could mean directly or indirectly changing which program is the network service, which means the ability to influence all networking activities, which is no small authority.
An agent logically has all the capabilities necessary to do what the agent should be able to do. The sum of capabilities of an agent indicates "the worst that can happen" if the agent is malicious. It makes sense that if a network service is malicious, all networking activities can be subverted. Still, the storage activities shouldn't be subverted, and of course the network service wouldn't have the storage service capability. However, if a user is malicious, anything could go wrong that the user is normally trusted to not make go wrong. Correspondingly, the user must have an expansive sum of capabilities.
Capabilities are themselves simple, but that is the mechanism perspective. Access control policy is an entirely different beast, and any mechanism at best minimizes the risks.
This all sounds very reasonable as long as servers/services are involved. Linux has capabilities for this purpose, and systemd goes a long way towards the vision you describe - daemons which do not need root and instead get all capabilities from the supervisore process.
However, were were talking about "sudo" and this is purely interactive tool (I am sure some people run sudo non-interactively, but we can all agree it's a bad security practice). So, how does this nice capabilities vision mesh with the idea of "administrator user"?
From what I see, it's not much different. Instead of "sudo" which verifies user identity+permissions and then gives out "root" or some other user, we have some other hypothetical tool ("become-admin"?) which verifies user identity+permission and gives out powerful system-changing capabilities. Frankly, I don't see much difference - it's the same security model either way.
(A related argument I've seen is "you should not need sudo for common tasks like update software or configure network" - but on modern Linuxes, you don't need sudo for that already, this is done via dbus + polkit calls. No "proper microkernels" required, that is already deployed everywhere.)
I was also the one who wrote a sibling comment saying that capabilities aren't magical, but I do think they are excellent as far as any mechanism goes. Linux doesn't nearly go far enough in capability-based security, and merely adapting practices fails to make full use of capabilities. It's a bug if I have to verify my identity often for a routine task, whether it's through sudo or polkit. User friction is bad for security in many ways. Instead, configure the service once to have the capabilities you would give it each time anyways. Take it out of the user's hands and set it down on the desk (still in their control, just not taking up space). polkit is not quite there, whereas capabilities easily confine all programs (don't have to support polkit), are trivially flexible in behavior while being both secure and invisible by default, and provide control to the proper agents (users and involved programs). Capabilities turn access control from a hard problem plus various pitfalls to just a hard problem. Rather than an incrementally better solution, changing paradigms here is a good idea. Although Unix already most has capabilities through file descriptors, so in some sense its "everything is a file" philosophy can't go far enough.
Design the system so that you do not need users to escalate to root. Find each use case where a user may want to use sudo and then come up with an alternate way to accomplish that action from a regular account.
That would just elevate each regular account to be a root account. There is no other way to make things like modifying files directly under / possible, or to change system configurations. You can lock everything down instead, then you have Android, but then you have certainly not enabled everything a user can do with sudo.
Sounds like you don't want a Linux system, but rather a Chromebook. Have you seen https://chromeos.google/products/chromeos-flex/ ? Install it on your computer and you get Android-like security model, including only verified software and lack of "sudo" or any sort of root access.
A Chromebook is a Linux system. My concern is with Ubuntu improving their security posture. Telling Canonical to give up on Ubuntu and switch everyone over to ChromeOS is not something that I predict would work.
Using GNU/Linux at all is. Choosing to use such an operating system and then also choosing to do your updates from a terminal emulator is even further off the beaten path.
The beaten path is the defaults. Windows and MacOS particularly.
And system updates don't need sudo on desktops, it is not 1990's anymore... GUI apps like software-properties-gtk use dbus with polkit auth to upgrade software without any involvement of "sudo" or giving root access to users.
>"Being root" is just another name for the last option.
No, it's not. Take for example ping. If we want users to be able to always be able to use ping does that mean they need to be root? No, it doesn't. A privileged part of the OS can handle doing the raw socket and the unpriviledged user can talk to that part of the OS.
The key point is that some operations that require privileges are okay to expose to a user, but giving the user privileges for everything is dangerous.
Going back to the topic of the discussion, making sudo more resilient prevents a whole class of possible bugs (see CVE-2021-3156). You may not like sudo, but it is very commonly used to manage access, prevent accidental errors, or improve accountability on Linux servers and workstations. It is not going away. Therefore, improving sudo is a worthwhile goal and a thing to be celebrated.