[CentOS] server is always getting hacked
Warren Young
warren at etr-usa.com
Wed Jul 1 21:47:01 UTC 2009
Michael A. Peters wrote:
> I still don't understand how using sudo instead of su makes it more secure.
Let's start with the simple case where only one person needs superuser
type privileges on a given machine. What, then, is the difference
between sudo and su -? There has to be one all-powerful superuser on
such a machine, right?
That's true, but it ignores human nature. Human nature, in a world
without sudo, is to leave a root terminal up all the time so you don't
have to keep su'ing up to root and then logging back out. The default
configuration for sudo ameliorates this problem by remembering your
password for a short time, so you can do another sudo command shortly
after without giving your password again. Once the user stops invoking
sudo long enough to let the timer expire, root privileges are
automatically revoked.
This has two main benefits to security:
1. On walking away from your computer, you're less likely to leave it in
a state that gives anyone walking up to it root access.
2. The extra "sudo" prefix you need in front of every command you want
run as root makes it less likely that you will accidentally run a
command as root that you should only run as a regular user.
Now take the more common case for an enterprise distro like CentOS,
where more than one person needs some level of superuser access. sudo
provides more benefits in that case:
1. You don't have to give the all-powerful root password to as many
people. sudo controls access to superuser privileges by asking for that
user's account password, not the root password. When it comes time to
take superuser privileges away from someone, that user can just be
removed from /etc/sudoers; you don't have to change the root password
and redistribute it. If you don't know why frequent password
redistribution is a problem, you haven't been an admin very long.
2. With su, it's all-or-nothing. Once you have a root shell, there's
nothing you can't do, barring some MAC type system, and that affects
anyone with root access equally. sudo lets you give access to just
those commands that a given admin needs. Maybe you have a dedicated web
admin, so you let him run apachectl through sudo. He has no legitimate
need to run any other commands as root.
3. sudo logs all commands executed through it. su doesn't. You could
maybe configure bash to log commands, but then you run into Big Brother
issues if you don't somehow do it only for bash when run as root. Even
if you did that, now you have to do it for all shells on the machine,
else the first command a bad actor did on the machine would be to open a
different sub-shell to escape the prying auditor eyes. (Clearly for
this to be a security feature, you need to have syslogd configured to
redirect logs to another machine that doesn't allow remote access.)
This doesn't prevent security breaches, just helps figure out what
happened after one does occur. Coupled with an IDS, it can even give
you early warning that security has been breached.
More information about the CentOS
mailing list