  #1  
11-02-2011, 05:22 PM
fluca1978
Senior Member
 
Join Date: Mar 2011
Posts: 364
Thanks: 3
Thanked 22 Times in 16 Posts
sudo with root password?
Hi,
I noted that sudo on PC-BSD (and maybe on FreeBSD too) is configured to ask for the target user's password:

Code:
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
Defaults targetpw  # Ask for the password of the target user
Now what is the rationale behind this? After all, having this setting does not provide any sudo improvement, while having users prompted for their password allows them to not know the superuser (or target user) password while still being able to run commands. Any hint is appreciated.
  #2  
11-02-2011, 05:45 PM
kmoore134
Administrator
 
Join Date: May 2005
Location: Knoxville, TN
Posts: 2,568
Thanks: 0
Thanked 163 Times in 127 Posts
sudo with root password?
The rationale is so that users can easily run something like "sudo
leafpad" or some other GUI, and not need to remember the right "su"
flags variables to make it work.

I'm not a fan of letting users run sudo with their own password by
default. You are welcome to use it, but I feel by default it is an
unnecessary security risk. I have systems here where the user needs
their PW to log in, but I don't want them to have root access. Again, it's
just a default though, so if you want something different, feel free to
modify it.
__________________
----
Kris Moore
PC-BSD Founder
  #3  
11-03-2011, 04:48 PM
fluca1978
Originally Posted by kmoore134:
I'm not a fan of letting users run sudo with their own password by
default. You are welcome to use it, but I feel by default it is an
unnecessary security risk.

This is really interesting. However, I don't understand why running sudo with user passwords should be a security risk, since you (the admin) are granting sudo permissions to users, and this is the same as giving the root password. The only difference I can see is that users tend to have simple passwords, which can allow a brute force attack. On the other hand, root is the account on which a brute force attack would be performed, so again I think security risks and advantages are equal. Please correct me if I'm wrong, because this is an interesting topic.
  #4  
11-03-2011, 05:15 PM
kmoore134
sudo with root password?
Again, we are talking about defaults here, and not remote break-ins /
brute-force attacks. (They can do that with "su" as well).

I'm thinking of the case where we do an install of the desktop and give
somebody the KDE username / password to log into the desktop. If the
default of sudo is to only ask for the user's password, we may have just
given them root access to the box. So in this case, there was no
intentional giving of root access, but because of the default config,
the user now has it.

The way it is now, users who know the root password are welcome to use
sudo to run a variety of commands, and more advanced users can modify
its config to their specific liking.
__________________
----
Kris Moore
PC-BSD Founder
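
The scenario described in post #4, as an added example that is not part of the original thread or of PC-BSD's own tooling: a small audit that reads a sudoers file and reports whose password sudo asks for and whether a blanket rule turns every login password into root access. The three sample files are constructed, and the blanket "ALL ALL=(ALL) ALL" rule is an assumption, since the thread shows only the "Defaults targetpw" line.

```python
import re

# Constructed sudoers samples for illustration (not copied from a PC-BSD install).
# The blanket "ALL ALL=(ALL) ALL" rule is an assumption; the thread shows only
# the "Defaults targetpw" line.
TARGETPW_BLANKET = """\
Defaults targetpw  # Ask for the password of the target user
ALL ALL=(ALL) ALL
"""
USERPW_BLANKET = """\
# Defaults targetpw
ALL ALL=(ALL) ALL
"""
USERPW_SCOPED = """\
%wheel ALL=(ALL) ALL
"""

# A rule granting one grantee every command as every user on every host.
FULL_GRANT = re.compile(r"(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*ALL$")


def audit(sudoers_text):
    """Report whose password sudo asks for and who holds a full grant.

    Simplified: handles global "Defaults" lines and one-line rules only;
    aliases, per-user Defaults and include directives are ignored.
    """
    targetpw = False
    grantees = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        defaults = re.match(r"Defaults\s+(.+)", line)
        if defaults:
            for flag in re.split(r"[,\s]+", defaults.group(1)):
                if flag in ("targetpw", "!targetpw"):
                    targetpw = not flag.startswith("!")
            continue
        rule = FULL_GRANT.match(line)
        if rule and rule.group(1) != "root":
            grantees.append(rule.group(1))
    return {
        "password_asked": "target user" if targetpw else "invoking user",
        "full_grantees": grantees,
        # The case from post #4: every account's login password doubles as root access.
        "any_login_is_root": not targetpw and "ALL" in grantees,
    }
```

Only the second sample reproduces the unintended grant: the blanket rule is still active but targetpw has been commented out, so sudo accepts the invoking user's own password.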
  #5  
11-04-2011, 07:39 AM
fluca1978
Originally Posted by kmoore134:
I'm thinking of the case where we do an install of the desktop and give
somebody the KDE username / password to log into the desktop. If the
default of sudo is to only ask for the user's password, we may have just
given them root access to the box. So in this case, there was no
intentional giving of root access, but because of the default config,
the user now has it.

Thanks, it is really clear now.
  #6  
06-04-2012, 03:05 PM
fluca1978
It seems that on 9.0-RELEASE this is no longer true and the sudo configuration does not ask for the target password but for the current user's one (I was trying it on a snapshot when I first wrote this thread). So the behavior of sudo has changed to that of other environments?
  #7  
06-04-2012, 04:06 PM
kmoore134
sudo with root password?
Thanks for the heads up. I've fixed this now, looks like something got
reverted mistakenly.
__________________
----
Kris Moore
PC-BSD Founder
Copyright 2005-2010, The PC-BSD Project. PC-BSD and the PC-BSD logo are registered trademarks of iXsystems.
All other content is freely available for sharing under the terms of the Creative Commons Attribution License.