Re: Yet Another New systemd Feature

Grant Taylor <gtaylor@tnetconsulting.net> writes:

On 5/6/24 14:08, Andy Burns wrote:

I've encountered plenty, not so well controlled, where all it takes
is "sudo su -"

>
That's why I would tend to allow non-SA teams to have sudo with a
specific command (possibly without needing to re-enter their password)
while only allowing the Unix SAs to have `sudo su` et al. access.

I think this is optimistic at best.

One reason is the difficulty of writing correct setuid programs. sudo’s
CVE record shows how hard this is (as if there were any doubt by
now). Some of the historical CVEs stem from it being written in C but
for others the implementation language doesn’t seem to be very relevant.

The other is that impracticality of ensuring the the commands you want
to run don’t allow further escalation. Of course you may be auditing all
the commands you permit in this way but realistically, most people doing
this aren’t.

Some of these issues translate to any other strategy for managing
privilege escalation (there is no free lunch); others don’t. Certainly
getting the escalated process out of the calling user’s environment, as
run0 does, is a real improvement. Being able to remove setuid/setgid
programs from Linux would be a big step forward in security terms.

--
https://www.greenend.org.uk/rjk/