Re: Yet Another New systemd Feature

Grant Taylor <gtaylor@tnetconsulting.net> writes:

On 5/7/24 10:29, Richard Kettlewell wrote:

Certainly getting the escalated process out of the calling user’s
environment, as run0 does, is a real improvement. Being able to
remove setuid/setgid programs from Linux would be a big step forward
in security terms.

>
I don't agree that removing setuid / setgid binaries from systems is
the panacea some make it out to be.

I don’t think I said “panacea”. But it’s pretty obvious that eliminating
them would close down an entire attack class. That’s worth a lot, and
steps toward it should be welcomed.

I also suspect that we may be looking at sudo, et al, slightly
differently.
>
All of the use cases we had at my previous employer were business
justifiable (as in the business benefited from people running the
commands) and had multiple layers of management approval / blessing
for the requestor to be able to run them.
>
So sudo really was a way to conveniently provide the approved commands
without the requestor needing to go through the hassle of checking the
shared password out of a database, logging in as the target user,
running the necessary commands, logging out, and ensuring that the
password was rotated.
>
Sudo was really a way to make it easier for people to access the
privileges that they had already been granted.
>
The more people that need to access a shared account, the more benefit
there is in them not utilizing the shared password for everything.

??? I didn’t say anything about shared accounts. The important part of
the model in which sudo grants access to certain commands only is that
it doesn’t let anyone go beyond those specifically granted privileges.
That’s the tricky bit. Vulnerabilities in sudo itself are relatively
managable (given the level of attention it gets, update channels, etc)
but vulnerable configurations are harder.

--
https://www.greenend.org.uk/rjk/