Hacker Neue

Preferences
MajesticHobo2 parent
Right, but now the vector for privilege escalation will have to be a logic bug in memory-safe sudo instead of either a memory corruption (see CVE-2021-3156) or a logic bug. It’s hard not to see this as a major improvement.
h4ck_th3_pl4n3t
A major improvement would be to get rid of glibc altogether. As long as glibc is the default, the problems persist.
charcircuit
Being a setuid binary means that sudo also suffers from attacks where an attacker runs `sudo ./malware` and then convinces the user to authenticate. Depending on how sudo authenticates phishing attacks or password reuse from another breach can be used to escalate privileges.
im3w1l
I don't think you can realistically enforce a security boundary between root, and a user account that occasionally elevates.

You can enforce a boundary between root and an account that never elevates though. And as far as I understand hardening sudo helps with that.

IshKebab
Why not? The way Windows does it should work in theory I think?

Maybe you can't realistically do it on Linux, because Linux doesn't care about desktop security and doesn't have the kind of privileged GUI that you need.

im3w1l
Windows is a bit different I suppose. Many pieces come together to make it kinda work there.

* Privileged gui to display and approve what will run as you mentioned. In Linux, non-privileged gui is used to request permission to do... something.

* Executable verification. Let's say someone with user level permissions swaps out the program you wanted to run for a malicious one. The replacement would not pass certificate checks which would be revealed in the privileged gui. Maybe you could supply an old version with known vulnerabilities though idk?

* Kinda commandline parameters verification. In Linux-land you can pass parameters to the program those could be intercepted with user-level permissions. In Windows this would be displayed in the privileged gui. However! The parameters are only visible if you click "show more" which I would guess <1% of people actually do.

As an example of the last point I tested making a shortcut to cmd.exe and used Run As Administrator. Then I changed the shortcut to C:\Windows\System32\cmd.exe /c calc and again did Run As Administrator. Opens calculator instead of command prompt with identical approval gui (except with show more).

reissbaker
The way Windows does it is users are prompted to elevate permissions, and can be tricked into clicking "Yes," just like users can be tricked into using sudo.
IshKebab
Well yeah you can't enforce any security boundary if your threat model includes "user might be tricked".

It can't be enforced on Linux because `sudo` can be trivially MitM'd, but you can't do that on Windows because it's just a click.

3 More Comments →
charcircuit
>I don't think you can realistically enforce a security boundary between root, and a user account that occasionally elevates.

So stop doing that!

msm_
Who are you shouting at?

Going back to the topic of the discussion, making sudo more resilient prevents a whole class of possible bugs (see CVE-2021-3156). You may not like sudo, but it is very commonly used to manage access, prevent accidental errors, or improve accountability on Linux servers and workstations. It is not going away. Therefore, improving sudo is a worthwhile goal and a thing to be celebrated.

charcircuit
I'm not shouting.

>sudo more resilient prevents a whole class of possible bugs

Good, but this doesn't fix the easiest way to escalate privileges as an attacker through sudo. Memory safety doesn't help people who run "curl | sudo bash" to install a random program from the internet.

>It is not going away.

But if work is done it could become very niche and eventually stop getting new usage over time.

2 More Comments →
z3t4
What should you do instead?
rurban
Capabilities. Proper microkernels already do that
5 More Comments →
charcircuit
Design the system so that you do not need users to escalate to root. Find each use case where a user may want to use sudo and then come up with an alternate way to accomplish that action from a regular account.
12 More Comments →
jvanderbot
Those will also have to be fixed/considered, but do not detract from the contribution of removing memory safety bugs which may enable exploits.
charcircuit
This is a case of doubling down on bad design. To me it's wasted effort preventing theoretical bugs in niche setups.
jvanderbot
I think the opposing view is that moving away from sudo is substantially more effort and would break basically everything to accomplish "the same" thing as robustifying sudo (for some very loose definition of "same")
charcircuit
Yes, it's more effort, but it's not close to being the same.
pixl97
I mean moving from IPv4 to IPv6 is more effort, but it's not close to being the same...

And it's also why it mostly has not happened for most people.

a_t48
Even with a new, perfect paradigm, there would be billions of systems running sudo for years.
remram
I don't see how this attack is related to the setuid binary. No matter what method you provide to the user to elevate their privileges, they can be tricked into doing it. If it was provided by a daemon, built into systemd, or anything else, the problem would be the same.
charcircuit
It's related because malicous code can use the setuid binary to elevate its privileges.

>If it was provided by a daemon, built into systemd, or anything else

Yes, this is also dangerous.

remram
So what's your recommendation? Removing the user?
hulitu
> Being a setuid binary means that sudo also suffers from attacks where an attacker runs `sudo ./malware` and then convinces the user to authenticate

So does your OS.

zahlman
Do you have in mind a design that enables users to escalate privileges while preventing them from being tricked into escalating privileges?

This item has no comments currently.

Keyboard Shortcuts

Story Lists

j
Next story
k
Previous story
Shift+j
Last story
Shift+k
First story
o Enter
Go to story URL
c
Go to comments
u
Go to author

Navigation

Shift+t
Go to top stories
Shift+n
Go to new stories
Shift+b
Go to best stories
Shift+a
Go to Ask HN
Shift+s
Go to Show HN

Miscellaneous

?
Show this modal