Is Sudo Almost Useless?

76 points, by arshbot, almost 5 years ago

20 comments

mywittyname, almost 5 years ago
Do people work under the assumption that sudo is meant to protect against malicious actors? I always considered it an administrative tool to differentiate between authorized users and administrators. You can, for example, limit a user to only running `sudo service` so they can log in and restart a service, but not make any other changes.

I thought the general strategy was to not give daemon accounts shell access at all. Getting shell access is the hard part for a malicious actor. Once you have shell, root access is just a matter of finding a piece of unpatched software with a privilege escalation exploit out there. Plus, there's still a lot of damage you can do without root access.
karatestomp, almost 5 years ago
> The only purpose of sudo is to protect you from yourself, that is, to avoid messing up your system by mistake.

This is one reason I increasingly don't like the normal Linux distro "system packages, *plus* everything else under the sun, with one interface and all co-mingled" default package management solution. A big fat "update the system" (or don't) button with my user-installed packages totally separate, as I get with macOS, is nicer. This is made worse because, unless you're self-managing the base system and keeping it super minimal (as one might in Gentoo, Arch, or Void), Linux installations are weirdly fragile, I think in part because of this too-large package ecosystem all tied up with the "core" of the OS.

Especially on a single-user system, I should be able to install most software without escalating privileges. I should be able to blanket-update my user-facing software without any risk whatsoever that a kernel update will get thrown in with that (even if I don't read over the list to check—it shouldn't even be possible), nor with privileges to perform such even if it somehow did try to sneak in. I ought to be able to delete the directory with my user-installed packages and the system still boots with no errors or warnings—and yes, with a GUI and audio and networking and all that still working.

I know Nix and even a Homebrew port (with worse package availability, though) are options for achieving something kinda like this, but it still feels like swimming against the current.
gorgoiler, almost 5 years ago
Sudo serves one purpose well: for admin users to become root *with an audit trail*.

Why in 2020 do we still have non-admin users on a host? Services! I still have non-admin users on my hosts for www, databases, etc.

Without sudo, the alternative would be for ssh to PermitRootLogin, which is theoretically safe if root has a strong password etc., but in practice — should there ever be a bug in openssh that exploits permissive root logins — would needlessly expose systems to such a bug.
zeroimpl, almost 5 years ago
The Stack Exchange post is asking specifically about desktop users.

But for shared Linux servers, sudo is very useful. It allows controlling which users are allowed to administer the system. (Generally, people who aren't sudoers can only view log files or do other read-only things.) It's much better than letting people log in as root directly, since it keeps an audit trail of who is actually administering the device (they will show up using the `users` command, for example).

I rarely use sudo to do any fine-grained access control; it's almost always an all-or-nothing configuration: specific users are granted full access (with passwords), and everybody else gets none. I suppose this means that I use only 5% of its functionality, but this 5% is quite useful.
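The audit trail gorgoiler and zeroimpl are talking about is the line sudo writes to the system log for every invocation, accepted or not. The parser below is an added example (not code from anyone in the thread): it reads a constructed auth.log excerpt in sudo's standard syslog format, reports who escalated to which account, and flags denied attempts and grants of an interactive shell; the host, user and command names are made up.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt in the format sudo logs via syslog; the host,
# users and commands are made up for this example.
SAMPLE_LOG = """\
Jun 10 09:12:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service nginx restart
Jun 10 09:15:44 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun 10 09:16:02 web1 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /var/log/syslog
Jun 10 09:20:30 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=www-data ; COMMAND=/bin/sh
Jun 10 09:21:00 web1 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""
# invoking user, optional failure reason, TTY, PWD, target USER, COMMAND
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

def parse_sudo_log(text):
    """Return one dict per sudo event; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue  # CRON, sshd, ... are not sudo events
        ev = m.groupdict()
        ev["denied"] = ev["reason"] is not None  # reason is only logged on failure
        events.append(ev)
    return events

def audit_report(events):
    """Map each invoking user to the (target account, command) pairs they
    ran, and flag denials and escalations into an interactive shell."""
    by_user = defaultdict(list)
    findings = []
    for ev in events:
        if ev["denied"]:
            findings.append(f"{ev['ts']} {ev['user']} denied: {ev['reason']}")
            continue
        by_user[ev["user"]].append((ev["runas"], ev["cmd"]))
        prog = ev["cmd"].split()[0].rsplit("/", 1)[-1]
        if prog in SHELLS:
            findings.append(f"{ev['ts']} {ev['user']} got a {ev['runas']} shell: {ev['cmd']}")
    return dict(by_user), findings
```

Pointing the same parser at a real /var/log/auth.log (or `journalctl -t sudo` output) gives the per-user record zeroimpl describes, with the all-or-nothing "became root in a shell" cases separated out.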
easterncalculus, almost 5 years ago
Sudo provides access control for root access; it's definitely not useless. Sudo allows for logging and locking of root actions. Those settings can be configured irresponsibly and lead to compromise for sure, but the main purpose is creating a sense of order as to who can access what protected resources. Without sudo (or doas, or something like that), you're just running su whenever you want without real access control. For a timeshared system with a lot of users, handing out root in this fashion is especially irresponsible.
RIMR, almost 5 years ago
The most important feature of sudo isn't what it does, but what it doesn't do.

What it doesn't do is run everything with root permissions, giving every process you run access to the entire filesystem, which is what you would be doing without it.
LinuxBender, almost 5 years ago
sudo is great for phishing. If I want to take over a system, I just need the user's password. Given that sudo is almost never set up correctly and is unrestricted to anyone allowed to use it, I just send a script that requires sudo, capture the password, then relay the password in a DNS request back to myself. All in good red teaming fun, of course.
sojsurf, almost 5 years ago
Our teams do not use sudo primarily to gain root privileges. We use `sudo sh` to switch contexts to a non-root user with different privileges. This allows us to modify web application code in the security context that it executes in (lower privilege).

Occasionally we do need to access system level resources, and `sudo` allows us to do this in a way that forces us to acknowledge that we are doing something more dangerous. However, we prefer using automation tools such as Chef to accomplish those things in a measured, repeatable way.
amanzi, almost 5 years ago
I work in a mixed environment of both Windows and Linux, and in my opinion sudo is very similar to Windows UAC and local admin rights, in that you can give someone access to a computer without sudo or local admin rights and they won't be able to make any system-wide changes. But for someone who does have sudo or local admin rights, it's just a safeguard that should hopefully make the user think twice before escalating their privileges.

If a Windows user is tricked into downloading some malware, and runs it by using their local admin rights to bypass the UAC prompt, then the system is owned. I believe this is the same risk with sudo, although the hope is that the extra authentication prompt gives the user the opportunity to re-evaluate whether or not they want to run the command as a privileged user.
geofft, almost 5 years ago
1. There's value in sudo (or su, or ssh root@localhost, or whatever alternative you like to logging in directly as root) as a safety measure, which is different from a security measure. Not having a paper towel holder wall-mounted above your stove is a great idea to prevent accidental fires, but it's completely irrelevant to stopping an arsonist. It's worth distinguishing these two cases.

2. sudo can be used both for running a limited set of commands and for running an unrestricted set of commands. These are also two different cases. It's a bit tricky to ensure your limited set of commands is secure (you need to make sure none of the commands allow you to run unconstrained commands in turn), but if you do it, that *is* a meaningful security limit compared to giving a user account unrestricted sudo or running that code as root. This isn't usually relevant for typical desktop systems, but if you're looking at designing some more involved deployment, it's relevant.

3. For a multi-server deployment with a team of sysadmins, the question isn't really about sudo vs. su vs. ssh as root; the question is about the chain of accounts between a sysadmin's keyboard and their privileged shell. If you can come up with a design where the account that they can use (directly or indirectly) to log into root is more highly trusted than their everyday account (the one they use for downloading software from the web and trying it out, running code written by other people in the company, etc.), *then* there's a meaningful benefit. There are a lot of ways to do that. One is to allow them to log in from their workstation's account to both a privileged sysadmin account with sudo and an unprivileged everyday one, and they do their work logged in elsewhere with the unprivileged account. One is to allow them to log in from their workstation's account directly to root, or to an unprivileged everyday account; it's weaker in terms of auditing but it has the same security properties as the previous solution. One is to set up multiple local accounts on their workstation, one privileged and one not, so they can work locally with their unprivileged account. The important bit is that the unprivileged account can't escalate to the privileged one. It doesn't matter if it does so with sudo or with su or with ssh or whatever; all of those can be used to escalate privileges.

If you really want, you *can* apply the scheme above to your desktop system. Make two accounts, have one be an admin account and one not. If you're installing drivers etc., switch to the admin account, but otherwise work in the non-admin account. If the non-admin account gets broken into, you can reliably use the admin account to wipe it and restore from a known-clean backup. That's generally annoying in practice, though.
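geofft's second point, that a limited command set is only a real limit if none of the granted commands hands back an unconstrained shell, and mywittyname's `sudo service` example earlier in the thread, can be checked mechanically against a sudoers file. The linter below is an added example, not code from anyone in the thread; it parses a simplified subset of the sudoers grammar (no aliases, `@include` or line continuations), and the sudoers excerpt it reads is constructed for the example.

```python
import re
# Constructed sudoers excerpt (made up); lines: who hosts=(runas) [TAG:] cmd, cmd
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/sbin/service nginx restart
bob     ALL=(root) /bin/bash
carol   ALL=(root) /usr/sbin/service *, /usr/bin/systemctl status
"""
USER_SPEC = re.compile(r"^(?P<who>[%+\w-]+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
                       r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|NOSETENV|SETENV):\s*")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

def parse_sudoers(text):
    """(who, runas, nopasswd, command) per granted command; no aliases or includes."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers line: {raw!r}")
        runas = (m.group("runas") or "root").split(":")[0]
        nopasswd = False  # a tag carries over to later commands in the list
        for item in m.group("rest").split(","):
            item = item.strip()
            while (t := TAG.match(item)):
                if t.group(1).endswith("PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                item = item[t.end():]
            grants.append((m.group("who"), runas, nopasswd, item))
    return grants

def lint(grants):
    """Flag grants that are unrestricted in practice: ALL, a shell, or a
    wildcard argument (a sudoers '*' also matches spaces)."""
    findings = []
    for who, runas, nopasswd, cmd in grants:
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL":
            why = "ALL grants every command"
        elif prog in SHELLS:
            why = f"{prog} is a shell, so it can run anything"
        elif any("*" in a for a in cmd.split()[1:]):
            why = "wildcard argument admits any argument list"
        else:
            continue
        findings.append(f"{who} -> {runas}{' NOPASSWD' if nopasswd else ''}: {cmd}: {why}")
    return findings
```

In the constructed excerpt only alice's fixed `service nginx restart` grant and carol's `systemctl status` grant pass; the root, bob and `service *` lines are all effectively unrestricted sudo, which is the all-or-nothing case the thread keeps coming back to.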
IshKebab, almost 5 years ago
It's definitely a design flaw that sudo doesn't use a secure attention key, and because of that, it adds no security at all in its normal configuration. But implementing that is probably impossible given the Linux desktop's lack of overarching design, and the fact that nobody cares about it (even a basic login doesn't have a SAK; Windows had that back in Windows 2000).

I'm pretty sure X doesn't support SAKs at all: any program can intercept any keystrokes. Maybe Wayland does, but then you somehow need to integrate your sudo binary with Wayland. And good luck getting that to work over SSH.
Discombulator, almost 5 years ago
Security is about trade-offs. Talking about absolutes barely makes sense in this context, because any perfectly secure system is also perfectly useless.

Despite the chosen solution on SO (and from how the question is stated, it is clear that the asker only wanted confirmation), sudo has its uses, even if it is not perfectly secure (especially with the default configuration).

I suggest a more sensible approach for all security-related discussions: all systems have vulnerabilities, but some improve your security posture.
perryizgr8, almost 5 years ago
I just always login as root. As long as I'm careful, I don't think I'll get infected. If I'm not careful, sudo will anyway not save me.
jandrese, almost 5 years ago
One thing sudo does is prevent a local app takeover from completely owning your system. In particular, it can prevent a ransomware type attack from being able to touch your backups and makes it more difficult for the attackers to leave a persistent trojan in your system, especially the kind that can survive a reformat/reinstall or one that sniffs your network traffic.
kempbellt, almost 5 years ago
To each their own, but in my experience, both professionally and personally, I find `sudo` to be mostly useless, and an annoyance at best (which can be good for some people, just not me). My typical use-case for `sudo` is: *do X*, oh, I need sudo permissions, *sudo !!*.

Any time I'm on Linux, I usually operate as root to avoid this annoyance and I put more weight into securing the machine in other ways: IP restrictions, cycling keys, cycling the servers, etc.

Sudo can prevent rookie mistakes, like wiping an OS or removing certain directories, but I consider most machines I work on to be ephemeral anyways, and anytime I make one of these mistakes it is a reminder to not do that next time. I prefer this to being hand-held and denied access superficially.

Oddly though, I do like that `sudo` exists in its current form, for people who are not as experienced. For me personally, I almost never interact with it.
jasonhansel, almost 5 years ago
Here's my question: should we just give up on using Unix permissions (or ACLs) for access control, and just containerize everything to limit access? That seems to be where things are headed.
brodouevencode, almost 5 years ago
sudo is like CI/CD in the respect that it protects you from yourself.
Jnr, almost 5 years ago
sudo does what it is supposed to do: run commands as a specific user, without entering a password every time you run a command (because of caching). Depending on parameters it will also evaluate some parameters for that user.

If you don't have a particular use for it, just don't use it.
Koshkin, almost 5 years ago
Anything is better than having the root account enabled.
danans, almost 5 years ago
Yes, it's mostly useless, but it's also interesting to consider sudo in the context of its history, and how computing has changed in a way that's made it less useful.

sudo was most useful when computing mostly occurred in shared runtime multiuser environments, as found in many research universities from the 1970s through the early 2010s. It was useful in this situation because it allowed selective granting of privileges to regular users (students, researchers, professors) to run commands otherwise only available to the superuser (sudo = "substitute [root] user do").

Those were the days of asking your sysadmin for root access to do something potentially dangerous to the system or disruptive to other users on the shared Unix system (i.e. running the "shutdown" command, or listening on a reserved network port). sudo allowed the sysadmin to trust specific users with certain commands they wouldn't otherwise be able to run.

sudo (and its GUI equivalents) was then adopted into personal computer OS's as part of the first push to secure consumer OS's against their own users corrupting them inadvertently, or via the emerging problem of computer viruses. At the time, consumer OS's (Win3.x - Win95, original MacOS) ran all software with administrative privileges.

Those OS's were replaced by enterprise equivalents that were designed with stronger access control features (Windows NT, and the BSDs that became MacOSX).

The idea was that common tasks of the time (i.e. word processing, spreadsheets) would run as regular user accounts, and things like installing software or changing system settings would trigger a password prompt, just as happens in an enterprise or shared multiuser environment.

But consumer OS's basically have a single logged-in human user at a time. Thanks to the web, when computation needs to happen on a remote, shared compute machine, it happens over some form of RPC or API. Other concurrent "users" on most computers are usually system processes, not real users. How many of us log into a remote *shared* "compute" system anymore? Heck, how many of us even remember doing that?

Mobile OS's, and increasingly desktop OS's, are evolving into managed runtime environments, which by design have no facility for "root" access at all, often to the chagrin of tinkerers who miss having the ability to modify OS internals. Even server-based apps are designed to run in containers that run in managed server environments.

There's hardly a good reason anymore to design most systems and software to require root access to install or run. And yes, there are exceptions to this, but those are usually for legacy software, or very specialized use cases like OS development itself.