Using sudo non-interactively for administration is potentially harmful.

Popular Entries

Monday, March 9. 2009

Using sudo non-interactively for administration is potentially harmful.

It seems to be all the rage, lately, to eschew root shells and run all administative commands with sudo. Sudo is a great tool for allowing otherwise unprivileged users to perform certain tasks for themselves (and thus not having to annoy the sysadmin regularly) and it's also good for keeping logs of what tasks were performed.

However, what I'm seeing is a general trend towards educating people to administer servers by using sudo non-interactively. Eg:

$ sudo /etc/init.d/networking restart

instead of

$ sudo su - # /etc/init.d/networking restart

Ubuntu documentation is notorious for this.

The first method is bad practice because it will automatically drop root privileges as soon as the command has completed. This means that if you've made a mistake, you can potentially lock yourself out of your own server.

The second method will return you to a root prompt after you've run the command, and - importantly - will allow you to check that everything still works. You should always be checking that changes you've made work, before you drop root.

Sounds unlikely? Hardly. Even with the best intentions, mistakes occur. I've seen this problem happen; a person using sudo accidentally nulled the /etc/passwd file and managed to lock himself out of the root account. If this had been able to be done using sudo su - instead, then he would have been able to test that he could still access root, from another window, before logging out of the root account in his original window. Unfortunately, site policies prevented this (although it could be worked around by copying /bin/bash to /tmp and then running sudo /tmp/bash).

And it's not limited to just nulling the password file. There's plenty of things that you can screw up that will lock you out of your server if you don't have a chance to check them first - /etc/shadow, anything under /etc/pam.d, /etc/sudoers, /lib/libpam-ldap.conf to name just a few. In Ubuntu's case, if you make a mess of the sudoers file, you might not even have a root password to fall back on, due to their insane insistence on not creating one at installation time.

Posted by Paul Dwerryhouse in Linux at 10:42 | Comments (0) | Trackbacks (0)

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

No comments

Add Comment

Name
Email
Homepage
In reply to
Comment	To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above: Enclosing asterisks marks text as bold (word), underscore are made via _word_.
	Remember Information? Subscribe to this entry