$Id: SECURITY,v 1.3 2003/05/23 02:18:03 hbo Exp $ Security Considerations in Implementing Sudoscript How secure is sudoscript? The answer could be "not very," or "as secure as sudo." By itself, sudoscript does not confer any privilege or validate any credentials. It relies on sudo completely for those functions. Sudo itself can be configured to be fairly secure, or not secure at all. Unfortunately, configuring it for use with sudoscript tends to lean toward the latter condition. Giving People Root Access In its default mode, sudoscript enables (using sudo(8) and script(1)) an audited root shell. This is an inherently insecure thing to do because root owns all permissions in most Unix-like systems and can evade any audit trail the systems administrator tries to impose. There are very simple, and possibly innocent ways to do this. For example, on a system with X11, a simple xterm (or other X11 terminal program) will open a new, unaudited shell in a new window. Any other GUI application will be similarly unaudited. There are many, many other ways in which a root enabled user could evade sudoscript's audit trail. So the upshot of all this is, don't use sudoscript to give people root shells unless you trust them. Another possibility is that you may be forced into giving someone such a shell. In that case, sudoscript will give you an audit trail until the user decides to do something to evade it. Giving People non-Root Shells A new feature of sudoscript as of version 2.1.0 is the ability to run audited shells as users other than root. This narrows the scope of what a malicious user might do to evade the audit trail sudoscript provides. Unfortunately, there are still at least two ways (and probably more) that a user can do this. First, an xterm will still open an unaudited window. Second, with the current sudoscript architecture, a user must be able to write to the named pipe connected to the logging daemon. ANY terminal output in the audited shell will be written to the pipe. So a clever user could do something bad, then simply cat(1) a file containing a very large, but innocent terminal session to his or her screen. After a certain point, the sudoscript log files will turn over enough times to flush the evidence of the bad action off the system. There are defensive steps sudoscriptd could take to minimize some of the obvious attacks. The daemon could watch for large quantites of similar data, as would result from a 'dd if=/dev/zero ..' or random data such as from 'openssl rand LARGENUMBER'. And having a very large logging partition would help deter such attacks. Also, looking at the timestamps might show suspiciously rapid command invocation in the case of a phony login session. But the weakness is open ended, since an attacker can choose practically any data to throw at the logging daemon. Frankly, I can't think of any way an application like sudoscript running on a more-or-less standard version of Unix could get around this completely. Because of this, I haven't taken the trouble implement any of the defensive steps outlined above. Conclusion Sudoscript was written in an environment where users already had root. (For details see http://egbok.com/sudoscript/PORCMOLSULB.html) In that environment, I was not concerned that my users would deliberately break system security. I was more concerned that they might inadvertently screw-up their systems. Sudoscript allowed me to have a recent audit trail of user activity to consult when something went wrong. It has saved my and my users' bacon many times. Used in that way, sudoscript is a useful tool. Used to try to enforce accountability on a hostile user population, it has dubious value in my opinion.