To say that as a security professional I'm displeased when I see bad security advice is a bit of an understatement. I believe the definition of security theatre says it all: "the practice of taking security measures that are intended to provide the feeling of improved security while doing little or nothing to achieve it". I believe it's actually worse than not employing such measures at all, as it gives a false sense of security. There are good reasons why some jobs are better left to professionals.

So, what's so bad about passwordless sudo? Well, it fails to prevent anything from a security perspective. There's only one benefit: protection against incompetence, i.e. a bad command typed without the sudo prefix won't destroy the system. That is a safety net, not a security boundary. When every process running as that user can escalate to root at will, or modify the user's own configuration (shell rc files, PATH, aliases) to inject arbitrary code that is later escalated, the audit trail isn't worth the bytes auth.log takes up: whoever got root that way can rewrite history. Some form of remote audit would preserve an audit trail, but I believe the Venn diagram of the intersection between users of passwordless sudo and users of a remote audit trail (or even users who read auth.log for a change) is 0 (zero).

Passwordless sudo is, as a tweet put it, just root with extra steps, like having a Docker socket around. It is a bad idea no matter how many times it is recommended.

This security meme stems from a few misunderstandings:
- That the root user is a major security risk.
- That disabling root somehow fixes that risk.
- That the sudo alternative is somehow better, without assessing the implications of the way it is being used.

All of the operating systems running on the vast majority of devices have a superuser (typically named "root" on UNIX and UNIX-like systems). Yes, even Windows has one: the SYSTEM account. So, branding root itself as a major security risk is a misnomer, as virtually every device around us has one. The risk is unauthorised use, and that is what security measures need to prevent.

This takes me to the second bit: that disabling the root account somehow fixes the previously perceived risk.
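To make the "root with extra steps" point concrete, here is an added example (my own script, not code from the original post) that audits a sudoers fragment for passwordless grants and prints the corrected form. The sudoers text is a constructed sample embedded in the script so it runs offline; the user names in it (alice, backup) are made up. On a real host you would feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` instead.

```shell
#!/bin/sh
# Added example, not from the original post: find sudoers entries that
# hand out commands without a password, and show the hardened form.

# Constructed sample sudoers (not from any real host). It contains:
#  - a blanket "NOPASSWD: ALL" grant (root with extra steps),
#  - a per-command NOPASSWD grant (rsync as root can read/write any file,
#    so it is effectively the same thing),
#  - a "!authenticate" Default, which disables the password prompt without
#    the NOPASSWD keyword ever appearing on the user's line.
SAMPLE_SUDOERS='# constructed sample, not a real host
Defaults   env_reset
root       ALL=(ALL:ALL) ALL
%sudo      ALL=(ALL:ALL) ALL
alice      ALL=(ALL) NOPASSWD: ALL
backup     ALL=(root) NOPASSWD: /usr/bin/rsync
Defaults:alice !authenticate'

# find_passwordless TEXT: print every non-comment line that grants something
# without a password, via the NOPASSWD tag or the !authenticate Default.
find_passwordless() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep -E 'NOPASSWD|!authenticate'
}

# count_passwordless_all TEXT: number of entries that grant *every* command
# without a password ("NOPASSWD: ALL"). Any process running as such a user
# is root for all practical purposes.
count_passwordless_all() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep -Ec 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' || true
}

# harden_sudoers TEXT: the corrected configuration. Drops the NOPASSWD tag
# (sudo then requires the user's password, which is the default) and removes
# "!authenticate" Defaults. Everything else is left as-is.
harden_sudoers() {
    printf '%s\n' "$1" \
      | sed -E -e '/^[[:space:]]*Defaults.*!authenticate/d' \
               -e 's/[[:space:]]*NOPASSWD:[[:space:]]*/ /'
}

# live_check: on a real host, report whether the calling user can currently
# run sudo without a password. "sudo -n" never prompts; it fails when a
# password would be required. Note it also succeeds while a sudo timestamp
# from a recent password entry is still valid. Not called automatically
# because it needs sudo and a real host.
live_check() {
    if command -v sudo >/dev/null 2>&1 && sudo -n true 2>/dev/null; then
        echo "passwordless sudo: YES (this shell is root with extra steps)"
    else
        echo "passwordless sudo: no (or sudo not installed)"
    fi
}

echo "Passwordless grants in the sample:"
find_passwordless "$SAMPLE_SUDOERS"
echo
echo "Entries granting ALL without a password: $(count_passwordless_all "$SAMPLE_SUDOERS")"
echo
echo "Hardened sample:"
harden_sudoers "$SAMPLE_SUDOERS"
```

Run it as-is to see the three flagged lines and the hardened output; call `live_check` from an interactive shell to test the host you are sitting on. The hardened form only restores the password prompt; if a scoped NOPASSWD entry is genuinely needed (the backup/rsync pattern), judge it by what the allowed command can do as root, not by the fact that it is "just one command".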