Against sudo
(Slightly cut down and edited from a long comment left in a script.)
sudo really bites. There are so many problems and limitations with it!
Pattern matching in command rules is by glob rather than regexp. Glob is 
much more limited; regexp would be so much more useful here. 
Effectively, glob is useless for any kind of realistic pattern matching. 
But it's not even the same glob as used in bash: * and ? in sudo's glob 
can match spaces! This means that * effectively always means "and as 
many other arguments as you want". Which pretty much ruins the point of 
filtering arguments in sudo at all. Since you _have_ to use glob if you 
want to do any kind of nontrivial argument match other than a fully 
fixed set of arguments. (Since there's no Kleene star or Kleene plus).
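The matching behaviour described above can be reproduced outside sudo. This is an added example, not code from the original comment or from sudo: a simplified Python model in which the invoked arguments are joined into one string before the rule's glob is applied, compared with the per-argument matching a shell user would expect. The rule and sample invocations are constructed, and Python's fnmatch only approximates the C fnmatch(3) that sudo uses.

```python
import fnmatch

def sudoers_args_match(rule_args, argv):
    """Simplified model of sudoers argument matching (an assumption of this
    example, not sudo's code): the arguments are joined with spaces and the
    whole string is matched, so '*' and '?' can span argument boundaries."""
    return fnmatch.fnmatchcase(" ".join(argv), rule_args)

def per_argument_match(rule_args, argv):
    """What shell globbing would suggest: each pattern word must match
    exactly one argument, and the argument count must be the same."""
    words = rule_args.split()
    return len(words) == len(argv) and all(
        fnmatch.fnmatchcase(arg, word) for arg, word in zip(argv, words))

def audit(rule_args, samples):
    """Return invocations the rule permits only because a wildcard
    swallowed one or more extra arguments."""
    return [argv for argv in samples
            if sudoers_args_match(rule_args, argv)
            and not per_argument_match(rule_args, argv)]

# Constructed rule, as in:  %operator ALL = /bin/cat /var/log/*
RULE_ARGS = "/var/log/*"

# Constructed invocations (arguments after the command name)
SAMPLES = [
    ["/var/log/messages"],                 # intended use
    ["/var/log/messages", "/etc/shadow"],  # extra argument rides along on '*'
    ["/etc/shadow"],                       # rejected either way
]

if __name__ == "__main__":
    for argv in SAMPLES:
        print(argv,
              "sudoers-style:", sudoers_args_match(RULE_ARGS, argv),
              "per-argument:", per_argument_match(RULE_ARGS, argv))
    print("over-matched:", audit(RULE_ARGS, SAMPLES))
```

Running candidate invocations through a check like this before deploying a wildcard rule shows which extra arguments it would let through; a rule with a fully fixed argument list has no such gap.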
Furthermore, the sudoers syntax is convoluted and squirrely. Clearly the 
result of many incremental hacks to jam in overly-narrow features one at 
a time instead of a coherent design. The result is messy and unreadable. 
And then, if you mess up the syntax of your sudoers file (or even just 
one fragment in sudoers.d) (and this is far too easy considering 
sudoers's horrible syntax) the result is that sudo always errors out and 
refuses to do anything useful! This makes it far too easy to lock 
yourself out of root access on your system altogether on systems where 
sudo is by default the only way to get to root. Which includes some very 
popular OSs, like OS X and Ubuntu. This is a nasty, nasty failure mode.
sudo's sanctioned solution to this problem seems to be that the user 
should always use visudo to edit a sudo config file, which does prevent 
this failure mode. But it's stupid to ask a user to remember something 
like that. And visudo seems to only be capable of changing /etc/sudoers 
itself, it won't handle fragments in /etc/sudoers.d/. And then there's 
this other command sudoedit... Why are there two commands for this one 
(ultra-narrow!) task? sudoedit doesn't even avoid the failure mode.
The sudo config language sucks. Yeah, it can be kinda made use of if 
you learn the stupid sudoers syntax and dodge around and learn to live 
with the various limitations. But it's more trouble than it's worth.
I'm making use of it in one of my scripts, but I shouldn't have bothered.
Now let's talk about the fact that sudo preserves the $HOME of the 
invoking user. But no other environment by default. Why???? Maybe I'm 
stupid but I don't see the point of this. It's totally useless. It just 
causes confusion every time. This is what causes people to type commands 
like: sudo su -c "....". Which is just weird. At least it can be turned 
off (now that I understand the problem and know how: always use the -i 
flag with sudo). But why is it the default?
What else? Well, the man page sucks. It's so hard to understand how to 
write a sudoers, you have to read the whole damn thing carefully to get 
anywhere. Use of BNF in the man page is not helping. I should be able to 
understand the basics (not every little detail, just the obvious) by 
looking in the first few pages, not have to dig down 12 pages to get to 
the essential meat.
It sucks that you have to specify the fully-qualified path to every 
binary that you're granting access to. That's just lame. It makes 
sudoers files less useful and portable and serves no realistic security 
purpose that I can see.
Now for the biggest issue of all: it's useless and stupid for sudo to 
even exist in the first place! Sudo is supposed to be a more capable and 
secure replacement for su, but it fails at this job entirely. The 
thinking goes something like this: su is bad because it requires you to 
type the root password all the time to do any system configuration but 
that's unsafe. Someone might look over your shoulder or capture it with 
a keylogger or something. (This is a moderately real concern. sudo 
doesn't solve it, tho.) Supposedly sudo doesn't require you to use the 
root password. Supposedly you can just use your normal user password 
instead. Supposedly, you don't even have to have a root password at all.
In fact, this is bunkum. If there is a password which enables root-level 
access to the system, then that is effectively a root password, 
regardless of whether you call it a user account or not. I call these 
accounts that "have sudo" root-equivalent accounts. Effectively, sudo is 
encouraging people to run everything as root, by telling them to set up 
root-equivalent accounts. 
As far as I can see, there are 2 things sudo does above su which are 
slightly nice: it enables logging of commands run as sudo, and it makes 
root permissions revocable on a per-user basis. 
Per-user revocability is a nice feature, but it can be achieved in 
other ways. 
Anyway, if you can't trust your admins (even former admins) to stay 
off machines they're no longer allowed on, then you have bigger 
problems. There are so many ways for a malicious admin to leave a 
backdoor onto a server.
I'm surprised that admins of big-server environments are willing to 
allow such a steaming pile of shit onto their machines at all, even less 
playing such an important security role. In short, the problems and 
annoyances of sudo are many, and the advantages are really of only 
limited utility in large organizations with lots of admins. Sudo makes 
no sense whatsoever on (either desktop or server) systems with only one 
or even 2 or 3 users. So, why is it pre-installed and the default on 
manifestly single-user desktop systems like Ubuntu and OS X?