Linux Fu: The Root Cause

There was a time when real system administrators just logged into Unix systems as root. But as we all know — with great power comes great responsibility. It’s too easy to do terrible things when you are really just trying to do normal work, and, on top of that, malicious software or scripts can do naughty things without you noticing. So common practice quickly changed to where an administrator had a personal account but then had a way to run certain programs “as root” which means you had to deliberately decide to wield your power.

Before long, people realized you don’t even need a root login account. That way, an attacker can’t try to log into root at all. Sure, they could still compromise your account, but while a random attacker knows you probably have a root user, it is much harder to guess that your login ID is JTKirkJr or whatever.

There are other ways to control what users can do, but many Linux and Unix installations still use this model. Root can do everything except log in, and specific users get the privilege to do certain things.


Linux Fu: Superpowers For Mere Mortals

You can hardly mention the sudo command without recalling the hilarious XKCD strip about making sandwiches. It does seem like sudo is the magic power to make a Linux system do what you want. The only problem is that those superpowers are not something to be taken lightly.

CC-BY-NC-2.5 by [XKCD]
If you are surfing the web, for example, you really don’t want to be root, because if someone naughty takes over your computer they could do a lot more harm with your root password. But still, there are times when you want to run certain commands that are normally root-only and don’t want to bother with a password. Luckily, sudo can handle that use case very easily.

Why?

As a simple example, suppose you like to shut your computer down at the end of the day. You run the shutdown command from the terminal, but it doesn’t work because you aren’t root. You then have to do it again with sudo and, if you haven’t authenticated lately, provide your password. Ugh.


This Week In Security: Sudo, Database Breaches, And Ransomware

Obligatory XKCD (we couldn't resist, OK?)

Sudo is a super important Linux utility, as well as the source of endless jokes. What’s not a joke is CVE-2021-3156, a serious vulnerability around incorrect handling of escape characters. This bug was discovered by researchers at Qualys, and has been in the sudo codebase since 2011. If you haven’t updated your Linux machine in the last couple of days, you may very well still be running the vulnerable sudo binary. There’s a simple one-liner to test for the vulnerability:

sudoedit -s '\' `perl -e 'print "A" x 65536'`

In response to this command, my machine throws this error, meaning it’s vulnerable (a patched sudo instead reports a usage error, because sudoedit does not accept the -s option):

malloc(): corrupted top size
Aborted (core dumped)

To understand the problem with sudo, we have to understand escape characters. It really boils down to spaces in file and folder names, and how to deal with them. You want to name your folder “My Stuff”? That’s fine, but how do you interact with that directory name on the command line, when spaces are the default delimiter between arguments? One option is to wrap it in quotation marks, but that gets old in a hurry. The Unix solution is to use the backslash character as an escape character. Hence you can refer to your fancy folder as My\ Stuff. The shell sees the escape character and knows to interpret the space as part of the folder name rather than as an argument separator. Escape handling is a common place to find vulnerabilities, because there are plenty of edge cases: in this bug, a command-line argument ending in a lone backslash is treated as escaping the string terminator, so sudo copies past the end of the argument and overflows its heap buffer.

Linux Fu: Counter Rotate Keys!

If you’ve done anything with a modern Linux system — including most variants for the Raspberry Pi — you probably know about sudo. This typically allows an authorized user to elevate themselves to superuser status to do things.

However, there is a problem. If you have sudo access, you can do anything — at least, anything the sudoers file allows you to do. But what about extremely critical operations? We’ve all seen the movies where launching the nuclear missile requires two keys counter-rotated at the same time and a third firing key. Is there an equivalent for Linux systems?

It isn’t exactly a counter-rotating key, but the sudo_pair project — a pre-release open-source project from Square — gives you something similar. The project is a plugin for sudo that requires another user to authorize a sudo request. Not only do they authorize it, but they get to watch the session as it happens, and can even abort it if something bad is going on.


Interview: Inventing The Unix “sudo” Command

It was just one of those nights. We were sitting at the O’Neil’s San Mateo Pub, taking a break after a long day at the Maker Faire. Hackaday was hosting an informal drink-up and a steady stream of colorful characters had just started flowing in. That’s when we met [Robert Coggeshall].

[xkcd, 149]
It started off as a normal discussion – he runs Small Batch Assembly and does a lot of interesting things in the maker space. Then he brought up a fascinating detail – “Oh, did you know I also co-invented sudo back in the 80s?”

If you ever did as much as touch a Unix system, you’ll know this is a big deal. What came as an even bigger surprise was that something like sudo had to be “invented” in the first place. When thinking about the base Unix toolkit, there is always this feeling that it all emerged from some primordial soup of ideas deep inside of Bell Labs, brought to life by the infinite wisdom of [Ken Thompson] and the rest of the gang. Turns out that wasn’t always the case. We couldn’t miss asking [Bob] for an interview, and he told us how it all came about…


Rotary Dial Authenticates Sudo Commands

[W1ndman] won’t win any security awards for this build, but it’s an interesting idea. On many Linux-based systems, commands can be run with administrator privileges by prefacing them with the keyword ‘sudo’. Normally you’d be asked for a password, but [W1ndman] used the Pluggable Authentication Modules (PAM) to authenticate via his own shell script. That script checks a code entered on this rotary dial for authentication. An Arduino takes care of listening for each digit that is dialed and then sends the code over USB for comparison with a stored file. We’re not sure if that stored code is in a plain file or is otherwise protected, but at the very least this prevents you from using ‘sudo’ willy-nilly.