Its a concept called defense in depth. Without root login now you require the key AND sudo password.
Also, outside of self hosted you will have multiple people logging in. You want them to log in with their own users for logging and permission management.
How did the attacker gain your user’s privileges? Malware-infected user installation? A vulnerability in genuine software running as your user? In most scenarios these things only become worse when running as root instead.
The scenario OC stated is that if the attacker has access to the user on the server then the attacker would still need the sudo password in order to get root privileges, contrary to direct root login where the attack has direct access to root privileges.
So, now i am looking into this scenario where the attack is on the server with the user privileges: the attacker now modifies for example the bashrc to alias sudo to extract the password once the user runs sudo.
So the sudo password does not have any meaningful protection, other then maybe adding a time variable which is when the user accesses the server and runs sudo
And what do you suggest to use otherwise to maintain a server? I am not aware of a solution that would help here? As an attacker you could easily alias any command or even start a modified shell that logs ever keystroke and simulates the default bash/zsh or whatever.
If your account is compromised, the shell init code could be modified to install a keylogger to discover the root password. That’s correct.
Still, that capture doesn’t happen instantly. On a personal server, it could be months until the owner logs in next. On a corporate machines, there may be daily scans for signs of intrusion, malware, etc. Either way, the attacker has been slowed down and there is a chance they won’t succeed in a timeframe that’s useful to them.
It’s perhaps like a locking a bike: with right tool and enough time, a thief can steal the bike. Sometimes slowing them down sufficiently is enough to win.
Its a concept called defense in depth. Without root login now you require the key AND sudo password.
Also, outside of self hosted you will have multiple people logging in. You want them to log in with their own users for logging and permission management.
Doesn’t even have to be the key necessarily. Could get in via some exploit first. Either way taking over the machine became a 2-step process.
you would need 2 different exploits for 2 different types of attack though.
its always good to have an extra layer of “oh shit i need another exploit”. unless your threat modelling includes nation-states, that is.
At which point you should have a handful of extra layers
The sudo password can be easily extracted by modifying the bashrc.
And who is going to edit your .bashrc?
The attacker that is currently with user privileges on the server?
How did the attacker gain your user’s privileges? Malware-infected user installation? A vulnerability in genuine software running as your user? In most scenarios these things only become worse when running as root instead.
The scenario OC stated is that if the attacker has access to the user on the server then the attacker would still need the sudo password in order to get root privileges, contrary to direct root login where the attack has direct access to root privileges.
So, now i am looking into this scenario where the attack is on the server with the user privileges: the attacker now modifies for example the bashrc to alias sudo to extract the password once the user runs sudo.
So the sudo password does not have any meaningful protection, other then maybe adding a time variable which is when the user accesses the server and runs sudo
Simple solution is to not use sudo.
Sorta like Slackware’s default.
Nah just set up PAM to use TOTP or a third party MFA service to send a push to your phone for sudo privs.
…and if you don’t have your phone attached to your hand…?
And what do you suggest to use otherwise to maintain a server? I am not aware of a solution that would help here? As an attacker you could easily alias any command or even start a modified shell that logs ever keystroke and simulates the default bash/zsh or whatever.
$ su -
Oh that’s dastardly
that’s why root owns my .bash* stuff
I don’t think that actually works; the attacker could just remove .bashrc and create a new file with the same name.
If the .bashrc is immutable, the attacker can’t remove it.
That’s how it works.
The home directory would need to be immutable, not bashrc.
?
It’s .bashrc, not bashrc, and .bashrc is in the home directory.
If .bashrc is immutable, it can’t be removed from home.
you’re right. that’s something i wanted to look into. guess setfacl would do the trick?
“chattr +i” is what I use to make things immutable
thanks
This was downvoted, but is a good question.
If your account is compromised, the shell init code could be modified to install a keylogger to discover the root password. That’s correct.
Still, that capture doesn’t happen instantly. On a personal server, it could be months until the owner logs in next. On a corporate machines, there may be daily scans for signs of intrusion, malware, etc. Either way, the attacker has been slowed down and there is a chance they won’t succeed in a timeframe that’s useful to them.
It’s perhaps like a locking a bike: with right tool and enough time, a thief can steal the bike. Sometimes slowing them down sufficiently is enough to win.
@ShortN0te @truthfultemporarily What does sudo have to do with ssh keys?