
Comment by TacticalCoder

10 hours ago

> This, this is something I don't understand: there are a billion ways to gain root once you control the user that regularly uses sudo.

I won't enter into all the details but... It's totally possible to not have the sudo command (or similar) on a system at all and to have su with the setuid bit off.

On my main desktop there's no sudo command, and there are zero binaries with the setuid bit set.

The only way to get root involves an "out-of-band" access, from another computer, that is not on the regular network [1].

This setup has worked for me for years. And years. And I very rarely need to be root on my desktop. When I do, I just use my out-of-band connection (from a tiny laptop whose only purpose is to perform root operations on my desktop).

For example, today: I logged in as root and blocked the three modules with the "dirty page" mitigation suggested by the person who reported the exploit.

You're not faking sudo with a mocking-bird on my machine. You're not using "su" from a regular user account. No userns either (no "insmod", no nothing).

Note that it's still possible to have several non-root users logged in at once, but from one user account you cannot log in as another. You can, however, switch to TTY2, TTY3, etc. and log in as another user. And the whole XKCD about "get local account, get everything of importance" ain't valid either in my case.

I'm not saying it's perfect but it's not as simple as "get a local shell, wait until user enters 'sudo', get root". No sudo, no su.

It's brutally simple.

And, best of all, it's a fully usable desktop: I've been using such a setup for years (I've also got servers, including at home, with Proxmox and VMs etc., but that's another topic).
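The comment above describes a desktop with no sudo, no setuid binaries and no unprivileged user namespaces. The script below is an added example (not the commenter's code) that audits a system for exactly that surface: it lists setuid/setgid files under a directory, reports whether a sudo binary is on PATH, whether su carries the setuid bit, and whether unprivileged user namespaces are allowed. It assumes a Linux system with POSIX find and the `/proc/sys/user/max_user_namespaces` sysctl; the directory to scan and the `--run` flag are choices made for this example.

```shell
#!/bin/sh
# Added audit script (not from the thread): inventories the local privilege
# escalation surface the commenter removed. Run with "--run [DIR]" to print a
# report; with no arguments it only defines functions so it can be sourced.

# Every regular file under DIR (default /) with the setuid or setgid bit set.
# -xdev keeps the scan on one filesystem; unreadable dirs are skipped quietly.
list_setuid_setgid() {
    dir="${1:-/}"
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Number of setuid files under DIR. The commenter's desktop target is 0.
count_setuid() {
    dir="${1:-/}"
    find "$dir" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# "present" if a sudo binary is on PATH, otherwise "absent".
sudo_status() {
    if command -v sudo >/dev/null 2>&1; then echo present; else echo absent; fi
}

# State of an su binary (argument, or whatever is on PATH):
# "setuid", "nosuid" (installed but cannot escalate), or "missing".
su_status() {
    su_path="${1:-$(command -v su 2>/dev/null)}"
    if [ -z "$su_path" ] || [ ! -e "$su_path" ]; then echo missing; return; fi
    if [ -u "$su_path" ]; then echo setuid; else echo nosuid; fi
}

# Whether unprivileged user namespaces are allowed. A max of 0 disables them
# entirely (the "no userns" part of the setup). "unknown" if the sysctl is absent.
userns_status() {
    f=/proc/sys/user/max_user_namespaces
    if [ ! -r "$f" ]; then echo unknown; return; fi
    if [ "$(cat "$f")" = "0" ]; then echo disabled; else echo enabled; fi
}

# Human-readable report for DIR.
audit_report() {
    dir="${1:-/}"
    echo "setuid/setgid files under $dir:"
    list_setuid_setgid "$dir" | sed 's/^/  /'
    echo "setuid count: $(count_setuid "$dir")"
    echo "sudo: $(sudo_status)"
    echo "su: $(su_status)"
    echo "unprivileged userns: $(userns_status)"
}

# Only scan when explicitly asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    audit_report "${2:-/}"
fi
```

A zero setuid count plus `sudo: absent` and `su: nosuid` or `su: missing` matches the configuration the commenter describes; anything else is a path by which a compromised user account could still reach root.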

Do you install system-wide software at all? How do you configure it?

That's my main reason to use "sudo" on the desktop.

I suppose I could install every piece of software locally, either from source or via flatpak, but this is a lot of work and much harder than doing it the easy way and using global install via my distro. Plus, non-distro installs are much more likely to be out of date and contain vulnerabilities of their own.

NixOS comes to mind, rootless runpod, Qubes OS.

But they all have something in common. The issue is that your user is compromised; that means the applications running in that user are compromised. The only thing you gain is that you can trust your system, you can trust that your system is not compromised, which is only relevant with infrastructure, since if your user is compromised you're already fucked. Multi-user setups with untrusted accounts are inherently insecure, and in infrastructure the blast radius might be thousands of users that use the said service.

The breakdown looks something like this:

  - you heavily compromise a single user <- exploit not relevant
  - you compromise a shared setup via a bad user to compromise a lot of users <- should never be used anymore, namespace isolation is the replacement
  - you somewhat compromise a lot of users via infra compromise <- where this hurts

Yes, you are very special and smart. Good for you!

Most people however aren't and will happily run sudo after an npm postinstall script tells them to apt-install turboencabulator for their new frontend framework to function.

  • You really can't protect against a malicious sysadmin. Let them be bitten, maybe they will be smarter next time.