
Re: FC4 "sudo su -" breaks root's access to X server



On 6/26/05, Michael A. Peters <mpeters mac com> wrote:
> On Sat, 2005-06-25 at 23:15 -0500, Jonathan Berry wrote:
> > Hi all,
> >
> > I've noticed that with FC4 if I use "sudo su -" to get a root shell
> > and try to open an X application (like a GUI text editor, for
> > instance) I get the error:
> > Xlib: connection to ":0.0" refused by server
> > Xlib: No protocol specified
> 
> I saw this mentioned elsewhere in context of pam_console and it seems to
> be a bug - but really, it is a BAD idea to allow sudo to do anything
> that can result in a root shell. Really bad idea. I know that is the
> default on OS X - but OS X has a lot of bad defaults (which is why everyone
> except me has to fix permissions so often - I never log into OS X as an
> admin and thus permissions never get screwed up)

Hi Michael,

Okay, well a bug would explain the difference in behavior.  Yeah, I
almost placed a disclaimer about knowing the security risks.  I only
have one user, me, and I trust myself fairly well.  The problem is,
looking at "man sudo" there are all kinds of gotchas that could allow
someone who really wanted to to get a root shell by various means
other than just "sudo su -".  So to give me this security and still be
able to use sudo for general admin purposes (access to most admin
programs) would take too much effort for the little bit of security
gained.

> sudo is to allow certain users to be able to run certain tasks that they
> otherwise would not have sufficient privilege to run. It should ONLY be
> used for users who should not have the root password, but for which
> other authentication mechanisms (such as pam and/or suid) are not proper
> ways to give them access to something they need to do (i.e. a shell script
> that needs permission to mount an iso image over loopback, or a junior
> admin who needs permission to restart apache)

You can configure sudo to run in several different ways.  In some
ways, it is not really any different from su, except that sudo has
logging capability, so you have an audit trail to see what commands
have been run with sudo.  Of course, if someone gets a root shell,
then they could edit that audit trail so that everything they do is
hidden.  There are always loopholes in security.  One must pick the
battles that are worth being paranoid over :).

The reason I am using sudo is for convenience.  I set it up with the
NOPASSWD option, which is not great for security, but as I said, this
is a personal, single user box.  I like having full control of my box,
but I don't want to log in as root as I do recognize the security
risks associated with that as being severe enough to warrant concern.

> The problem with sudo is that if sudo is configured to allow a user to
> spawn a shell, then the root account is no more secure than that user's
> password.

Honestly, my user's password is probably better than root's at the
moment ; ).  I like to have long passwords (> 20 chars, with all
types).  It's just nice to only type that in once to log in and then
be able to do whatever with sudo.

> If you want to run a single command as root and you have root access,
> you can do so via
> 
> su --command="command to run"

This is the kind of thing sudo was made for.  I do use it this way for
some stuff, but if I need to do several commands involving admin stuff,
I'll usually just open up a root shell.

> If you need a root shell, use su - (or just plain su if you don't need
> to get root's environment)

I could do that and just have to type root's password once to get a
shell.  That may be my best option.  What I do is have a
gnome-terminal profile called root that runs "sudo su -" so I can have
a root shell in a tab with a red background that reminds me to "be
careful" :).  The sudo just allows me to skip the password.

> It is a bad idea to use sudo to become root. Even on OS X - which seems
> to be what made the notion of doing that popular.

Again, using sudo is a matter of convenience for me.  I see the
benefits of not having to type root's password each time I want to be
root outweigh any possible security risks, which seem minor
considering my long password, the fact that there is only one user on
the box, and there is a hardware firewall between the Internet and it.
I think the one user password is enough protection here.  In another
environment, I would mostly agree with your comments :).

I don't know about OS X (ahh, okay, just noticed your email address :) ),
but I have installed Ubuntu to see what it is like and it uses sudo
exclusively.  Only users in a special admin group have access and have
to type *their* password to use sudo or the similar X helper stuff for
GUI admin tools.  root is locked out and cannot login.  It's a
different security model and is interesting.  There are certainly pros
and cons of both approaches (sudo with user password or su - with root
password).

Jonathan
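One way to check a sudoers file for the two configurations the thread argues over (NOPASSWD for ALL commands, and rules that hand out su or a shell), as an added example that is not from the thread or from sudo itself; the sudoers content below is constructed for illustration, and `audit_sudoers` / `risky_rule_count` are names chosen here.

```shell
#!/bin/sh
# Constructed sample sudoers (not a real system's file). It mixes the
# thread's "NOPASSWD: ALL" setup, the Ubuntu-style admin group that still
# asks for the user's password, a narrow service-restart rule, and a
# passwordless "su -" rule.
SAMPLE_SUDOERS=$(cat <<'EOF'
# constructed sample sudoers
Defaults    requiretty
root     ALL=(ALL)       ALL
jonathan ALL=(ALL)       NOPASSWD: ALL
%admin   ALL=(ALL)       ALL
junior   ALL=(root)      /sbin/service httpd restart
ops      ALL=(ALL)       NOPASSWD: /bin/su -
EOF
)

# audit_sudoers: prints one line per rule that yields a root shell cheaply.
# Flags (1) NOPASSWD combined with ALL, and (2) any command list naming
# su or a shell, which gives a root shell regardless of the password policy.
audit_sudoers() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blanks
        /^Defaults/          { next }              # option lines grant nothing
        {
            spec = $0
            sub(/^[^=]*=/, "", spec)               # keep what follows "host="
            sub(/^\([^)]*\)[[:space:]]*/, "", spec) # drop the "(runas)" part
            nopasswd = (spec ~ /NOPASSWD:/)
            sub(/^.*:[[:space:]]*/, "", spec)      # drop tags, leaving commands
            if (spec == "ALL" && nopasswd)
                print "NOPASSWD for ALL commands: " $0
            else if (spec ~ /(^|\/)(su|sh|bash)([[:space:]]|$|,)/)
                print "rule grants a shell (su/sh/bash): " $0
        }'
}

# risky_rule_count: number of flagged rules, for scripting a pass/fail check.
risky_rule_count() {
    audit_sudoers "$1" | wc -l | tr -d '[:space:]'
}

audit_sudoers "$SAMPLE_SUDOERS"
echo "risky rules: $(risky_rule_count "$SAMPLE_SUDOERS")"
```

Rules that require the user's own password (root and %admin above) are left alone, which is the Ubuntu model the thread contrasts with "sudo su -" under NOPASSWD.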

