Sudo with NOPASSWD: How bad is it?

I have mentioned in another thread that I am using sudo with NOPASSWD and that I sometimes even run GUI apps like gparted, gedit or filemanager as root. This is the thread:

I do not want to hijack that thread. That's why I start a new thread here.

Here is my take on this topic. Please reply with your opinion.

My PC has only one user account. All other accounts are system accounts like root, etc. For convenience I use NOPASSWD with sudo to make my life easy. I do not believe that this imposes an extra risk for my data.

If a hacker gets access to my user account, all my data is available right away: my emails, my pictures, my documents, my ssh keys for remote access, etc. This is already a worst case scenario. It can not get worse. If the hacker gets root access to this PC with my NOPASSWD sudo setting, he can eventually kill my PC, remove the operating system etc. but not more. My data was lost already before the hacker used sudo to get root access. Why should I not use NOPASSWD? It does not make things worse for me.

The second topic is about running GUI programs with sudo. What is wrong about using a graphical file manager like dolphin or nautilus with root if it is convenient for a certain task? What is wrong with using a graphical editor instead of vi or nano when editing a file as root? I don’t understand the security implications. What I have read so far are more academic or theoretical issues with GUI programs as root.

What is your take on this?

1 Like

You have basically imitated the security model for Microsoft Windows, the keys to the kingdom.
You can do better, but it’s less ‘convenient’. In your use case, your account is root (essentially) and there is very little further privilege even w/o sudo. So, no, it’s not any worse.
Have you ever looked at how many linked libraries a typical GUI program uses, and you trust them all? CLI commands usually have far fewer dependencies.

1 Like

What do you mean with trust the libraries? What kind of trust do I need to give the gtk libraries? And by the way, when I start gparted without sudo it uses pkexec to get root access. So it is totally normal for gparted to use all these libraries with root privileges.

I mean by running them as root you are trusting (potentially) every function in every library to do no ill, whether incompetency in programming or actual evil. Both occur.

1 Like

As for nopasswd, you have to consider your own risk profile.

That being said, what it fundamentally does is make user access the same as root access. A bad actor getting access to your user data is very, very bad but getting root access is worse. With root access, they can easily install a rootkit providing them with long-term access even if you closed the access to the account.

As for running GUI programs with sudo the answer is, “it depends”. If the program was made to be run as root, it is not a huge deal. However, the vast majority of GUI tools are not made to be run as root and running them as root can have all kinds of risks and side effects. This is even more true when run via sudo where it has a mix of the user environment and the root environment.

IMO, a GUI running as root should minimally meet the following criteria:

  • It should not read data from the internet
  • It should not open any ports
  • It should not write any data to the home directory

So running gparted as root shouldn’t be a huge deal.

In your specific example, I don’t see a good reason to run nautilus or dolphin as root. They both support admin:// which safely elevates to give full access to the filesystem as root. In this case, the GUI itself is not running as root, but you are accessing the files as root.

5 Likes

You raise an excellent point, Dalto. A rootkit and/or malware may make your pc the vector of a botnet creating havoc around the world. Infecting other machines with trojans, generating denial-of-service attacks, etc.

2 Likes

I am a single user case and I have sudo set normally. I don’t mind putting in my password to run a root command. This helps me to ensure that even if I did get hacked the ‘Hacker’ would have minimal access. I also live alone but I live in Rural America so the closest trip to town is a 10 minute drive. (Yeah I’m not way out there but out there).

Each person has a very unique case. My opinion is that if it is something that is going to be ‘Always Connected’ then I want to have the extra safeguard whether I actually need it or not. But my life experiences have taught me it’s always best to play safe now than sorry later.

3 Likes

IMHO getting access to all the data is not the only worst case scenario. The other scenarios that are more dangerous are as follows:

  1. Identity theft to carry out Financial crimes or other crimes.
  2. Making the computer part of a bigger botnet which can be used for Crypto mining, DDoS, and other nefarious attacks. For example the computer might be used to hack into some other servers or disable utility systems. Or used to spread malware/ransomware. Or used as a command and control server. Or relay server for malware/ransomware/etc. In case of Crypto mining or blockchain attack the price of electricity is paid by you.
  3. Loss of reputation, Financial loss and Blackmail.

I am not saying that running GUI applications with sudo is good or bad. The issue is the damage that can be done, whether by yourself or by a hacker. Recently I damaged a file that was being used by pacman and yay. That happened because I had run a GUI application with elevated privileges. These types of damages could turn out to be fatal. So in a nutshell using sudo to run GUI is fine as long as appropriate care is taken and the user is aware of what he or she is doing.

Further I agree running a graphical editor, kedit/gedit/kate/notepad++, beats hands down running vi/nano in a terminal. There is a reason, after all, that DEs and WMs exist.

This cannot be achieved by sudo, maybe with run0. Or we only use applications which do not have the above mentioned 3 attributes with sudo.

Can you please explain in more detail about admin://. I know that the yay command uses the sudo command internally. But I am not aware of nautilus or dolphin using admin://. Would be helpful.

3 Likes

Yes, this is my point. If a GUI application doesn’t do those 3 things, you shouldn’t run it as root.

You can put it in the address bar. Try it with dolphin and you will see.

This is not related to sudo. Access to your user account is sufficient.

Same thing. A malware as part of a botnet does not need to run as root. It can be easily implemented for a regular user and then attack remote servers.

That’s true, but for many attacks (if not most?) the first thing is to try to get root access, because it brings many more advantages for hiding and masquerading as services on privileged ports.

1 Like

Actually it is. If the attacker is not aware of the root password, or it is complex enough with sufficient strength then having a user which has the ability to do sudo without password really helps.

It does. Running as root helps.

Yep it does. Most malware seeks elevated privileges. Because it makes life so much easier for them. They also can set up persistence so that they can reinfect the system if required, hide their tracks of infection, set up nice values, etc.

This is true for Windows, Mac OS X, Linux and other OS too.

It is my understanding that ransomware attacks are not using root accounts but user accounts. I believe the same is true for most botnet agents.

Also, hackers most likely will not use sudo because sudo access is logged in the journal. And modern intrusion detection systems review those entries.

E.g.:

Mär 21 11:39:21 rakete sudo[9287]: matthias : TTY=pts/0 ; PWD=/home/matthias ; USER=root ; COMMAND=/usr/bin/pacman --sync -y -u --
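Parsing that journal line format into its fields and flagging the kinds of elevation a log reviewer would want to look at twice (a root shell, an edit of the sudo policy, or one of the GUI tools discussed in this thread). This is an added example, not code from anyone in the thread; apart from the quoted line, the sample entries are constructed, and the three command lists are assumptions chosen for illustration.

```python
import re

# Constructed sample journal lines: the first is the one quoted in the thread,
# the others are made up here for illustration.
SAMPLE_LINES = [
    "Mär 21 11:39:21 rakete sudo[9287]: matthias : TTY=pts/0 ; PWD=/home/matthias ; USER=root ; COMMAND=/usr/bin/pacman --sync -y -u --",
    "Mär 21 11:40:02 rakete sudo[9301]: matthias : TTY=pts/0 ; PWD=/home/matthias ; USER=root ; COMMAND=/usr/bin/bash",
    "Mär 21 11:41:17 rakete sudo[9320]: matthias : TTY=pts/1 ; PWD=/home/matthias ; USER=root ; COMMAND=/usr/bin/visudo",
    "Mär 21 11:42:30 rakete sudo[9333]: matthias : TTY=pts/1 ; PWD=/home/matthias ; USER=root ; COMMAND=/usr/bin/gedit /etc/hosts",
    "Mär 21 11:43:05 rakete sshd[9340]: Accepted publickey for matthias from 192.0.2.10 port 51234 ssh2",
]

# "sudo[PID]: invoker : KEY=value ; KEY=value ; ..." as journald shows it
SUDO_RE = re.compile(r"sudo\[(?P<pid>\d+)\]: (?P<invoker>\S+) : (?P<fields>.*)$")

# Kinds of COMMAND worth a second look, keyed by the binary's basename (assumed lists).
SHELLS = {"bash", "sh", "zsh", "dash", "fish", "su"}             # interactive root shell
POLICY = {"visudo"}                                              # edits the sudo policy itself
GUI_APPS = {"gedit", "kate", "nautilus", "dolphin", "thunar"}    # GUI tools named in the thread

def parse_sudo_line(line):
    """Split one sudo journal line into a dict of its fields; None for non-sudo lines."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    ev = dict(part.partition("=")[::2] for part in m.group("fields").split(" ; "))
    ev["PID"] = int(m.group("pid"))
    ev["INVOKER"] = m.group("invoker")
    return ev

def classify(ev):
    """Label what was elevated: 'shell', 'policy', 'gui' or 'ok'."""
    command = ev.get("COMMAND", "")
    binary = command.split()[0].rsplit("/", 1)[-1] if command else ""
    if binary in SHELLS:
        return "shell"
    if binary in POLICY:
        return "policy"
    if binary in GUI_APPS:
        return "gui"
    return "ok"

def review(lines):
    """Return (invoker, target user, command, label) for every sudo event not labelled 'ok'."""
    flagged = []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev is not None:
            label = classify(ev)
            if label != "ok":
                flagged.append((ev["INVOKER"], ev.get("USER", ""), ev["COMMAND"], label))
    return flagged
```

Running `review(SAMPLE_LINES)` flags the bash, visudo and gedit entries and leaves the pacman update alone; the sshd line is skipped as not being a sudo event.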

Once you get root, there’s nothing stopping you from cleaning/filtering the logs (or anything else).

1 Like

As well as Thunar. Maybe other FMs out there that support the admin:// protocol. (You can also set up thunar to right click a file and access it with root.)

1 Like

True but doing so could get one caught quicker especially if someone is constantly monitoring their logs. (Not by seeing what user did but by noticing chunks of log missing.)

1 Like

systemd uses “Forward Secure Sealing” to make this really difficult:

How frequently do you inspect your logs? I know I don’t too often unless I’m actually looking for something and more than 1/2 the time I grep for things.

1 Like