Sudo-rs' first security audit(ferrous-systems.com) |
Sudo-rs' first security audit(ferrous-systems.com) |
What a ridiculous finding.
I can try to steelman the argument. Sure, maybe "reverse engineering of the binary" is useless most of the time for an open source project because you can just look at the source code. But if there were hypothetically a memory corruption vulnerability in sudo-rs, then an attacker would want to identify the specific machine code corresponding to the vulnerable source, in order to determine how it could be exploited. That wouldn't be too hard to achieve without symbols, but symbols would definitely make it easier.
Except… even if the binary has symbols stripped, you can just `apt install sudo-rs-dbgsym`, or use debuginfod, to get the full debug info including symbols and DWARF records. Because distros provide that for all their packages. As a feature. To assist debugging.
Even if distros didn't distribute debug symbols, today's security best practices include reproducible builds, which means you should be able to rebuild the package yourself and get the exact same binary, plus the symbols.
So while it might save a tiny bit of disk space to strip the symbols, the security benefit is absolutely nil.
…Well, in theory anyway. In practice, Debian's sudo-rs package seems to be missing both a dbgsym package and reproducible build info. But that's a bug!
The reported property does make the attacker's job slightly harder, after all, since they need to go and work out where the symbols are rather than just having them right there in front of them.
Well, that’s why binary randomization/fuzzing is an important security research topic. If everyone would be running semantically identical, but not binary-identical programs, a ROP-based vulnerability would not be able to spread across computers, or in absence of the correct binary on the target device, it would be infeasible.
Something like
apt-get download sudo-rs-dbgsym
mkdir -p ~/tmp/
dpkg -x sudo-rs-dbgsym.deb ~/tmp/
It seems like this was picked to end up with 3 vulnerabilities so the security researchers can feel they did a complete job.
OpenBSD's doas is 108 lines of C. sudo and doas are not equivalent in functionality, but it shows how simple things can really be.
https://github.com/openbsd/src/blob/master/distrib/special/d...
CLN-001: relative path traversal vulnerability (moderate)
During the audit, it came to light that the original sudo implementation was also affected by this issue, although with a lower security severity due to their use of the openat function.
It's almost as if changing to an entirely new programming language and ecosystem isn't enough to make a secure application, and that you still have to try hard to secure it, regardless of the language.
How interesting.
Has anyone argued that switching to Rust alone is sufficient to stop all security vulnerabilities?
Has anyone suggested that switching to Rust means you no longer need to do any work to write secure applications?
It seems to me you're arguing against a totally self-constructed straw-man.
The fabulous article mentions that, “sudo-rs only has 3 dependencies in its dependency graph” so maybe they could trade loc for deps but that doesn’t seem wise to me.
The audit found one moderate path traversal vulnerability which was also present in og sudo, so I’m not sure how your suggestion could be made practical.
All of it. Seriously. doas demonstrates that sudo's primary function (running commands as another user) can be achieved in an order of magnitude less code and a significantly smaller attack surface.
90% of people don't need more than that, they don't need all the bells and whistles that sudo offers. We aren't in the 90s running on mainframes anymore.
As an aside, doas and sudo are conceptually broken from a security POV because the user's shell can be played with to elevate privileges. The real fix is dump doas and sudo entirely.
The real question is, do you really need everything that sudo can do? Or would doas be sufficient?
On my FreeBSD servers, I install doas instead of sudo, and I have never once found myself missing any features in spite of having completely replaced sudo with doas on my FreeBSD servers.
Replaced as in, I no longer even have sudo installed on my FreeBSD servers. I switched from sudo to doas cold turkey years ago and haven’t looked back.
(On Linux I still use sudo, but that is simply because it comes pre-installed on the Linux distros I use so I haven’t bothered to install doas instead there.)
doas does exactly what I need; run the following command as root.
I more surprised an os would let you make a user with "../../" in the name though. I'd bet a heap of things would break. A while back I saw a guy name his windows desktop with an emoji and all sorts of software fell over.
Still just a tidy 1072 lines in that folder though.
I spent 5 minutes staring at your file trying to understand how on earth it does the things in the man page, but of course it doesn’t.
However, there are about six billion* things in existence right now that use sudo, so it’s a good idea to make sudo safer as well.
* rhetorical statistic
What is all the complexity? What is all the extra functionality that sudo offers?
The "Examples" section of the sudoers(5) man page is probably a good place to start to get an idea of the sorts of ways it can be configured
https://manpages.debian.org/bookworm/sudo/sudoers.5.en.html#...
Simple isn't always better.
I agree, but the goal of this particular project is to make sudo as safe as possible. Within the stated goal, I don’t think significant LOC reduction is a feasible side quest.
Evangelizing the removal of sudo entirely is an interesting thought but given how widely deployed it is, I see a ton of value in having a sudo-rs stopgap between now and then.
Could you elaborate on this?
This is a real security topic, don’t handwave it away without knowing about it.
ASLR is a real technique that can make targets harder to pop on the first try, giving you time to detect the problem. It does not prevent bugs from being exploited, at least not reliably and for long. This is not a real security topic, this is minor roadbumps, urban myth, and quackery.
You can, starting from essentially scratch, also create a vulnerability for a separate instance, but it literally stops the spreading of a same malware exploiting multiple computers. How is that not security, and just obscurity? Is this not a valid threat model?
Presumably all of it was written in languages built on old assumptions that a single character is one byte.
There may be protections at some levels, but eventually a username is just an entry in a database. Admittedly, you do have to be on the other side of the airtight hatchway to do it, but modifying a line in /etc/passwd to have the field before the first ":" be "../../" is something the os can't really do much about once it's there.
You got me curious so I checked arp -a which shows host name as a ?. Nmap also isn’t able to resolve the emoji name, neither is host, and I don’t think dns-sd either, though my mdns-fu is poor. I did test Terminal.app and I can echo an emoji so I’m guessing this is mostly a limitation of some of the ancient bsd utils that are packed with macos.
Thanks for the little rabbit hole!
A sort of workaround is that you can log in as the desired user from a TTY. Of course, this gets tricky if you don't have physical access or a remote serial connection. And you probably wouldn't want to log in as root over SSH. I don't have real solutions in mind but it's ticking over in my head. Might have some ideas later on.
Not that heavy a lift, at least as a default. AIUI Alpine switched to doas and moved sudo to the community repo, Arch supports both, Void supports both, and NixOS supports both. I wouldn't be surprised if there are more. Although, RHEL and SUSE would probably have a harder time because their customers are more likely to use sudo's long tail of features.
Not something "most users" would need - and probably handled in Pam, not sudo - but it's one thing that comes to mind.
It's a complex topic probably best suited for discussion elsewhere, but do we even need to discern that anymore? Statistically most Linux systems running now are single-seat (as in, one real user).
A big corp with thousands of servers and employees might want to know this stuff for audit logging, but if employees have root access, they can already fake everything at ring 3. Big corps use security software that do that stuff in ring 0.
The main usecase of sudo over su (or suid binaries) is limited access (clear/re-run the mail queue - not reconfigure the mail daemon)