Why do you need to enter a password in sudo?

If a

This is a personal work environment. ^one
You're not paranoid enough to get things done:
- All programs run from your user. ²
- / home is mounted without noexec. Although it almost does not help and is not very convenient in most cases, but if you have it, you have the prospect of going far in this way, like a good paranoid.
You regularly administer the system from under your user (using the same sudo). ³

Work environment

The work environment is the potential source of infection that we want to isolate from the rest of the system. In addition to protecting against targeted evil, lowering privileges in it (what is called “do not work as root”) saves from cruel mistakes and poorly written programs that root may not forgive.

Actually, not asking a password, sudo does not interfere with typo protection (unless, of course, you don’t have an unpleasant reflex to immediately reprint this unworked structure with sudo), software is also not usually accustomed to using sudo on its own, so the only thing that “clarifying” the password helps - malicious viruses and intruders, aiming to set your entire system on your knees.

Once again about isolation

Isolating the user shell (the place where you enter sudo, and then your password into it) from the user himself - the place where the infection lives - is a non-trivial task and, moreover, is not the easiest in the form in which it is delivered. A much simpler way is to launch potentially unreliable programs, such as a browser, and for especially paranoids, a client's torrent and even an office suite — any programs that work with external data — in a separate environment (as an individual user and / or even in chroot). But most of the readers, probably, were not interested in such rather expensive constructions.

If you go the hard way

You can separate the configuration and launch of the shell from the user: set the restraining rights on the .bashrc and on the config of the application from which you run bash and then linearly recursively to the window manager (non-inclusive).
')
Actually, a complex, but non-exhaustive system. Although, perhaps, it will repel a not-so-persistent attacker :)

And what, without isolation it is impossible?

It is enough for an attacker to write in sudo alias on .bashrc and you will blindly enter your ht7Qxfc8 almost directly into irc of some unfriendly comrade, although I have not heard cases of automated use of such tools, but the automation of this approach has even greater prospects than attempts to use sudo without a password, as it is suitable for the user of the most popular distribution .

It's time to stop entering the password

In general, it’s time to either move to a new level of paranoia (beyond the scope of this article), or stop being afraid of the working environment and agree that obtaining privileges in it is equivalent to obtaining root privileges in the system. And change the config.

what to change

somewhere deep in the config

Let me remind you that sudo checks only the authenticity of the source user, that is, regardless of the availability of NOPASSWD :, users from the specification have an unconditional right to the described elevation of privileges.

It was
%wheel ALL=(ALL) ALL

has become
%wheel ALL=(ALL) NOPASSWD: ALL

% wheel - a group of users who are granted this right.

The type of record can vary greatly, the most important thing is the place for NOPASSWD: it is before the last ALL on the line of interest. (either this way or you probably already know where it is :)

You can also try to edit this config to use the recommended visudo , which, among other things, is subjected to a preliminary syntax check.

Important exception to the rule

There is a person behind you who wants to check this perl script .
This person knows a joke about sudo make sandwich .
In spite of the previous two points, you leave the workplace without leaving the lock screen.

Source: https://habr.com/ru/post/209540/

All Articles