My most recent mini-adventure with sudo was on the Steam Deck; with OS updates, everything (or at least most?) of what's outside of your home directory is replaced. (In fact, you have to manually opt into being able to write to those directories at all, e.g. to use the system package manager instead of flatpak, by running `sudo steamos-readonly disable`). There are a couple sudo settings I change from the defaults, and because `/etc/sudoers and `/etc/sudoers.d/` (as in the entire directory) were restored to the base versions, my custom settings don't get preserved when updates occur. However, I was surprised to find out that using `visudo` to try to update the settings wasn't actually causing the settings I changed to take effect, which I eventually tracked down to some extra configs getting shipped by the base system in `/etc/sudoers.d`. I looked up what the precedence rules are for sudo rules, and apparently the rule is that anything in `/etc/sudoers.d/` will override `/etc/sudoers`, and the files in `/etc/sudoers.d/` are evaluated in lexigraphical order.
That's how I got where I am today, with a file called `zzz` that I copy into `/etc/sudoers.d/` every time there's a system update.
There's probably a way you can just set it and forget it with overlayfs.
OpenWRT solved the problem of updates via immutable firmware image flashing while maintaining customizations 15 years ago using it.
You don't need to elevate privileges if you give things the right privileges from the start.
Sudo is just a hack to avoid setting up proper capabilities / permissions in the first place.
I am the owner and only user of the computer. Does that mean I should run everything with root? Of course not. It’s simply better to start with little privileges and then elevate when needed. Using any additional privileges should be an intentional act. I also do it the other way: reduce my privileges via sudo -u nobody.
No, you should run every program with only the privileges it needs. The very concept of running your programs with all your privileges as a user by default is wrong-headed to begin with. To strain the "user" model you should have a distinct "user" for every single program which has only the resources and privileges needed by/allocated to that program. The actual user can allocate their resources to these "users" as needed. This is a fairly primitive version of the idea due to having to torture fundamentally incompatible insecure building blocks to fit, but points in the direction of the correct idea.
The root account shouldn't exist either. Having god accounts is a bad idea security wise. Instead everything should follow the principle of least privilege.
The problem is how do you set up those permissions without a god object? How do you fix ones that are broken on a running system?
Ultimately the security systems that introduce high complexity in the name of fine grain permission controls end up being the most fragile and hardest to verify. People get stuff wrong then break it further trying to get their job done. The better system is sometimes the one that doesn’t have all of the features but is comprehensible to humans.
>how do you set up those permissions without a god object
Let the operating system define default granted permissions for OS apps.
Have the OS let the user grant permissions at install / runtime for apps.
If an app requires a permission, how does OS know that it's OK to grant it? For example, I want to backup my system, so I install app which needs a permission called "bypass any file access control and let me read every file". How does OS know it's legitimate and not malware trying to steal data?
It could be "this requires special digital signature from OS manufacturer" -> then the private key of this digital signature is a "god object"
It could be "this requires confirmation from the physically present user" -> then you basically have passwordless sudo
It could be "this requires users pin/password/biometrics" -> then you have regular sudo
Either way, there is some source of authority in here, even if it's called "root key" or "user pin" instead of "root account".
>then the private key of this digital signature is a "god object"
You could instead require the app to be part of the OS. The next gotcha would from you I imagine is that the build farm for the next OS update is a god object and at that point I think this is a meaningless tangent. I'll concede and say you have to trust your OS creator. But you always have to trust your OS creator for any OS.
>then you basically have passwordless sudo
If sudo couldn't be used from other programs / she'll scripts and doesn't give access to a god account, but instead did simple things like let you use ping, then that seems fine to me. But why require people to manually wrap programs when it could be handled automatically.
>Either way, there is some source of authority in here
Sure, but it's a system that's much better than sudo.
> Letting the operating system define granted permission for OS apps.
We're heading that direction right now, and it will be the OS vendors who decide what programs you have permissions to run and which ones you can't.
That's a concept that HN seems to detest.
Selinux and AppArmor?
Android has it figured out too.
Have you ever tried to fix an application that was getting denied based on SELinux policies? It's a cryptic nightmare. You run a tool that gives you some magic string and hope that it works because nobody really understands what's going on. If that doesn't work you're in a world of pain. Almost as bad as Microsoft's ACLs.
If you have a privilege to replace the kernel or bootloader, you effectively have all privileges on that system. Therefore, there's no need to complicate the access limitations when you get full access anyway.
I own the computer. The least privilege I have encompasses every privilege.
You could own a microwave, but there doesn't have to be a button that makes it run with the door open. The UI of devices doesn't let just anything happen. Similarly an operating system doesn't need to make accessible a way to do everything to the user.
I instinctually agree with nkrisc, but this is an interesting line of thought.
What's an example of something that nobody should be allowed to do e.g. on a laptop? If I buy a system with OS stuff set up from the get-go. What abilities do you withdraw from the user?
>What's an example of something that nobody should be allowed to do e.g. on a laptop?
Clearing required efi variables, bricking the motherboard.
"an operating system doesn't need to make accessible a way to do everything to the user"
Microsoft and Apple both seem to think this way. Questionable results.
> You could own a microwave, but there doesn't have to be a button that makes it run with the door open. The UI of devices doesn't let just anything happen.
And where is the UI capability that prevents microwave users from putting liquids (e.g. grape juice) that generate plasma storms inside the microwave and often result in fires? Or, as a bonus, crinkled foil.
To state the matter bluntly – the entire diatribe concerning the system’s role in defining capabilities is as constructive as insisting that every computing device and appliance on the planet must implement B2-level RBAC and capability-based controls – an argument so unmoored from practical reality that one wonders whether its proponent has ever been burdened by implementation.
The UI is missing because the law doesn't require it. That's why it's possible to by tablesaws without a SawStop like safety mechanism despite it being superior to have (ignoring price). Some people will choose the cheaper and less safe option because they don't value safety as much.
You should read over NIST 800-53 AC-2 and AC-6. They go over why privileged accounts are important, why they are used, and how they protect users and organizations.
JIT access should be the goal.
Scroll down to: Implementation Guidance
https://csf.tools/reference/cloud-controls-matrix/v4-0/iam/i...
>JIT access should be the goal.
Individual privileges for specific things should be given access to instead of giving god access to a system.
I hear what you are saying but many, many people who have dedicated their life to this topic disagree with you. Onions have layers for a reason.
RBAC by nature requires a Creator. ZeroTrust networks still require gateways.
This sounds good in theory, but in practice it doesn't work. You always end up with an object that has all the privileges.
Which is a well known anti-pattern. https://en.wikipedia.org/wiki/God_object
Every time somebody wants to do something in Linux and they mention Objects, I turn around and go the other way.
These people still do not understand why that userspace became so powerful and so useful.
I also think that's the "solution", which is to craft a new optional userspace experience that leaves traditional unix strings and pipes alone. It's not for me, but I'm sure many would like it. I mean, look at PowerShell on Linux :/
That's functionally equivalent to using sudo but only allowing a certain shell script that's a wrapper for what needs to be done by a given user (to avoid the whole syntax mess). But somehow with more boilerplate.
What's missing in this writeup is if/how capsudod can be configured to drop/acquire capabilities (in the capabilities(7) sense, in a namespace sense, or using openbsd's pledge(2)) before executing the command. From looking at the code it seems to rely on filesystem permissions to access the capsudod socket; when in order to make mounting USB drives actually safe via this kind of permission proxying method, you'd want to only give it very limited access to operations, like only the ability to make the mount(2) syscall. I generally agree, this is sudo in a different format and with a daemon; perhaps that's better. And it's written in C, which doesn't speak to avoiding the classic C-related privilege escalation risks (although this is a small amount of code compared to sudo).
If I'm a user who's been given access to run such a wrapper script via sudo, how do I further delegate that access?