0

For Example

Is it safer to do:

  1. $ sudo [cmd] [args] [enter user password]

or

  2. $ su - [enter root password]
     # [cmd] [args]

I always assumed they are the exact same thing, because sudo utilizes setuid-root, so the process that is run as sudo's first arg is run with sudo's effective ID, which is root.

My question is: does sudo ever eventually drop its effective ID to the normal user's? In that case, number 1 above would be a safer bet, because IF the program/service that sudo is running is compromised by an attacker, then there is a chance that the attacker is not running as root, because the privilege has already been dropped (kind of like a race condition)? But compared to number 2, any program compromised while running as root is detrimental.

0x5929
  • 335
  • 4
  • 13

3 Answers

1

TL;DR: No.


Sudo is its own program (and as you note, it's setuid root) and it launches another program. The launched program inherits the UIDs, GIDs, etc. that sudo had at the time the launched program starts, but after that they are separate processes with their own PIDs and own UIDs/GIDs, and a change to one process' ID will have no impact on the other.

sudo [cmd] [args] starts a program (e.g. /bin/sudo), which runs as root and reads the sudoers file (/etc/sudoers) to determine what the current user (the one who invoked sudo, the "real" UID) is authorized to do. In typical user cases, the user will be authorized to perform the command only if they authenticate (either with their own password, or another); sudo will then prompt for, and validate, credentials. Once an authorized user is authenticated, sudo will fork (or similar call) to create a child process (with a new PID but the same permissions including UIDs and GIDs), and the child will launch the specified program (or script) with the specified arguments via the execve system call, which replaces the current process with the specified one but maintains its IDs.

No matter how long the new command - or indeed, the sudo command that spawns it - runs, it will not change its access or IDs as a matter of anything sudo does. It might edit its IDs on its own, if it's programmed to do so, but sudo is not (not once the new command starts; it might be able to do so in response to an argument or something in the sudoers file, before starting the new process?).

CBHacking
  • 40,303
  • 3
  • 74
  • 98
0

As far as I know, starting a service with sudo will run the service with root rights. These will not be dropped during the lifetime of the service.

However, if you use su root you switch to root user and every command you issue will be executed as root. This is something you should be aware of and not start other services which do not require root privileges. In that sense it might be 'safer' to use sudo. But that is more a user/administrator risk.

  • Well, one can su root, do what they need to do, and then exit root, but yeah. Is there any documentation that points to your answer? I’m not having any luck with that right now. – 0x5929 Apr 11 '20 at 09:31
0

You may want to take a look at the 'djb way'. You can use this method to start your process as root (for instance, to bind the service to a low-numbered port) then it will hand control of the process to the user you specify (e.g. a lower-privilege user) immediately after the process starts.

For more info, see: http://thedjbway.b0llix.net/daemontools/uidgid.html

mti2935
  • 19,868
  • 2
  • 45
  • 64
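
The two mechanisms discussed in the answers above, as an added C example (not code from any answer, from sudo, or from daemontools): a forked child keeps or changes its IDs independently of its parent, and a process started as root only loses root if it drops it explicitly. The function names `drop_privileges` and `child_drops_parent_keeps` are hypothetical, and UID/GID 65534 is assumed to be the unprivileged "nobody" account.

```c
#define _GNU_SOURCE /* for setgroups() */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to uid/gid; 0 on success, -1 on failure. Order matters:
 * groups and GID go first, because after setuid() away from root the
 * process no longer has the privilege to change them. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                 /* clear root's supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;                 /* never ignore these return values */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;                 /* root was regained: drop is not permanent */
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Fork a child that drops privileges. Returns 1 if the child dropped AND the
 * parent's own IDs are unchanged afterwards, 0 if not, -1 on fork/wait error. */
int child_drops_parent_keeps(uid_t uid, gid_t gid)
{
    uid_t ruid = getuid(), euid = geteuid();
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)                  /* child: same IDs as parent until it drops */
        _exit(drop_privileges(uid, gid) == 0 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 &&
           getuid() == ruid && geteuid() == euid;
}

int main(void)
{
    /* Assumption: 65534 is the unprivileged "nobody" account on this system. */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();
    int ok = child_drops_parent_keeps(uid, gid);
    printf("child dropped to %u:%u, parent still euid %u: %s\n", (unsigned)uid,
           (unsigned)gid, (unsigned)geteuid(), ok == 1 ? "yes" : "no");
    return ok == 1 ? 0 : 1;
}
```

Run as root, the child ends up as 65534 while the parent stays at UID 0; run as an ordinary user, there is nothing to drop and the function only confirms that root cannot be obtained.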