
If I get hit with malware while performing daily tasks (e.g. checking email, web browsing, etc.) with a root shell, the malware will own my machine.

If the aforementioned occurs whilst on a standard account with the ability to run sudo, the malware will be limited to whatever privileges this account has without sudo.

What if the malware had the ability to log keystrokes? Would it not just capture the password the next time I elevate my privileges with sudo, thereby gaining the ability to become root? Do I have this wrong? If not, I think it would be safer to create another standard account without the ability to use 'sudo' and use that for my daily tasks. Is this common?

OTM

1 Answer


You definitely have the right idea. The thing is, sudo isn't really meant to protect you in what is essentially a single-user environment. When I say "single-user", I don't mean that Linux doesn't understand the concept of different users, because you certainly have more than a dozen different users on your machine right now; I mean you are most likely the only real person using your machine.

Home vs. Enterprise Environments

In what I call a "home" environment, a machine either only has one person using it, or possibly a couple (think "family computer"), but splitting people into users is more a convenience thing. Dad, who uses the machine for work primarily, doesn't want to be bothered by countless games being installed on the machine. Likewise, the son doesn't care about all the work documents, he just wants to play games.

In an enterprise environment, it's very likely that some server has hundreds of user accounts registered, all with different roles and permissions. This is the environment sudo was created for. You don't want to give everyone permission to execute everything as root, so just using su is a bad idea. Perhaps you want Alice to be able to do that, but Bob is only allowed to run /sbin/mcguffin as root via sudo. All of this can be set up via the /etc/sudoers file.

Privilege Escalation of Malware

There are several ways malware can escalate its privileges. For example, if you've recently used sudo, and then invoke it again, you will see that it won't ask you for your password. This is because sudo can be configured (and on many systems, this is enabled by default) to use "tickets", which essentially enables you to use sudo without typing your password for a short period of time. If you currently have a valid ticket, then malware can simply use this ticket to perform a task as root and there is not much you can do about it.

Another possibility, as you correctly recognized, is monitoring keystrokes. While I am not 100% sure if a compromised browser would allow you to monitor keystrokes in general, there is a different option: Modifying the user's shell environment to run a wrapper around sudo. Essentially, when the user tries to use sudo, they actually run the script provided by the malware, which logs the password and then uses it to run sudo on behalf of the user. To the user, this process is transparent (unless they set up /etc/sudoers to use the NOPASSWD directive, in which case the malware doesn't need passwords in the first place).

In essence, as a single user, you don't really get any protection from sudo.

Possible Mitigations

One possible way to mitigate this is to create a separate user account, which does not have sudo privileges. Depending on your workflow, you may even simply automate all tasks which require administrative privileges, such as installing system updates. However, if you frequently have to switch between a privileged and non-privileged account, it may be possible for malware to get the credentials to the privileged account, which renders this approach only marginally better.
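As an added example (not part of the answer above), here is a small POSIX shell script a defender can run from a login script or cron job to check for the two conditions the answer describes: a `sudo` wrapper inserted through the shell environment (an alias, a function, or a user-writable PATH entry searched before the real binary) and sudo ticket caching, which a sudoers `timestamp_timeout=0` setting turns off. All file names, the PATH value and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: defensive checks for sudo wrappers and cached sudo tickets.
# Nothing here is taken from the original answer; sample inputs are constructed.

# Print (with line numbers) any line in a shell startup file that redefines
# `sudo` as an alias or a function. Such a definition wins over the real
# binary in the shell's command lookup, which is how a wrapper is inserted.
find_sudo_overrides() {
    grep -En '^[[:space:]]*(alias[[:space:]]+sudo=|function[[:space:]]+sudo([[:space:]]|\{|$)|sudo[[:space:]]*\(\))' "$1"
}

# Print the PATH entries ($1) searched before the directory holding the real
# sudo ($2, e.g. /usr/bin). Any entry a user can write to lets a fake `sudo`
# be found first; empty or relative entries are called out explicitly.
path_entries_before() {
    echo "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ "$dir" = "$2" ] && break
        case "$dir" in
            '')            echo "(empty entry: current directory)";;
            .|./*|..|../*) echo "$dir (relative)";;
            /*)            echo "$dir";;
            *)             echo "$dir (relative)";;
        esac
    done
}

# Return 0 when a sudoers file disables ticket caching (timestamp_timeout=0),
# 1 otherwise. With tickets off, every sudo call prompts for the password, so
# no other process can ride on a ticket left behind by an earlier call.
tickets_disabled() {
    grep -Eq '^[[:space:]]*Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*0([[:space:],]|$)' "$1"
}

# Constructed sample inputs (illustration only; not real system files).
tmp=$(mktemp -d)
cat > "$tmp/bashrc" <<'EOF'
export EDITOR=vim
alias sudo='/home/alice/.local/bin/sudo'
EOF
cat > "$tmp/sudoers" <<'EOF'
Defaults env_reset
Defaults timestamp_timeout=0
EOF

echo "== sudo overrides in $tmp/bashrc =="
find_sudo_overrides "$tmp/bashrc"
echo "== PATH entries searched before /usr/bin =="
path_entries_before "/home/alice/bin::/usr/local/bin:/usr/bin:/bin" /usr/bin
echo "== sudo tickets disabled? =="
if tickets_disabled "$tmp/sudoers"; then echo yes; else echo no; fi
rm -rf "$tmp"
```

The sudoers check only reads the file you point it at; on a real system, `sudo -l` reports the effective settings without you having to parse `/etc/sudoers` or its includes by hand.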

  • Thank you for the insightful reply. Your point regarding sudo being particularly geared for multi-user environments makes a lot of sense as it establishes accountability and provides a means for the granular assignment of privileges that can be exercised with sudo per user/group. It seems as if browsing the web with a Linux machine might be safer when compared to using a Windows machine due to fewer exploits being available for the latter OS. I'm hard pressed whether I should use Windows with DAG + AV or Linux for my daily tasks. I prefer Linux but if the former is safer, so be it. – OTM Aug 11 '21 at 13:26
  • @OTM Generally, web attacks usually focus on web targets (user accounts, etc...). Attacks against browsers leading to remote code executions are less likely, and may affect all operating systems. Saying "This OS is more secure than that OS" isn't really meaningful. –  Aug 11 '21 at 14:09
  • "latter" should be "former" in my last comment. – OTM Aug 11 '21 at 14:14