There is no real protection.
Password protected access to sudo harks back to an era before complex shell environments with commands executed by shims. Once the password has been submitted, there's a window of opportunity in which a shim can execute commands via sudo, without any notification, and with full system control.
If I was intent on access, I'd create a useful shim for bash and zsh and fish, etc. I'd monitor the commands executed. Shortly after a sudo has returned with a status of zero, I'd start issuing "sudo chmod +s /bin/sh" or other nastinesses.
The moment that sudo has been given a satisfactory password, and you have shells that run commands to get a prompt, you're potentially in trouble. There is no protection, other than optimism.
Other answers have focused on protecting the password. As an aggressor, I wouldn't worry about that. I'd focus on the duration after the password has been given, when a password is not needed. That's the most risky time, when the attacker needs to do least to compromise the system completely.
Protecting from it? You'd have to protect your RC files. Inspect any shims or other commands used in command line prompts. Look for co-processes connected to the shell and tools used to maintain the shell environment. Main defences would be host intrusion tools, but that's after-the-fact. Preventing attacks? Only using simple shells without complex automated configuration and active prompts - that's the environment for which sudo was developed.
I used to play games with other devs (1980's) where we'd try to write stuff that would get the terminal that the other dev was using, to insert commands - this is essentially the same problem. And we've made it much easier to embed tools that would do command insertion with no visible trace. :)
For an example of the kind of thing I'm looking for, see my answer. I'm hoping someone can elaborate on some of the security risks raised there (or any others they can think of), and provide ways of mitigating them.
– Zaz – 2014-08-13T13:23:02.383You ask for something like UAC or a secure attention sequence in Windows. Unixy systems don't have that. The way to go for (would be) admins is not to use their accounts for silly things. A couple of things you mention in your own answer can be guarded against with role based and mandatory access control systems such as SELinux or Grsecurity. There you can establish policies that non-root writable binaries cannot be executed, so no trojans at that level. Btw, if you don't trust X, then don't trust the system at all, for X runs with superuser privileges. – countermode – 2014-08-15T21:36:25.010
Thanks, I'd looked into SELinux, but it seems to be designed more for big installations, requiring a lot of time for the administration and setup; I was hoping for something a bit simpler. I'm a developer, so strict policies regarding running programs is not really an option either. – Zaz – 2014-08-15T21:49:20.137
"X runs with superuser privileges" — What? On a default install of X,
startx
works just fine as a normal user. In fact, I'm running X as a normal user right now. – Zaz – 2014-08-15T21:51:56.810Yes the learnig curve is steep. Have a look at Grsecurity, it is simpler but yet powerful. ~ Privileges of X: on my box the X server is SUID root and runs a root. – countermode – 2014-08-15T22:45:00.357