
On Passwordless Sudo

2024/06/08

sudo is obviously kinda important for Linux users. You're asked for your password & you get to run commands as root; you then don't even get asked for your password for a while. There is... not much to it.

You can also get it to not even ask you for your password. Which is... less secure, right? Since with the prompt in place, even if someone somehow hacks their way to a shell prompt on your machine, they can't gain root access since they still don't know your password!

Do we actually need the password?

It all depends on your threat model.

For the supposed case of an "attacker who takes over your keyboard while you're away", or one who hacks their way into just your user account... yes, they can't get root immediately if sudo asks for a password. In practice though, if they're reasonably determined, they can just alias / replace sudo with a malicious program of their making that asks for it, saves it to a text file / sends it out via TCP / etc... and the next time you run sudo, you happily give said password to them.

In fact, this could be worse than useless: they now have not just root but also your password; this could be concerning if said password happens to be similar to your other passwords on completely different systems. (If, on the other hand, you expect sudo to just hand you root without questions, how are they going to get you to type it in?)
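The trick above works because your shell decides what "sudo" means before the real binary ever runs. As an added example (not from the original post), this script checks what a PATH resolves `sudo` to and lists rc-file lines that redefine it; the function names, the `audit` argument, the rc file list and the "genuine sudo is setuid-root" test are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the two places an
# unprivileged account can redirect the word "sudo": PATH and shell rc files.

# Print the first executable named $1 found in the PATH-style string $2.
first_in_path() {
    name=$1; old_ifs=$IFS; IFS=:
    for dir in $2; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the current dir
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# Verdict on the sudo that PATH string $1 resolves to; returns 0 if it looks genuine.
# Assumption: the real sudo is owned by root and setuid, which a file planted
# from an unprivileged account cannot be.
check_sudo_binary() {
    target=$(first_in_path sudo "$1") || { echo "MISSING: no sudo in PATH"; return 1; }
    # Owner uid: GNU stat takes -c, BSD/macOS stat takes -f.
    owner=$(stat -L -c %u "$target" 2>/dev/null || stat -L -f %u "$target")
    if [ "$owner" != 0 ] || [ ! -u "$target" ]; then
        echo "SUSPICIOUS: $target (owner uid $owner) is not setuid-root"; return 1
    fi
    echo "OK: $target"
}

# Print (with line numbers) lines of rc file $1 that define an alias or shell
# function named sudo; returns 0 if any exist. These need a human look, since
# some people alias sudo on purpose.
rc_redefines_sudo() {
    grep -nE '^[[:space:]]*(alias[[:space:]]+sudo=|(function[[:space:]]+)?sudo[[:space:]]*\(\))' "$1"
}

# Audit the live account only when invoked as: sh check_sudo.sh audit
if [ "${1:-}" = audit ]; then
    check_sudo_binary "$PATH"
    for rc in "$HOME/.bashrc" "$HOME/.bash_aliases" "$HOME/.profile" "$HOME/.zshrc"; do
        if [ -f "$rc" ]; then rc_redefines_sudo "$rc" | sed "s|^|REVIEW $rc:|"; fi
    done
fi
```

In an interactive shell, `type -a sudo` also shows aliases and functions that are already loaded, which a scan of rc files can miss.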

All this on top of the question neatly demonstrated by the relevant xkcd episode: do we even care about root? As the main (typically only) user, you already have access to all important data, browser sessions, etc.; is there even a meaningful difference between this & "full system access"?

Some counterarguments

Oddly enough, even if you have full sudo rights, it might still protect you from:

The first one is relatively rare with free software (since you're installing packages via the package manager anyway); it's still useful though that some questionable installer will have to ask for your password before trying to throw random files into /usr/bin. (If you really don't trust it, you might want some more powerful sandboxing solutions though?)

Meanwhile, there is a certain enlightenment to be had after typing sudo shutdown -h now into your laptop, getting the password wrong 3 times in a row (despite trying real hard for no typos the 3rd time), only to realize that this was an ssh session into The Production Server.

(Yet again assuming that you have different passwords for your laptop and The Production Server.)

What's the point though?

In the end though, what's the difference between typing

sudo vim /etc/apache/httpd.conf

... and typing a password (once!), and

sudo vim /etc/apache/httpd.conf

... and not typing it even once?

The main point is that, if you have sudo rights, there is no particularly magic difference between running something as root & running something as yourself. The "security" boundary is mostly there to help avoid accidental misconfiguration; you likely shouldn't rely on it for Actual Security anyway.

But also... using sudo that asks you for a password forces you to use terminals.

Despite you not wanting to use terminals.

Which then gives rise to ideas like...

... why even sudo?

If your workflow happens to be about using one editor instance and configuring it for maximum efficiency, then having to revert to a default vim config each time you need to do something in Magic Root-Land is somewhat annoying.

If you have passwordless sudo enabled, you can just use said editor to run one-off commands quickly, without getting stuck on the interactive part.

But also... if you just want to edit your web server config on a remote server...

... why not just chgrp all the configs to your One User? And edit them with your favorite text editor? Without ever elevating permissions? After all, you don't really need to protect them from yourself especially hard.

(Also, Emacs has a major mode for Apache configs!)