This question is actually not Ubuntu-specific. My understanding is that sudo is to prevent non-authorized users from doing administrative and other potentially harmful operations. The premise is that someone is here in front of my PC using it... or maybe remotely (but in that case they should know my login password to connect to the computer, and this is usually the same as my sudo password...). So someone is in front of my PC and she cannot delete certain important files or dirs or install harmful software without knowing my sudo password, but she can do a lot of other harmful and privacy-violating things without sudo. So, wouldn't it be better to instead ask for admin privileges each time before opening the file manager or the terminal? I know this may be time-consuming and exhausting...

The question is confusing. If a bad user can do what-you-consider-to-be damage without sudo, then how is that related to a question about asking for sudo password more often? – user535733 Jul 05 '17 at 21:12
Because he could not use my file manager, nor the terminal, without sudo. I.e. he could be much more limited in the damage he can do. – A. N. Other Jul 05 '17 at 21:39
5 Answers
First off, you need to understand the concept of users in Linux, with special regard to the root user. In order to keep this answer below the character limit (and on topic), I'd suggest you read this page followed by this one. Really, all you need to know is the following:
Linux is a multi-user operating system with each user having limited power and scope as defined by their user group. Every Linux system has something called the root user (UID 0, also known as the superuser), who is the total and completely authoritative administrator. root knows all, root sees all, root controls all.
The concept of sudo came from the old UNIX command su (from switch user), which allowed any user to log in as any other user on the system. Anyone with administrative privileges would type su root (or just su) to escalate to the root user for any admin task. This, regrettably, had a few problems. In systems with multiple admins, everyone shared the root password. Meaning, if an admin left the company, the root password would need to be changed and redistributed to all of the other administrators. This can be extremely time-consuming at times, and otherwise just be a great pain.
Now, enter sudo. sudo works on a different principle. Instead of requiring users to know the root account login, sudo would be used to allow users to escalate themselves into the root account (or any other account, for that matter) based on the rules of the /etc/sudoers file. Now, revoking or adding an administrator is simple -- just add or remove a user from a group or the file. Because of this, the root account can be "disabled", thereby blocking access to anyone except actual admins.
For almost all cases, this is all sudo is used for. It grants root power to administrators (members of group admin or sudo) based on the rules defined in /etc/sudoers.
(Un)intentionally, this also comes with a massive security benefit. Administrators can run in an unprivileged mode just like any other user. They can then escalate or "enable" administrative privileges when they're needed, and revoke them immediately afterwards. Usually, this is only used for a single command (e.g. sudo apt install cowsay), but it could also be a full-blown root shell.
This isolation in turn also protects the system at large (remember, *NIX was originally a multi-user environment used by many people) from malicious code executed from an admin's account, be it through malware or someone logging on to an admin's active terminal. Similarly, sudo allows every admin action to be logged and reviewed at any time. Contrast this to the old su method, where you realistically had no idea who ran what command.
Also, based on the permission model of Linux, sudo can prevent a user from making potentially dangerous mistakes like accidentally uninstalling a critical program, erasing a hard drive, or any other number of nasty things that should never be done without some confirmation.
TL;DR:
Really, sudo is just a (very useful) holdover from the true multi-user environments of old *NIX installations. However, it still retains its usefulness by protecting the system from malware or session hijacking. In typical *NIX mentality, protection of the admin's actual account is an exercise left to the admin.
If you're worried about someone sitting down at your computer while you're away and messing with your privacy, just lock your screen/session. Even so, physical access is a killer.

"They can then escalate or "enable" administrative privileges when they're needed, and revoke them immediately afterwards" This is the bit I've found most confusing. I'm never asked for a password when I prefix with sudo. So why can't hostile scripts prefix everything with sudo? – Richard Tingle Jul 13 '19 at 11:28
@RichardTingle You probably have NOPASSWORD set to be on, which will remove the requirement. If you were to run a malicious script that does have everything prefixed with sudo, you would be cleaning up a security incident - but you shouldn't run scripts you don't trust anyways. – Kaz Wolfe Jul 13 '19 at 17:44
ah, that makes more sense. I largely work with ephemeral docker images so perhaps the lower security settings make more sense there – Richard Tingle Jul 13 '19 at 22:37
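Kaz Wolfe's point that sudo lets "every admin action be logged and reviewed" is easy to check on a real system, because each invocation is written to syslog (on Ubuntu, /var/log/auth.log or the journal). The script below is an added example, not code from the answer or from the sudo project: a small POSIX shell script that reads sudo's syslog-style lines, separates successful escalations from refused attempts, and summarises both. The log lines are a constructed sample embedded in the script (invented host name, users and commands) in the format sudo writes by default; pass a file path to the functions to run them over a real log instead.

```shell
#!/bin/sh
# Added example: summarise sudo's syslog entries (the "who ran what" record
# the answer describes). The sample below is constructed; the host name,
# users and commands are invented and do not come from any real log.
SAMPLE_LOG='Jul  5 21:10:01 pc sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt install cowsay
Jul  5 21:11:30 pc sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jul  5 21:12:07 pc sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
Jul  5 21:13:45 pc sudo:      bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/rm -rf /srv/data
Jul  5 21:14:02 pc sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=www-data ; COMMAND=/usr/bin/ls /var/www'

# Emit the sudo lines of a log file, or of the constructed sample when no
# file is given (on Ubuntu the real file is /var/log/auth.log).
sudo_events() {
  if [ $# -gt 0 ]; then grep ' sudo: ' "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# Successful escalations as "caller target-user command", one per line.
# A successful entry has "TTY=" right after the caller's name; refused
# attempts carry a reason there instead.
sudo_successes() {
  sudo_events "$@" | awk -F' ; ' '
    $1 ~ / : TTY=/ {
      caller = $1; sub(/.* sudo: +/, "", caller); sub(/ : .*/, "", caller)
      target = ""; cmd = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^USER=/)    target = substr($i, 6)
        if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
      }
      printf "%s %s %s\n", caller, target, cmd
    }'
}

# Refused attempts as "caller \"reason\" command": wrong password, or a user
# that no sudoers rule covers. These are the lines worth alerting on.
sudo_failures() {
  sudo_events "$@" | awk -F' ; ' '
    $1 !~ / : TTY=/ {
      caller = $1; sub(/.* sudo: +/, "", caller); sub(/ : .*/, "", caller)
      reason = $1; sub(/.* : /, "", reason)
      cmd = ""
      for (i = 2; i <= NF; i++) if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
      printf "%s \"%s\" %s\n", caller, reason, cmd
    }'
}

count_sudo_successes() { sudo_successes "$@" | wc -l | tr -d ' '; }
count_sudo_failures()  { sudo_failures  "$@" | wc -l | tr -d ' '; }

# Stand-alone run over the constructed sample.
echo "successful escalations ($(count_sudo_successes)):"; sudo_successes
echo "refused attempts ($(count_sudo_failures)):";        sudo_failures
```

On the sample this reports three successful escalations (two by alice to root, one by bob to www-data) and two refusals (mallory is not in sudoers; bob failed the password check three times). The refused lines are the ones a reviewer cares about: they show an attempt to use privileges that the rules or the password check did not grant, which is exactly what the su model could not tell you.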
What I can understand as a noob sysadmin is that sudo is a painful way to prevent you from accidentally doing something stupid to your server. Like if you log in as root, you can accidentally delete system files (rm recursively) and that's it! But if you do that under a standard user, you won't be able to and will be prompted with "Permission denied".
So, to be safe, log in as a standard user and do your stuff. If you need to do something heavy to your system, use sudo.

The user space does not have access to core system files; this keeps malicious code such as viruses and rootkits from installing themselves.
The sudo command gives the person at the keyboard root access so s/he can modify the installation.
There is little you can do to protect from someone sitting at your computer with your password.

sudo has a specific purpose: It allows authorized users to escalate their current privileges in a controlled way. The practical impact of that depends on how you are using privileges in your system. Typically, users don't use privileges to silo their data, so sudo doesn't protect that data.
However, if you really wanted to, you could use sudo to protect more things; for example, you could create another user account that exists just to run your web browser, which would mean that no one using your normal account could access your cookies or cache without going through sudo. You could create still another user for editing office documents to protect them from changes made by your normal account. And so on. This generally isn't done because it's a big inconvenience for minimal benefit, but it's possible to do if the data is sensitive enough.
The other point is that these privileges apply to all programs across the board. Restricting access to the terminal and the file manager would not protect against unauthorized changes made via a word processor (say I load up some of your recently edited documents and delete all the text), but if the logged in user doesn't have permission to view or edit the files, then no program can edit them without sudo, regardless of whether it's a terminal, file manager, or other.

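The boundary Hyperion describes (a second account for the browser or the office documents, with sudo as the only way across) only holds if the files' permission bits actually shut the other account out. The script below is an added example, not code from the answer: a POSIX shell script that finds the files and directories under a tree that any other user on the machine could still read or enter, and a function that closes the silo to owner-only access. It runs on a scratch directory it creates itself with constructed files; the pairing on a real system is to keep the silo directory owner-only and run the program in question as the dedicated account with sudo -u.

```shell
#!/bin/sh
# Added example: audit and enforce the permission boundary a second account
# relies on. Everything below works on a scratch directory created here;
# no real home directory is touched.

# Regular files under DIR that any other user could read (world-read bit
# set): the data a separate "browser" or "office" account outside your
# group would still see.
world_readable() {
  find "$1" -type f -perm -004 | sort
}

# Directories under DIR that other users could enter (world-execute bit).
world_enterable() {
  find "$1" -type d -perm -001 | sort
}

# Close the silo: keep the owner's bits, strip all group and other access
# on the whole tree.
silo_dir() {
  chmod -R go-rwx "$1"
}

# Stand-alone demonstration on a scratch tree with constructed contents.
demo_silo() {
  scratch=$(mktemp -d)
  mkdir "$scratch/docs"; chmod 755 "$scratch/docs"
  printf 'private notes\n' > "$scratch/docs/notes.txt";  chmod 600 "$scratch/docs/notes.txt"
  printf 'shared readme\n' > "$scratch/docs/readme.txt"; chmod 644 "$scratch/docs/readme.txt"
  echo "before: $(world_readable "$scratch" | wc -l | tr -d ' ') world-readable file(s)"
  silo_dir "$scratch"
  echo "after:  $(world_readable "$scratch" | wc -l | tr -d ' ') world-readable file(s)"
  rm -rf "$scratch"
}
demo_silo
```

Run against a real home directory, world_readable lists exactly what the word-processor-in-another-account scenario from the answer could still open; after silo_dir, any program, in any account other than the owner, needs sudo to get at the tree.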
So as you stated it yourself, the sudo command is doing its job perfectly; it is taking care of what it is supposed to:
- Based on definitions it decides who is permitted to do what kind of stuff?
  - based on /etc/sudoers or /etc/sudoers.d
  - e.g.: is user bob permitted to run rm using user root on ALL machines?
- Then it will check to make sure that the user actually is who he claims he is.
  - By asking for a password
What is wrong here is that you are allowing an untrusted user to use your system; that's what causes the damage (not to the system, to your account).
You shouldn't allow anybody you don't trust to use your computer; it's like running a malicious program and expecting nothing to happen.
Use sudo, don't allow anybody to use your account, and you are safe to go...

Then, if no unwanted or untrusted users are here, except for me, what's the point of asking me a password that I know? – A. N. Other Jul 05 '17 at 21:45
That's not the only case, you might run a program which needs to change an important file/device, it's some kind of alert that's telling you: "you are doing an important act, pay attention what you are doing". What if you leave your computer for a while, yeah someone can delete all your files but he can't install a rootkit on your system. – Ravexina Jul 05 '17 at 21:53
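The two checks Ravexina lists (who may run what, as whom, on which host; then proving identity with a password) are decided by the entries in /etc/sudoers and /etc/sudoers.d, and the real way to see the outcome on a machine is sudo -l. The script below is an added example, not code from the answer or from the sudo project: a deliberately simplified POSIX shell model of that lookup, run over a constructed sudoers fragment and a constructed group file so the matching logic can be read and tried offline. It handles only the one-command-per-line form `who host=(runas) [NOPASSWD:] command`, treats ALL as the wildcard, resolves %group entries through the group file, and applies sudo's rule that when several entries match the last one wins. The users, hosts and commands in the samples are invented.

```shell
#!/bin/sh
# Added example: a simplified model of how sudo decides a request from its
# rules. Both samples are constructed (invented users, hosts, paths); real
# decisions come from /etc/sudoers, /etc/sudoers.d and "sudo -l".

# One rule per line: who  host=(runas[:group])  [NOPASSWD:] command
# (no spaces around "=", one command per line; real sudoers allows more).
SUDOERS_SAMPLE='# who     where=(as whom)   what
root      ALL=(ALL:ALL)     ALL
%sudo     ALL=(ALL:ALL)     ALL
bob       ALL=(root)        /bin/rm
alice     web1=(root)       NOPASSWD: /usr/bin/systemctl restart nginx'

# /etc/group-style membership used to resolve %group entries.
GROUP_SAMPLE='sudo:x:27:alice
www:x:33:bob,alice'

# Comma-terminated list of the groups that list the given user as a member.
groups_of() {
  printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v u="$1" '
    { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) printf "%s,", $1 }'
}

# sudo_rule_check USER HOST RUNAS COMMAND
# Prints "ALLOW PASSWD", "ALLOW NOPASSWD" or "DENY" for the request.
sudo_rule_check() {
  printf '%s\n' "$SUDOERS_SAMPLE" | awk \
    -v u="$1" -v h="$2" -v r="$3" -v c="$4" -v g="$(groups_of "$1")" '
    BEGIN {
      decision = "DENY"
      n = split(g, gl, ","); for (i = 1; i <= n; i++) if (gl[i] != "") ingroup[gl[i]] = 1
    }
    $1 ~ /^#/ || NF == 0 { next }                  # comments and blank lines
    {
      who = $1
      split($2, hp, "=")                           # "web1=(root)" -> hosts, runas
      hosts = hp[1]; runas = hp[2]
      gsub(/[()]/, "", runas); sub(/:.*/, "", runas)   # drop parens and ":group"
      tag = "PASSWD"; start = 3
      if ($3 == "NOPASSWD:") { tag = "NOPASSWD"; start = 4 }
      cmd = $start; for (i = start + 1; i <= NF; i++) cmd = cmd " " $i
      # Every part must match; ALL is the wildcard, %name means a group.
      if (!(who == u || (substr(who, 1, 1) == "%" && ingroup[substr(who, 2)]))) next
      if (hosts != "ALL" && hosts != h) next
      if (runas != "ALL" && runas != r) next
      if (cmd   != "ALL" && cmd   != c) next
      decision = "ALLOW " tag                      # a later match overrides an earlier one
    }
    END { print decision }'
}

# Stand-alone run: the answer's own example first, then some variations.
sudo_rule_check bob     pc   root /bin/rm                              # ALLOW PASSWD
sudo_rule_check bob     pc   root /bin/bash                            # DENY
sudo_rule_check alice   pc   root /bin/bash                            # ALLOW PASSWD (via %sudo)
sudo_rule_check alice   web1 root "/usr/bin/systemctl restart nginx"   # ALLOW NOPASSWD
sudo_rule_check mallory pc   root /bin/ls                              # DENY
```

The ALLOW PASSWD versus ALLOW NOPASSWD split is the second of Ravexina's two checks: a matching rule settles what bob may run, and the tag settles whether sudo then has to confirm that the caller really is bob before running it. The last-match rule is also why a NOPASSWD line for one command, placed after a broad %sudo entry, drops the password only for that command and nothing else.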