Friday, 11 July 2008

Does anybody else have a problem with this?

If you've got an ssh connection to a Debian or Ubuntu Linux box handy, and you have sudo privileges on that box, try this little experiment:
  1. ssh to your box as an ordinary user;
  2. sudo su to get a root prompt (you should be asked for your password - this is important);
  3. as soon as you get the root prompt, exit back to normal user, then exit your ssh session entirely.
Now, here's the scary part:
  1. ssh to that same box again right away, as the same user;
  2. sudo su to get a root prompt again.
Why is this scary? Because the second time you ask for a root prompt, you're not prompted for a password. This means that, not only does the actual Linux box require access and user security appropriate to its function, but so does every device that can ssh into it with a rootable user! I'm sure this isn't in any way new, but in 10+ years of using Linux, I just now encountered that scenario for the very first time. As Linux is becoming more popular, and more users are marching up the 'power user' scale, this is something that should be paid attention to - especially in a business environment. Yowza!

No comments: