What specific vulnerabilities am I creating by disabling the sudo password?
Here are some instructions on how to disable your sudo password. These carry the following warning:
If you disable the sudo password for your account, you will seriously compromise the security of your computer. Anyone sitting at your unattended, logged in account will have complete root access, and remote exploits become much easier for malicious crackers.
I’m not worried about people gaining physical access to my machine. What remote exploits are made possible or easier if I were to ignore this warning and disable the password?
If you allow passwordless sudo, anyone who manages to run code on your machine as your user can trivially run code as root. This could be someone who uses your console while you’re logged in but not in front of your computer, which you’re not worried about (anyway, someone with physical access can do pretty much what they want). This could also be someone who accesses your account on another machine where you’ve ssh’ed to your own machine. But it could also be someone exploiting a remote security hole — for example a web site that exploits a browser bug to inject code into your browser instance.
How big a deal is it? Not that much, for several reasons:
- An attacker who’s found a remote hole can probably find a local root hole as well.
- A number of attackers don’t care about root privileges. All they want is to send spam and infect other machines, and they can do it as your user.
- An attacker who has access to your account can drop a trojan that captures your keystrokes (including your password) or that piggybacks onto whatever means you next use to gain root to execute commands of its own.
- If you’re the only user on your machine, there isn’t much to protect that isn’t accessible as your user.
On the other hand:
- If you’re up-to-date with the security updates, the attacker may not find a local hole to exploit.
- A non-root attacker can’t erase his tracks very well.
- Having to type a password now and then isn’t much of a burden.
- Having to type a password reminds you that you’re doing something dangerous (as in: may lose data or make your computer unusable). (As a non-root user, the only real danger is erasing data by mistake, and it’s usually obvious when you’re erasing something and should be extra careful.)
I think that a password for sudo could protect you from only two things:
- accidental damage to your own system (for example running some rm -rf with a relative path from shell history in a different directory than previously, or something like this)
- running a (malicious) script that invokes sudo and tries to hurt your system (but I don’t think that this kind of malicious software is very popular)
If you want, you could use the NOPASSWD option only for selected commands that won’t hurt your system (for editors or for restarting services) and keep the password for other commands.
If you don’t have sshd installed then it’s pretty safe, unless you break something yourself.
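A concrete form of the selective NOPASSWD arrangement described in the answer above, plus a small audit that flags rules granting passwordless sudo for every command. This is an added example, not code from the thread; the user names, the service name and the sudoers text are constructed.

```shell
#!/bin/sh
# Constructed sample in the format of an /etc/sudoers.d/ drop-in.
# Validate a real drop-in with: visudo -c -f /etc/sudoers.d/<file>
SAMPLE_SUDOERS='# blanket rule: the setting the question asks about (no password, any command)
alice ALL=(ALL) NOPASSWD: ALL
# scoped rule: passwordless only for one specific action, password for the rest
# (an editor is a poor candidate here, since most editors can spawn a shell)
bob   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx.service
bob   ALL=(ALL) ALL
# default rule: password required for everything
carol ALL=(ALL:ALL) ALL'

# Print "user<TAB>kind" for every non-comment rule line:
#   blanket  = NOPASSWD: ALL            (any command, no password)
#   scoped   = NOPASSWD: <command list> (only the listed commands skip the password)
#   password = no NOPASSWD tag
# Line-based check only: it does not expand Cmnd_Alias entries or @include files.
classify_rules() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            kind = "password"
            if ($0 ~ /NOPASSWD:[[:space:]]*ALL([[:space:],]|$)/) kind = "blanket"
            else if ($0 ~ /NOPASSWD:/) kind = "scoped"
            print $1 "\t" kind
        }'
}

# Return the users holding a blanket passwordless rule, one per line.
blanket_users() {
    classify_rules "$1" | awk -F '\t' '$2 == "blanket" { print $1 }'
}

# Usage: report on the constructed sample (prints one line per rule).
classify_rules "$SAMPLE_SUDOERS"
```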
It’s worth noting that some competent organizations actually prefer passwordless sudo when they have users who need to log into lots of different remote hosts—particularly if that includes hosts with varying levels of security.
The problem with entering your password is that you’re giving your password to remote systems on a regular basis. One of the reasons we use SSH is to avoid exactly that kind of security hole. It’s a question of tradeoffs: you’re increasing the likelihood that a user’s password will be compromised in order to decrease the likelihood that an attacker who has compromised a session or key will be able to achieve root access. In particular, imagine the following scenario:
- large organization
- many hosts
- hosts have varying levels of security
- non-root access is already harmful
- user passwords unlock many things
In the scenario I’ve described, passwordless sudo may increase your security by protecting the user’s password. This is similar to the password-reuse attacks that have become common on the Internet, except the vulnerability stems from a unified authentication system rather than the actual reuse of passwords.
Unless you’re at a giant company, passworded sudo will probably increase your security—but not necessarily by a great amount. Unless you are really a professional at systems security, or it’s a host with nothing particularly valuable on it, I’d recommend you leave it on.