Linux – Preventing malware from sniffing the sudo password

linuxmalwareSecuritysudo

I often hear people citing sudo as one of the main barriers to malware infecting a Linux computer.

The most commen argument seems to go along the lines of: Root privileges are required to modify system configuration, and a password is required to gain root privileges, so malware can't modify system configuration without prompting for a password.

But it seems to me that by default on most systems, once malware has infected an admin account, privilege escalation is trivial — the malware just has to wait for the user to run sudo.

What methods exist for malware to gain root privileges when the user runs sudo, and how can we protect against them?

Edit: I'm specifically interested in protecting against a compromised admin account; that is to say, an account which has full root privileges with sudo (e.g. the user's account on a typical desktop system).

Best Answer

Once a piece of malware has gained access to a user's account, it can:

1. Create a bash alias (in the current shell, and in ~/.bashrc) to a command which fakes the [sudo] password for $USER: prompt, and steals the user's password.

alias sudo='echo -n "[sudo] password for $USER: " && \
            read -r password && \
            echo "$password" >/tmp/sudo-password'

2. Similarly, it can place an executable named sudo in ~/.bin, and modify the PATH variable to achieve the same effect: PATH="$HOME/.bin:$PATH"

3. Catch key presses through the X server, watch for the word sudo, then try the text between the next two Enter key presses as the password.

4. A similar thing can be done in any environment (the console, Wayland, X) using e.g. $LD_PRELOAD.

5. If malware infects a shell that uses sudo, and sudo caches credentials, the malware can continouosly check if it is possible to sudo without a password:

while : ; do
    echo | sudo -S echo "test" &>/dev/null && break
    sleep 10
done
sudo echo "We now have root access"

Prevention:

1 & 2. Use \/bin/sudo. The \ ignores aliases, and /bin/… ignores $PATH. Alternatively, add an alias such as: ssudo="\/bin/sudo", and always use ssudo instead of sudo. It seems unlikely that a virus would be clever enough to remap this alias.

3. Avoid typing your password when using X11. Instead, use a virtual console, or Weston.

5. Set timestamp_timeout=0 in /etc/sudoers.

The only way to completely eliminate the chance of the sudo password being sniffed, seems to be to avoid it altogether. Instead, login as root to a virtual console.

According to Alexander Peslyak: "the only safe use for su [and sudo] is to switch from a more privileged account to a less privileged one…"

On a side note, sudo does have some countermeasures:

sudo reads from tty instead of stdin, so alias sudo='tee -a /tmp/sudo-password | sudo' breaks sudo (but does capture the password).

Related Solutions

Linux – How to make Shared Keys .ssh/authorized_keys and sudo work together

ssh and sudo have nothing to do with each other. Setting up an ssh authentication method isn't going to do anything for sudo. sudo isn't going to understand an ssh password.

passwd -l is intended to lock a user's account, so that he can no longer authenticate by password. That's pretty much the opposite of what you want, which is letting the user authenticate without a password.

I think what you want is the NOPASSWD option in your sudoers file.

(PS, there's no reason to be running a cd command with sudo. cd does not propagate to parent processes, so as soon as the sudo exits, you're back where you started.)

Edit: You keep saying that you want to lock the account password and want sudo to understand public/private keys. Sorry, sudo isn't going to use ssh keys. It isn't ssh. If you don't want users to be able to log in with their passwords, I think the answer is to disable ssh password authentication, not to lock the account. Then you can retain a password for the users, which they can use to sudo after they log in via ssh authorized_keys.

Linux Sudo – How to Restore Sudo Privilege with Linux Live CD

You'll have to boot into recovery mode to gain root (system-wide) access in order to repair

If you have a single-boot (Ubuntu is the only operating system on your computer), to get the boot menu to show, you have to hold down the Shift key during bootup.

From the boot menu, select recovery mode

After you select recovery mode and wait for all the boot-up processes to finish, you'll be presented with a few options. In this case, you want the Drop to root shell prompt option.

/etc/group is the file that defines the groups on the system

You can then use adduser username admin to readd your user to the admin group.

Alternatively you can use the vigr command to edit the /etc/group file safely

format example;

group-name:x:group-number:user1,user2
admin:x:110:username

Best Answer

Prevention:

Related Solutions

Linux – How to make Shared Keys .ssh/authorized_keys and sudo work together

Linux Sudo – How to Restore Sudo Privilege with Linux Live CD

Related Question