Critique of sudo's Security Model and the Case for Object Capabilities
By fanf2
Summary
The article presents a strong critique of the sudo command in Unix/Linux systems, arguing that it represents fundamental flaws in the modern Unix security model. The author explains that sudo's design as a SUID binary creates a large attack surface, lacks privilege separation, uses complex non-declarative configuration formats, and relies on centralized identity-based access control with ambient authority. The piece advocates for moving to object capabilities as a more secure alternative, noting that Alpine Linux has already switched to doas as its default privilege escalation tool due to sudo's security issues.
Key quotes
I hate sudo with a passion. It represents everything I find offensive about the modern Unix security model
Systems built around identity-based access control tend to rely on ambient authority: policy is centralized and errors in the policy configuration or bugs in the policy engine can allow attackers to make full use of that ambient authority
Alpine moved to doas as the default privilege escalation tool several years ago, in Alpine 3.15, because of the large attack surface that sudo brings due to its design
it must be a SUID binary to work
it is monolithic: everything sudo does runs as root, there is no privilege separation
it uses a non-declarative and non-hierarchical configuration format leading to forests of complex access-control policies and user errors due to lack of concision