As part of my work on updating the LCFG client I’ve written a guide to the inner workings of the LCFG client. This is intended to be fairly high-level so it doesn’t go into the details of which subroutine calls which subroutine. The aim is that this should cover all the main functionality and provide the information necessary to get started with altering and extending the client code base.
Recently there have been revelations that the NSA is explicitly targeting sys admins. This is because they see sys admins as a good way to gain access to the users and data on the networks they manage. It’s worried me for a while now that gaining access to a typical sys admin account provides an attacker with a really easy way to get root access (for instance, there are plenty of sites out there which allow anyone in group “wheel” to gain extra privileges). Also, as I blogged recently, even when you cannot directly gain full root access, anyone who is permitted to do privileged admin tasks using sudo probably has some sort of illicit way of gaining extra privilege.
Even if we ignore concerns about government surveillance, when you can trivially find a huge list of sys admins via linkedin.com you know that attackers are going to be focussing their efforts on that list of targets. It’s clear to me that we have reached a time where sys admins are going to have to accept more onerous access restrictions than a “normal” user because they have the ability to easily acquire a lot more power than a “normal” user. We’re going to be obliged to use technologies such as multi-factor authentication, we’re going to have to avoid insecure web sites that require accounts but don’t have an https option, we’re going to have to use a secure VPN just to do simple things.
I’ve always been very wary of using sudo for anything more than the simplest cases. I quite like the Ubuntu approach of using sudo to gain root privileges instead of su: it’s nice and simple and doesn’t give any suggestion of power being restricted; all it really achieves is the avoidance of the root password. A complicated sudo configuration has always seemed like a great way to hand out complete root privilege whilst being under the false impression that everything is nice and secure. This recent blog article I spotted has confirmed in my mind that heavy reliance on sudo really is a recipe for disaster.