Restrict root access

That issue is described here:
Strong Linux User Account Isolation

If that description is insufficient (if there is something that new, reasonably technical readers might overlook), please edit. It’s crucial to get these things properly documented so these issues and our solutions can be understood by as many people as possible, to make sure it is actually effective.

That’s the plan. That’s the idea of multiple boot modes for better security: persistent user | live user | persistent secureadmin | persistent superadmin | persistent recovery mode. Booting in mode persistent/live user would result in user user not being a member of group sudo.

That might not be possible, or it might take years to implement. For existing use of sudo, grep the Whonix source code for sudo and lxsudo.

grep -r sudo | wc -l

819

Well, a lot of it is source code comments / source documentation / user documentation. Will try to narrow that down.

I guess I know what you mean, but exactly such things need to be spelled out in more detail (in wiki, news posts) to generate awareness for the issue. I.e. including examples of which non-root user might be compromised and what it could do to compromise desktop users.

Trying to follow that line of thought more… If such infoleaks can spy on keystrokes to get access to the sudo password then that’s not only the sudo password but any keystroke. That’s not an issue for privilege escalation / exploitation but still a huge security issue as nobody wants all their typing leaked. Therefore let’s not just secure sudo but make sure that keystroke spying gets blocked.

Non-root users (let’s say user www) might find out the sudo password but not be able to do anything with it due to the existing implementation.
( Strong Linux User Account Isolation )
These users are not members of group sudo and, due to su restrictions, no login to other user accounts is possible.

That might not even be stoppable when making /tmp, /home etc. non-executable. Because this attack supposes a compromised non-user account that is a member of group sudo, i.e. in our case most likely user user. “compromised non-user account” could include “there is already a malicious process running”. And if there is already a malicious process being executed, there is no stop to that by making anything non-executable.

In other words, a compromised non-root user account which is a member of group sudo is almost(?) equal to full root compromise. This needs to be documented somehow. No awareness → no fix.

And most Linux desktops nowadays are single-user systems. There is only 1 non-root user being used. And that non-root user can, in most Linux distributions, either use su to gain root or is a member of group sudo by default.

Not entirely, but I see your point. sudo seems to work as expected. sudo is useful. (A script running under root can run sudo -u www touch /var/log/www/something while www is not a part of group sudo.)

Just perhaps the developers of sudo aren’t doing the best job of explaining X exclusive lock, secure attention key, unraw. I don’t think many people know that when you switch from X to a virtual console, X might still have an exclusive lock and show a malicious, fake virtual console that could spy on the password entry. But we shouldn’t blame that on the developers of sudo.

This can easily create the impression of security theater.
Quote from the XScreenSaver FAQ:

The solution to this is simple: you shouldn’t be logging in on the console as root in the first place! (What, are you crazy or something?)

Proper Unix hygiene dictates that you should log in as yourself, and su to root as necessary. People who spend their day logged in as root are just begging for disaster.

The author might understand all of these things, but that text is written as if that were common knowledge, which it is not.

Let’s imagine (not going to happen, actually the opposite) Whonix shipped with passwordless sudo by default, because currently Linux desktop distributions’ use of sudo is mostly security theater and a usability degradation. I am sure, suddenly everyone would come out of the woods and complain how dangerous that is. But I also guess that at the same time nobody would point out how to Prevent Malware from Sniffing the Root Password, and most would still use 1 user user that is a member of group sudo for most daily tasks, which then again gives very little security. This seems ironic knowing how much work/time is otherwise spent by Linux desktop distributions on user access rights related development (file permissions) rather than just running everything as root.

1 Like
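An added example, not code from this thread or from Whonix: a POSIX shell audit that applies the post's criterion (a non-root account in group sudo, or with its own sudoers rule, is "almost equal to full root compromise") to constructed sample /etc/group and /etc/sudoers contents. The sample data and the function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not Whonix code. Lists non-root accounts that can reach
# root by two criteria from the thread: membership in group sudo/wheel, or
# a direct sudoers rule. Sample /etc/group and /etc/sudoers contents are
# constructed here so it runs offline (sudoers.d drop-ins are not followed).

GROUP_SAMPLE='root:x:0:
sudo:x:27:user
wheel:x:10:
www-data:x:33:'

SUDOERS_SAMPLE='Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www     ALL=(root) NOPASSWD: /usr/bin/touch /var/log/www/something
# deploy  ALL=(ALL) ALL   (commented out, must be ignored)'

# stdin: /etc/group format. Prints members of the sudo and wheel groups,
# one per line (the supplementary-member field is comma separated).
privileged_group_members() {
    awk -F: '$1 == "sudo" || $1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# stdin: sudoers format. Prints user names that carry a rule of their own,
# skipping comments, Defaults, aliases and %group / @netgroup specs.
sudoers_direct_users() {
    sed 's/#.*//' | awk 'NF >= 2 && $1 !~ /^[%@]/ &&
        $1 !~ /^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)$/ { print $1 }'
}

# stdin: sudoers format. Prints users whose rule needs no password at all.
sudoers_nopasswd_users() {
    sed 's/#.*//' | awk '/NOPASSWD:/ && $1 !~ /^[%@]/ { print $1 }'
}

# Union of both sources minus root itself: compromising any account listed
# here is, in the post's words, almost equal to full root compromise.
escalation_capable_accounts() {
    {
        printf '%s\n' "$GROUP_SAMPLE" | privileged_group_members
        printf '%s\n' "$SUDOERS_SAMPLE" | sudoers_direct_users
    } | grep -vx root | sort -u
}

escalation_capable_accounts                                  # -> user, www
printf '%s\n' "$SUDOERS_SAMPLE" | sudoers_nopasswd_users     # -> www
```

On a real host the same functions take `/etc/group` and `/etc/sudoers` on stdin; an empty result from `escalation_capable_accounts` is what the "user not in group sudo" boot modes described above would produce.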