
Why does Whonix have the sudo threat?


#1

Why does Whonix have sudo installed?
It makes the root password useless and puts the whole OS in danger. If someone compromises my user account through a browser bug, they can do “sudo su” and they have the root account, without knowing the root password.
I think for best security sudo should be removed from the system completely.
You only need root when you are doing updates, nothing else. So it’s better to just log in as root for that.


#2

At least 90% of users need root for updates only…


#3

Good day,

Maybe I misunderstand you, but to use “sudo su”, you still need a password.

Unless you actually refer to Qubes in which case this applies: https://www.qubes-os.org/doc/vm-sudo/

This however has nothing to do with Whonix.

Have a nice day,

Ego


#4

I’m not talking about Qubes here.
You need only the regular user password, not the root one.
That makes the root password useless
and weakens OS security massively.


#5

It would be safer to just log in to the root account when an update is needed.
It’s a really bad idea to give a normal user the ability to become root.


#6

Good day,

But Whonix isn’t designed as a multi-user system, so whether the user or root password is required doesn’t change security, considering both should be protected in a single-user use case. Furthermore, because of this, making users change the account for updates and the installation of additional software would be counterintuitive.

Have a nice day,

Ego


#7

It changes security a lot! Because you are working as a user who can become root.
If you are working with limited user rights, and this user is compromised, the attacker will have a harder time getting full system control.
Linux is a multi-user system; this gives it security because you don’t need to be doing everything as root.

What you just said makes no sense. Using an admin account for administrative things is counter… ? :smiley:

Security comes from compartmentalization. It’s safer to use a limited user for all activities except admin tasks. But when we have sudo we lose this multi-user security feature…


#8

Using separate root and limited user accounts for different tasks acts as a sandbox; if you have sudo, you remove this security feature.

I’m talking about a remote attacker.


#9

Why sudo is bad for security:
1. http://www.openwall.com/lists/owl-users/2004/10/20/6
2. https://kzimm.wordpress.com/2010/03/19/sudo-please-dont/


#10

#11

That doesn’t answer anything for me :frowning:
It is common sense to use a limited account for everyday use, and an admin account for administration things…


#12

Good day,

I think the issue here lies in an understanding of the underlying concept of Whonix. Whonix is not and never will be a host-level system. It is designed as a guest system upon whatever host you’d like to use. That’s why, as mentioned before, there are NO multi-user use cases found within Whonix. So there is literally no security advantage in separating user and root-level accounts, as both are to be kept by one person.

Have a nice day,

Ego


#13

But for example, on a HOST OS, do I have a security advantage from having separate user and root-level accounts?

Yes, they are kept by one person. But if an attacker exploits, for example, arm manager, he will be stuck in a limited user account. But if we have no separation, he can easily do privilege escalation and mess with the Tor or arm config.


#14

https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html

arm is a bad example. It requires access to Tor’s auth file - otherwise it could not be a Tor controller. Once arm was compromised, it could instruct Tor to do whatever the malware wants.


#15

Yes, I understand this. But this is for X, and if you use su or enter the root password while in an X session. But what if I never enter the root password this way? I enter the root password only when my system boots, before the X server starts.

Please help me understand.
If I have a Debian host without sudo, and I only enter my root password before the X server starts, only for system updates, do I have more security, or is it the same as a normal system with sudo (or “su” command usage) would have? I think the first option (without sudo, without using su or entering the root password in an X session) is much safer, because:
1. I don’t have my user in the sudoers file, so my user is fully limited. Or at least an attacker can’t become root (sudo su) so easily.
2. I never enter my root password in a limited user X session. So my root password can’t be keylogged in a regular X session.

I’m not saying that this should be for Whonix; I’m just trying to figure out if this is a security advantage for a HOST OS.
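
Added example, not part of any post in this thread and not Whonix or Debian code: a shell check that separates the setup post #15 describes (user has no sudoers entry) from the cases where the user's own password, or no password at all, is enough to reach root. The function names, the simplified sudoers reading and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Simplified sudoers reading: plain "user" and "%group" entries
# only; no aliases, no include directives, no per-command restrictions.

# groups_of USER GROUP_FILE: groups listing USER as a member (/etc/group format).
# The primary group from /etc/passwd is not consulted.
groups_of() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) printf "%s ", $1
    }' "$2"
}

# sudo_exposure USER SUDOERS_FILE GROUP_FILE: prints none | password | nopasswd
sudo_exposure() {
    awk -v u="$1" -v grps="$(groups_of "$1" "$3")" '
    BEGIN {
        n = split(grps, g, " ")
        for (i = 1; i <= n; i++) member["%" g[i]] = 1
        r = "none"
    }
    /^[ \t]*(#|$)/ || /^[ \t]*Defaults/ { next }   # comments, blanks, Defaults
    {
        if ($1 != u && $1 != "ALL" && !($1 in member)) next
        if ($0 ~ /NOPASSWD:/) r = "nopasswd"       # no password asked at all
        else if (r == "none") r = "password"       # the user password suffices
    }
    END { print r }' "$2"
}

# make_samples DIR: write constructed sample files (not taken from a real system).
make_samples() {
    printf '%s\n' 'sudo:x:27:user' 'users:x:100:user,guest' > "$1/group"
    printf '%s\n' 'Defaults env_reset' 'root ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' > "$1/sudoers_group_rule"
    printf '%s\n' 'root ALL=(ALL:ALL) ALL' \
        'user ALL=(ALL) NOPASSWD: ALL' > "$1/sudoers_nopasswd"
}

d=$(mktemp -d) && make_samples "$d"
for f in sudoers_group_rule sudoers_nopasswd; do
    for u in user guest; do
        echo "$f $u: $(sudo_exposure "$u" "$d/$f" "$d/group")"
    done
done
rm -rf "$d"
```

On a real host, `sudo -l -U USER` run as root gives the authoritative answer, including aliases and included files that this simplified reading skips.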


#16

That depends on your assessment of how hard a user-to-root privilege escalation exploit is. Such a discussion presupposes an attack where the adversary has already managed a user account compromise.

As https://www.qubes-os.org/doc/vm-sudo/ makes the argument, it’s unlikely that a local user account gets compromised but at the same time no user-to-root privilege escalation exploit is available.

Not just sniffing your root password is of interest, but sniffing each and every keystroke, mouse movement and mouse key press.