(Don't know whether this is the correct subforum, or even a topic suitable for discussion here. If not, moderators please fix.)
As we all know, it is unsafe to use the root account more than absolutely necessary, and it is particularly unsafe to enable direct ssh login into the root account. We also know that the root password needs to be guarded with utmost care (and not posted on the console on a yellow sticky note), and that enabling passwordless login into root (using ssh keys) is dangerous. In contrast, direct ssh login to user accounts is necessary and acceptable (even passwordless with ssh keys), because after all normal users can't do that much damage, other to their own accounts; so if a normal user is hacked, at least the overall system survives.
This means that sys admin tasks are done by a human with their own account, who logs in (probably usually via ssh), has their own password or ssh keys, and then switches to being root by using
Unfortunately, there is a hack that allows privilege amplification, and it works as follows: If an attacker has hacked into the regular (non-root) account of the human admin, then deposit a small "su" executable in their bin directory. That executable accepts the root password from the user, deposits it somewhere where the hacker can find it (mails it, sends it over a socket, puts it in a file, ...), deletes itself, and then fork/execs to the real su executable to execute the command. The human admin won't even notice that they just gave the root password away. The reason this is privilege amplification: A hacker only has to get into an unprivileged account and wait until that human issues su or sudo, and then can amplify their privilege to be root.
In FreeBSD, is there anything that guards against this? The only ideas I have for preventing it: Have the periodic security scans look for executables named "su" or "sudo" stored in places other than the real official one. But that means there will be a long delay until the hack has been found (periodic runs at best nightly). Or maybe the real
As we all know, it is unsafe to use the root account more than absolutely necessary, and it is particularly unsafe to enable direct ssh login into the root account. We also know that the root password needs to be guarded with utmost care (and not posted on the console on a yellow sticky note), and that enabling passwordless login into root (using ssh keys) is dangerous. In contrast, direct ssh login to user accounts is necessary and acceptable (even passwordless with ssh keys), because after all normal users can't do that much damage, other to their own accounts; so if a normal user is hacked, at least the overall system survives.
This means that sys admin tasks are done by a human with their own account, who logs in (probably usually via ssh), has their own password or ssh keys, and then switches to being root by using
su
or sudo
. For all but pre-arranged tasks, that means typing the root password. If you look at the statements above, this should be considered pretty safe: the unprivileged account that the human uses doesn't need to be guarded too closely, since after all the human has to re-authenticate with the root password before they can do something seriously harmful.Unfortunately, there is a hack that allows privilege amplification, and it works as follows: If an attacker has hacked into the regular (non-root) account of the human admin, then deposit a small "su" executable in their bin directory. That executable accepts the root password from the user, deposits it somewhere where the hacker can find it (mails it, sends it over a socket, puts it in a file, ...), deletes itself, and then fork/execs to the real su executable to execute the command. The human admin won't even notice that they just gave the root password away. The reason this is privilege amplification: A hacker only has to get into an unprivileged account and wait until that human issues su or sudo, and then can amplify their privilege to be root.
In FreeBSD, is there anything that guards against this? The only ideas I have for preventing it: Have the periodic security scans look for executables named "su" or "sudo" stored in places other than the real official one. But that means there will be a long delay until the hack has been found (periodic runs at best nightly). Or maybe the real
su
and sudo
commands are written to not accept passwords from anything other than a real tty device, in which case the fake "su" program would have to pretend that the password was invalid (after it snags it), and the human user should notice that they had to type their password twice.