What's the purpose of mdo?

I mean in a broader sense, not the technical "[to allow] unprivileged users to change process credentials" from mac_do(4). You see, before switching from MS Windows to FreeBSD I became a bit familiar with sudo on some linux machines at my job. My understanding is that sudo is for escalating the user's privileges in a controlled way for certain specified tasks. This usually requires the interactive authentication of the original user (password input) but I have seen sudo set up also to work without any password input for certain set of commands. So far so good.

Now, on my FreeBSD machines I try to avoid GPL-licensed software, so I was looking for a FreeBSD-native alternative. Vermaden describes several of them, and I went with mdo(1). I have set it up on one of my machines and it does the job. All good. I am just a bit puzzled about how much the security of that machine is compromised by it. (Maybe security is not the correct term here). I mean the situation where somebody (e.g. my spouse, kids, a visitor) who does not know my password gets the chance of interacting with that machine under my user's account. Why is there not any kind of protection when using mdo? Like requiring my login password or something?

I know that there is this way to "hijack" a FreeBSD machine when you have physical access to it (reboot into single user mode and reset the root password) and that this is not considered a security issue because by declaring a tty "secure" in /etc/ttys you basically tell the machine that you want this safety hatch open and it shall just trust the site's physical access security measures. But apart from that: Let's assume I am remotely logged in my FreeBSD machine from some place insecure and that somebody who does not know my user's login password gets his hands on this console under my account. The moment he tries to execute anything through mdo, he effectively becomes root, no questions asked. And I'm not sure I want it this way. With sudo this would have probably not happen (after the password caching period has passed).

When I think about it, I must conclude that if you use mdo to grant any user the root's privileges, this user effectively becomes root, too. And if that user account is partly compromised (password and other credentials are still unknown to the attacker, but he has physical access to one of the user's consoles), the door is wide open. Is that the intention behind mdo?
 
Back
Top