On Passwordless Sudo

Submitted by Style Pass, 2024-06-09 13:00:09

sudo is obviously kinda important for Linux users. You're asked for your password & you get to run commands as root; you then don't even get asked for your password for a while. There is... not much to it.

You can also get it to not even ask you for your password. Which is... less secure, right? After all, when sudo does ask, even if someone somehow hacks their way to a shell prompt on your machine, they can't gain root access, since they still don't know your password!

For the supposed case of an "attacker who takes over your keyboard while you're away" or who hacks their way into just your user account... yes, they can't get root immediately if sudo asks for a password. In practice though, if they're reasonably determined, they can just alias / replace sudo with a malicious program of their making that asks for your password, saves it to a text file / sends it out via TCP / etc... and the next time you run sudo, you happily give said password to them.

In fact, this could be worse than useless: they now have not just root but also your password; this could be concerning if said password happens to be similar to your other passwords on completely different systems. (If, on the other hand, you expect sudo to just hand you root without questions, how are they going to get you to type it in?)
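From the defender's side, the alias / replace trick described above leaves traces you can check for. The script below is an added example, not code from the original post: it looks for a `sudo` alias or shell function in startup files and for a `sudo` executable sitting in a user-writable `PATH` directory. The function names are hypothetical, and treating "replace" as "an earlier `PATH` entry" is an assumption.

```sh
#!/bin/sh
# Added example: audit one account for a shadowed sudo.
# Function names are hypothetical, not taken from any existing tool.

# Print (file:line:text) every rc-file line that defines an alias or a
# shell function named "sudo". Args: startup files to inspect.
scan_rc_for_sudo() {
    for rc in "$@"; do
        [ -r "$rc" ] || continue
        # /dev/null as a second file forces grep to print the file name.
        grep -nE '^[[:space:]]*(alias[[:space:]]+sudo=|function[[:space:]]+sudo([[:space:]({]|$)|sudo[[:space:]]*\(\))' \
            "$rc" /dev/null || true
    done
}

# Walk a PATH string in order and print every executable named "sudo".
# The first line is what the shell would run. A hit in a directory the
# current user can write to is flagged: whoever controls the account
# could have put it there. Runs in a subshell so IFS/noglob stay local.
list_sudo_on_path() (
    IFS=:
    set -f
    for dir in $1; do
        [ -n "$dir" ] || dir=.          # empty PATH entry means cwd
        { [ -f "$dir/sudo" ] && [ -x "$dir/sudo" ]; } || continue
        if [ -w "$dir" ] || [ -w "$dir/sudo" ]; then
            echo "USER-WRITABLE $dir/sudo"
        else
            echo "ok $dir/sudo"
        fi
    done
)

# Audit the current account (prints nothing for the rc files when clean).
scan_rc_for_sudo ~/.bashrc ~/.bash_profile ~/.profile ~/.zshrc
list_sudo_on_path "$PATH"
```

Run it as the user being audited, not as root: root can write everywhere, so every hit would be flagged. A clean result only covers these two routes and only means something if the account was not already compromised when the check ran.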
