0

I work in software development for a large corp with fairly strict IT. I am ignorant of security practices. Developers on Windows machines have local administrator rights, are able to install apps etc, but are limited by group policies from eg uninstalling AV.

I have been asking for similar rights on linux - ability to install / update applications and drivers, but IT says something like "On windows, you have local admin rights so you can only mess up your own machine. On Linux, sudo gives you domain rights so you can mess up your own machine, you can become any user on any machine".

Is that response accurate? I have a difficult time believing that linux would be less secure / useful than windows in this respect. Pointers to useful comparisons appreciated-

Thanks

Chris Morley
  • 101
  • 1
  • 2
    That doesn't sound right. The root user is a _local_ administrator only, not a domain admin, unless IT has horribly misconfigured all the Linux machines. And I'm not even sure offhand how you would perform such a misconfiguration. – Michael Hampton Sep 16 '20 at 16:40
  • @MichaelHampton perhaps a domain joined system with a naive nfs access or something? So perhaps they are worried about the user doing `sudo -i -u some_other_domain_user`. Or just using the root account to access some other users files? – Zoredache Sep 16 '20 at 19:46
  • NFS defaults to squashing root to nobody for exactly this reason. There's nothing else out of the box that allows root equivalence – roaima Sep 16 '20 at 19:53
  • 1
    @roaima sure, but there are also lots of people that manage systems that change defaults of things in ways that dramatically weaken security. Without more details I would guess this org has probably done something silly. – Zoredache Sep 16 '20 at 19:58
  • @Zoredache exactly. Or they've misunderstood something – roaima Sep 16 '20 at 20:31

2 Answers2

2

"On Linux, sudo gives you domain rights so you can mess up your own machine, you can become any user on any machine" is nonsense.

SUDO gives limited rights to your own system, nothing more. If you decide to set up the same sudo permissions and users for all your machines this is conceptually no different to doing so on Windows. Its not even a sane default, and sudo can be very fine grained in its control - as far as allowing only limited commands for limited users if configured.

davidgo
  • 6,222
  • 3
  • 23
  • 41
1

On Linux, sudo gives you domain rights so you can mess up your own machine, you can become any user on any machine.

Sounds like complete nonsense, until you "translate" it from the Windows mind-set from which it almost certainly emanated:

sudo gives you domain rights ...

This person is conflating "elevated permissions" with "domain rights" (whatever they might be) unless they've set up their "domain" in a very, very strange way - setting up root as as Domain User would be a huge security risk.

Yes, sudo lets you do things that you would not, normally, be allowed to, but it's still absolutely nothing to do with a "domain".

... you can become any user on any machine ...

Yes, you can "become" (through "sudo -i") any user on any machine ... on which sudo has been configured to allow you to do so, or on which sudo has been configured to allow you to "become" root (which can, by design, do anything, so all bets are off).

All that configuration is down to your System Administrators and how they've set up sudo. From the sounds of it, that's naively, lazily and/or poorly. YMMV.

I'm guessing that you have [your own] Windows desktops, but [shared] Linux servers.

Elevated permissions on your desktop machine allow you to shoot yourself in the foot by lousing up your own machine. I would guess that your organisation ("large corp with fairly strict IT") has standard, desktop "build" images that they can "splat" over your crippled machine to get you back into a working state.

sudo allows you to run commands as another user, most commonly as root, which allows you to shoot everybody in the foot (feet?) by lousing up a shared server, which then requires a System Administrator to take the time and trouble to step in and clean up your mess. This doesn't make you any friends.

Phill W.
  • 1,479
  • 7
  • 7
  • Thanks. These are desktops, not servers. Most devs had their own linux desktops, but we were acquired by a windows-centric mega corp. – Chris Morley Sep 17 '20 at 15:04
  • If a command requires root access, sudo could be configured to allow that command to be run, but not provide the ability to 'become' another user, right? – Chris Morley Sep 17 '20 at 15:06
  • @ChrisMorley: It /should/ be, but that doesn't mean that it /is/. This is especially true if your SysAdmins don't really understand what sudo can do. In the Windows World, UAC allows you to run anything "as Administrator" so the simple equivalent, sudo setup would be to allow you to run anything "as root". It's over-simplified and ignored much of the power of sudo itself, but I suspect that's what you're up against. – Phill W. Sep 18 '20 at 13:04