
AWS's Ubuntu image gets bootstrapped with your credentials being added to a user called ubuntu. After the machine comes up, you can SSH into your new box with the ubuntu user.

This user is a sudoer, and based on the sudoers file, this user can do pretty much anything that root can, as long as you preface a command with sudo, without any password being entered. This negates some of the benefits of sudo because there is no interactive password prompt. As far as I can tell, this also pretty much means that you should never run public-facing applications as this user, because if someone could find a way to execute shell commands via your application, they could take control of your system.

My real question is: why does this user exist? Why not just grant SSH access to the root account, with the expectations that someone would create unprivileged accounts to run an app? Doesn't having this ubuntu user just add confusion? I could see someone thinking "my systemd application isn't running as root, it's running as ubuntu, so I am safe".

Am I missing some purpose of this kind of user, which is not root, but is a passwordless sudoer?

kbuilds
  • This is good, but it assumes that you use the interactive password interface to gain the elevated privileges. On AWS, the sudoers file is set so that the ubuntu user can use sudo without entering a password (because that user does not have a password) – kbuilds Nov 29 '18 at 22:16
  • Then do a passwd on that user... – Fabby Nov 29 '18 at 22:26
  • @Fabby You would have to both passwd that user to set the password, then also modify the sudoers file to disable passwordless sudo access. But the point here is what is the main difference between a passwordless sudoer and the root account itself? – kbuilds Nov 29 '18 at 22:29
  • This is clearly not a duplicate. Nothing in the "already answered" post addresses my question, nor does it come anywhere close to the same kind of answer. – kbuilds Nov 30 '18 at 03:11
  • You might find this related post informative: https://serverfault.com/questions/580881/is-it-ok-to-set-up-passwordless-sudo-on-a-cloud-server – Elder Geek Nov 30 '18 at 18:08
  • @ElderGeek Yes, this is actually really helpful. Thank you – kbuilds Dec 03 '18 at 02:16
  • @kbuilds I'm glad to hear that. – Elder Geek Dec 04 '18 at 15:51

1 Answer

I chatted with one of my friends who works on the EC2 team, and he gave me a really good explanation.

The main difference to be discussed here is between a user who can run sudo without a password and can gain all privileges with sudo (passwordless sudoer), and the root user itself. My initial thought was that these two users are essentially the same, but as my friend explains, compromising the passwordless sudoer is inherently harder than the root user, if the attack vector is through an application.

The reason for the additional difficulty is that to gain sudo privileges as a sudoer, you need shell access. Without the shell, an application running as the passwordless sudoer is essentially just a normal user. However, this means that if the passwordless sudoer were running an application that can execute shell commands on behalf of the user (i.e. Jenkins or some other CI tool), then the system could still be compromised.

It's still probably safest to run applications as a non-sudoer, but for most cases, I imagine that the passwordless sudoer is safe enough.

Full context of the discussion: [two screenshots of the chat, not reproduced in the text]

kbuilds
  • When sharing information and other chat threads, please do not include offensive or inappropriate language such as swearing. Such language is not conducive to civil discussions. – Thomas Ward Dec 03 '18 at 00:27
  • Swearing is part of my culture, and we use it in civil discussions all the time without offending anyone :( – kbuilds Dec 03 '18 at 02:17
  • hell yeah!!!!!! – Bernd Loigge Aug 15 '19 at 09:15
  • So the "protection" is coming from the fact that an application won't have tty? That sounds weak and unconvincing. – Mike Nov 19 '19 at 15:09
  • @Mike It's a slight security edge over just running the app as root. Root access is what some IaaS providers give you by default, such as with Digital Ocean. An amateur developer might just install a web app and run it as the root account, which would give an attacker root access to the system if the app were to be compromised. I agree that the best solution in all cases would be to create a separate, unprivileged user to run the app, but it seems that what AWS and GCP give you out of the box (a sudoer) is better than plain root account access. – kbuilds Nov 19 '19 at 18:21
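As an added example, not part of the question, the answer or any comment, the check a defender would run on a cloud image: a POSIX shell audit that lists users granted unrestricted passwordless sudo in a sudoers fragment and flags a systemd unit whose User= is one of them. The sudoers and unit contents are constructed samples in the style of the cloud-init drop-in, not copied from a real host.

```shell
#!/bin/sh
# Audit: find users with "NOPASSWD:ALL" in a sudoers fragment and flag a
# service unit that runs as one of them (constructed samples, assumptions).

# Constructed sudoers drop-in: the first line is the cloud-image default,
# the second requires a password, the third allows a single command only.
SAMPLE_SUDOERS='# constructed sample, not a real /etc/sudoers.d file
ubuntu ALL=(ALL) NOPASSWD:ALL
deploy ALL=(ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync'

# Constructed systemd unit running a web app as the cloud-image user.
SAMPLE_UNIT='[Service]
User=ubuntu
ExecStart=/opt/app/server'

# Print the user of every rule ending in "NOPASSWD:ALL" (or "NOPASSWD: ALL").
# Reads sudoers text on stdin; comments, Defaults and %group rules are skipped.
nopasswd_all_users() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*Defaults/ || /^[[:space:]]*%/ { next }
        /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { print $1 }
    '
}

# Exit 0 if the unit text on stdin sets User= to the given account, else 1.
unit_runs_as() {
    awk -v u="$1" -F= '$1 == "User" && $2 == u { found = 1 } END { exit !found }'
}

# Exit 0 and print a finding when the sample unit runs as a passwordless sudoer.
audit_unit() {
    for user in $(printf '%s\n' "$SAMPLE_SUDOERS" | nopasswd_all_users); do
        if printf '%s\n' "$SAMPLE_UNIT" | unit_runs_as "$user"; then
            printf 'FINDING: service runs as %s, who has passwordless sudo to ALL\n' "$user"
            return 0
        fi
    done
    return 1
}

audit_unit
```

The fix the comments describe is visible in the sample itself: change the ubuntu rule to the deploy form (password required) or, better, run the service under its own unprivileged User=.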