
How safe is the Admin Login (Sudo login)?

In 4.2.0 we introduce a new sudo login feature.

It is based on the Template Login method.

If this login scheme has a security breach we have a level 1 security issue because you may then also get the password used in configure and then the server is yours.

We need to conduct a security audit on the sudo login feature.

  • what you are actually pointing out, is that we need a serious security audit of TemplateLogin. If that has issues, sudo does too.

An additional concern is that when you choose your authentication method you have only that one to worry about.

If I choose Apache authentication and - I now have two because the sudo login is a Template login authentication type that uses a password stored in LocalSite.cfg.

If I protect TWiki with Apache mod_ldap all I had to worry about was getting this to work and I could protect configure the same way.

But with the sudo login mod_ldap is not playing any role. It is an additional authentication scheme. THAT concerns me.

In fact I would probably want to disable the sudo login on my office installation. How do I do that?

Security Audit of sudo login.

I would like someone other than the original authors of user mapping code - but still professional programmers - to audit the security of the sudo login code.

I am not a professional programmer so I need help. It has to be someone else that audits the code because as a developer you do not see your own mistakes - no matter how good you are.

We need two that step forward and are willing to spend a couple of hours looking at the code.

How do I disable sudo login?

Can I remove a file or do I have to hack the code?

  • if you're protecting configure using mod_ldap, and specifying that it can only be accessed by people in your admin group, you can 'simply' set the configure password to "". this disables sudo to admin.
  • otherwise, jolly good point, simple fix though.

-- Contributors: KennethLavrsen, SvenDowideit - 22 Sep 2007

Discussion

FYI the original authors are Sven and Crawford.

-- CrawfordCurrie - 22 Sep 2007

funny, i agree with what you write, but i sure hate how you write it, and that you're ignoring the main attack vector on sudo -

TemplateLogin needs an audit, as does the TWiki User, authentication, and permissions code

if those are ok, auditing sudo is useful.

-- SvenDowideit - 22 Sep 2007

I had assumed that TemplateLogin as such was pretty well tested and proven now, but yes, a total safety audit would not be a bad thing. I was triggered to propose this because of a support question raised - SQLVulnerabilityQuestion. I think that 4.1.2 is pretty safe authentication wise.

The sudo login is the new kid on the block and we are close to the 4.2.0 release. So it would be great if someone other than Sven and Crawford could spend maybe 30 - 60 minutes reading the code related to sudo - while thinking like an attacker.

The special situation - and new situation - is that you can now register as a normal user and be authenticated as a normal user. Are there any strange URLs, false cookies, hidden form fields etc etc an attacker could use to elevate his already authenticated state to be an admin mode? Especially the apache auth combined with sudo is new and worth having reviewed by fresh eyes. I have no reason to believe there is a security bug other than the fact that it is a new feature.

-- KennethLavrsen - 23 Sep 2007

Topic revision: r4 - 2007-09-23 - KennethLavrsen
 
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.