Page 259
Elevating Privileges With su and sudo
Linux- and UNIX-based systems have long supported logging in with standard privileges and then elevating them as needed. The classic approach, which is still generally available, is the su (substitute user) binary. Although su can switch to any account whose password the user knows, the default and most common scenario is a sysadmin using su to execute a binary as the privileged root user. The most significant downside of su is that the user must know the password of the account whose privileges are being assumed. This usage pattern therefore requires every user of su to know root's password, which is decidedly suboptimal from a security perspective.
To address the shared root password problem inherent in su, the newer sudo binary can be employed. With sudo, the user simply reverifies their identity by supplying their own account's password, rather than, as with su, the password of the account whose privileges will be exercised.
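A practical consequence of the difference above is what each path leaves in the authentication log: su to root records only who switched, whereas sudo records the user, the target account and the exact command, and also records refused attempts. The following script is an added example, not part of the book; it runs three small extraction functions over constructed auth-log lines (the host name, user names, timestamps and commands are invented for illustration).

```shell
#!/bin/sh
# Added example (not from the book): compare the audit trail left by su and sudo
# by extracting elevation events from constructed syslog-style auth-log lines.

# Constructed sample log lines in the format syslog-based Linux systems typically use.
SAMPLE_LOG='Mar  3 09:12:41 web01 su[2107]: (to root) alice on pts/0
Mar  3 09:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:16:10 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar  3 09:17:30 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id'

# su_to_root_users: print each user who switched to root with su, one per line.
# Note that su does not log which commands were subsequently run as root.
su_to_root_users() {
    printf '%s\n' "$1" | sed -n 's/^.* su\[[0-9]*\]: (to root) \([^ ]*\) on .*$/\1/p'
}

# sudo_commands: print "user command" for every successful sudo invocation.
# Because the user authenticated with their own password, each entry is attributable.
sudo_commands() {
    printf '%s\n' "$1" | sed -n 's/^.* sudo: *\([^ ]*\) : TTY=.* ; COMMAND=\(.*\)$/\1 \2/p'
}

# sudo_denied: print users whose sudo attempt was refused because they are not in sudoers.
sudo_denied() {
    printf '%s\n' "$1" | sed -n 's/^.* sudo: *\([^ ]*\) : user NOT in sudoers.*$/\1/p'
}

# Stand-alone report when the script is run directly.
printf 'su to root by:\n';          su_to_root_users "$SAMPLE_LOG"
printf '\nsudo commands (user command):\n'; sudo_commands "$SAMPLE_LOG"
printf '\nsudo refused for:\n';     sudo_denied "$SAMPLE_LOG"
```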
Managed Service Accounts
Applications frequently need to operate as authenticated, and quite often highly privileged, user accounts. The term service account denotes these application-facing accounts that do not map directly back to an individual. Historically, little distinguished service accounts from typical human-facing user accounts. The phrase managed service accounts indicates that different and more stringent controls are in place to treat these application-facing accounts differently. One of the most significant differences is how passwords are handled for managed service accounts.
Managed service accounts have complex, auto-generated passwords that are automatically maintained. Some implementations can also ensure that the service account can be used only from the system with which the service is associated. Thus, even if the account's credentials are compromised, the impact of abusing them can be limited.