Gartner Blog Network


UNIX Security and the New sudo

by Mark Diodati  |  March 4, 2011  |  Comments Off on UNIX Security and the New sudo

One of the research topics that I am responsible for is UNIX1 security. Very early in my career, I grew to love awk, sed, and the Korn shell. While working out, I listen to Korn, too (That Korn/Korn coincidence never gets old for my sys admin buddies – these pictures are hanging in many enterprise cubicles).

UNIX systems have a root account, and many people typically require access to this account to do their job. We call root a ‘privileged account’ because is it not associated with a single carbon-based life form, and many people use it. The sudo open source utility enables the delegation of root privileges to lesser-privileged users. It’s a way to enable UNIX people to do their job without directly using the root account. The root account “owns” the system and therefore can breach confidential data and cause other mayhem. The sudo utility is good for what it does, but it lacks what UNIX security products provide: practical centralized policy management and auditing, as well as an easier-to use privilege delegation shell. It’s fighting words for some of my buddies (and maybe you); sudo is not up for the task for large scale UNIX security deployments.

But sudo is widely deployed and beloved (particularly in smaller deployments). Quest has been working for at least 18 months with Todd Miller (the sudo project maintainer) to extend sudo. The recently released version (1.8) has enhanced modularity. One use case is an external policy server.

It’s a smart move for Quest, and it is good for enterprises that leverage sudo. It opens up sales opportunities for Quest and other UNIX security vendors (e.g., Novell, CA, Centrify, Cyber-Ark, BeyondTrust [previously Symark], and Fox Technologies) to sell into sudo-centric environments. Quest obviously gets “first mover” advantage. Enterprises will acquire practical centralized policy management without changing the user’s experience. When the time is right, the enterprise can leverage the UNIX security product for its other capabilities.

Recommended reading (subscription required):

Providing a Strong Foundation: The Resurgence of UNIX Security Products

Privileged Account Management: Addressing the Seedy Underbelly of Identity

Markets Colliding: UNIX Security, Active Directory Bridge, and Privileged Account Management

PS: Just before posting this blog entry, I came across a great article from Joe Brockmeier that discusses the new sudo functionality in greater detail.

1 When discussing identity management, the Burton Group/Gartner definition of UNIX includes the classic UNIX variants, Linux, and occasionally Mac OS.

Category: 

Mark Diodati
Research VP
6 years at Gartner
21 years IT industry

Mark Diodati is a Research Vice President with Gartner's IT Professionals research and advisory service. His focus topics include mobility, authentication, cloud idenitity, federation, directory services, provisioning, identity services, Active Directory interoperability, Web access management…Read Full Bio




Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.