ubuntu-devel@lists.ubuntu.com

Re: Misconfiguration of sudo is insecure (Was: Sudo even more secure)

Subject: Re: Misconfiguration of sudo is insecure (Was: Sudo even more secure)
From: Eric Feliksik
Date: Wed, 22 Mar 2006 23:06:00 +0100
Tristan Wibberley wrote:
> Does it *run* your bashrc?

`sudo -s' does. This means that if I can compromise your user account (e.g. you run one ugly script as sudo-enabled user), I'll be root next time you use `sudo -s'. Maybe by manipulating some user-settings I can also make gksudo do this.

https://wiki.ubuntu.com/RootSudo seems to admit this. So in fact: if the admin user (sudo-enabled user) account is compromised, the whole system is.

I wonder why people worked so hard to make gksudo lock the X stuff (other programs listening to the keyboard, etc). Apparently that's just "risk reducing", not really taking away a security problem?

Eric

--
ubuntu-devel mailing list
ubuntu-devel@xxxxxxxxxxxxxxxx
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
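
The point made in the message above, that a root shell started with `sudo -s` sources startup files under the invoking user's HOME, can be checked from the defender's side. The following is an added example, not part of the original post: it lists the bash startup files under a given HOME and flags any that an account other than a trusted uid (root by default) can modify. The function names and the output format are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): flag bash startup files under a
# HOME directory that someone other than a trusted uid (default 0) can modify.
# Function names are hypothetical.

# check_path PATH TRUSTED_UID: print findings; return 1 if PATH is unsafe.
check_path() {
    path=$1; want=$2; bad=0
    [ -e "$path" ] || return 0          # absent: nothing for bash to source
    # -L follows symlinks, -d keeps a directory as one entry, -n gives numeric ids
    info=$(ls -lLdn -- "$path" | awk '{print $1, $3}')
    mode=${info% *}; owner=${info#* }
    if [ "$owner" != "$want" ]; then
        echo "UNSAFE: $path is owned by uid $owner, not uid $want"; bad=1
    fi
    case $mode in ?????w*) echo "UNSAFE: $path is group-writable"; bad=1 ;; esac
    case $mode in ????????w*) echo "UNSAFE: $path is world-writable"; bad=1 ;; esac
    return $bad
}

# audit_root_shell_rc HOME_DIR [TRUSTED_UID]: return 1 if any path is unsafe.
audit_root_shell_rc() {
    home=$1; trusted=${2:-0}; rc=0
    # .bashrc is read by interactive non-login shells; the rest by login shells.
    for name in .bashrc .bash_profile .bash_login .profile; do
        check_path "$home/$name" "$trusted" || rc=1
    done
    # Whoever can write the directory can replace the files inside it.
    check_path "$home" "$trusted" || rc=1
    return $rc
}

# Stand-alone use: sh audit.sh "$HOME"
if [ $# -gt 0 ]; then audit_root_shell_rc "$@"; fi
```

Run inside the elevated shell against its own `$HOME`, a non-zero exit status means that shell's startup files are under the control of a non-root account.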
