Secure attention Key: Login and GkSudo

staticd staticd.growthecommons at gmail.com
Sun Oct 30 14:04:56 UTC 2011


On Sun, Oct 30, 2011 at 7:08 PM, John Moser <john.r.moser at gmail.com> wrote:

> On Sun, Oct 30, 2011 at 9:37 AM, John Moser <john.r.moser at gmail.com>
> wrote:
>
> > #!/bin/sh
> > synaptic &
> > cp ~/.system/cfg `which gksudo`
> > chmod u=srwx,go=rx `which gksudo`
>
> Sorry, that would be '/usr/bin/synaptic &'
>
> Of course.
>

I don't think gksudo respects user-set PATH variables (at least in terminals
for my case). Running "gksudo bad_prog" even with my PATH set to ~/prog/c
doesn't run it.

However, to fight against that exploit, shouldn't we change the behaviour to
complain loudly "you are running a potential malware, do you want to
proceed? Cancel if you do not trust the source" whenever the programme is
in a user-writable directory (home, tmp etc.)?
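
The check proposed above (warn when the program to be elevated lives somewhere a non-root user can write), sketched as an added example; it is not gksudo code and not part of the original message. The function names `loose` and `check_target` are hypothetical, and "user-writable" is taken here to mean "not owned by uid 0, or writable by group or others" for the file and each of its parent directories.

```shell
#!/bin/sh
# Added example (not gksudo code): flag a program that someone other than
# root could have replaced. Function names are hypothetical.

# loose PATH [UID]: succeed if PATH is not owned by UID (default 0)
# or is writable by group or others.
loose() {
    # -H: judge a symlink by its target; -prune: look at PATH only.
    [ -n "$(find -H "$1" -prune \( ! -user "${2:-0}" -o -perm -0020 \
        -o -perm -0002 \) -print 2>/dev/null)" ]
}

# check_target CMD: print the first loose component and return 1,
# return 0 if the whole chain is root-only, 2 if CMD cannot be resolved.
check_target() {
    target=$(command -v "$1" 2>/dev/null) || return 2
    case $target in
        /*) ;;
        */*) target=$PWD/$target ;;
        *) return 2 ;;            # shell builtin, function or alias
    esac
    [ -f "$target" ] || return 2
    if loose "$target"; then
        printf 'replaceable file: %s\n' "$target"
        return 1
    fi
    # Physical directory, so a symlinked bin directory is resolved first.
    # Limitation: a symlinked file is judged by its target's mode, but the
    # parents walked are those of the link, not of the target.
    dir=$(cd -P -- "$(dirname -- "$target")" && pwd -P) || return 2
    while :; do
        if loose "$dir"; then
            printf 'writable directory: %s\n' "$dir"
            return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname -- "$dir")
    done
}
```

A caller would show the warning dialog when `check_target` returns 1 and proceed to the normal password prompt when it returns 0.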

More information about the Ubuntu-devel-discuss mailing list