Re Kubuntu 64bit, several issues

Tristan Wibberley maihem at maihem.org
Sun Aug 14 05:30:49 CDT 2005


Dennis Kaarsemaker wrote:
> On zo, 2005-08-14 at 18:48 +1000, Rod Lovett wrote:
> 
> 
>>So good luck, but hopefully some attitude changes in there
>>Cheers
> 
> 
> You seem to need an attitude change too. Instead of complaining and
> whining, constructive comments are better.
> 
> The sudo discussion has been reiterated 1000 times already, it's not
> about treating users as little children.

Something I'm concerned about with sudo, and this is relevant for su
also: if my user account is compromised, an attacker that gets to run a
program locally through, say, a zlib bug, could alias sudo to grab my
password, unalias sudo, then fail. I would just think I mistyped my
password and try again, where the real sudo (or su) would run and
succeed as normal. In the case of su the attacker would have my root
password (so sudo is slightly better), but in the case of sudo, the
attacker could now run all the administrative programs as root that I
could (which could include synaptic to run malicious software in the
pre-inst of a package at a source added by the attacker). Is there any
way for root to prevent certain things from ever being aliased (and
prevent shells from ever using PATH to find them, and always use a
system-wide path for those programs)?

Also, is there any chance that synaptic could be made to run its sources
list editor via sudo so that could be restricted further? It would be
nice to let my parents install and uninstall any software from sources
that I have set, but not let them change, add, or remove sources.
Actually it would be nice to set much more flexible rules for all sorts
of things in synaptic - but that would be quite a major change to synaptic.

BTW, when I first installed Ubuntu (I think it was the one before hoary,
or hoary), the sudoers file had nothing in it except root ALL=(ALL) ALL
and, I think, a Defaults line. I couldn't find any way to make me able
to run administrative tools except by enabling root login to set up
sudoers. Has this been fixed in Breezy (I'm currently running Breezy)?
If so, how does it now work?

-- 
Tristan Wibberley

Opinions expressed are my own and do not necessarily coincide with those
of my employer, etc.
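
An added example, not part of the original message: a POSIX sh check that reports whether a command name such as sudo or su resolves to an alias, a shell function, or a file outside the system-wide directories, which is the shadowing the message above is worried about. The function names and the TRUSTED_DIRS list are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: classify how this shell would resolve a command name.
# Assumption: TRUSTED_DIRS lists the system-wide directories to accept.
TRUSTED_DIRS="/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin"

# first_in_path NAME PATHSTRING: print the first executable file NAME found.
first_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    set -f                          # no globbing while splitting PATH
    for dir in $2; do
        [ -n "$dir" ] || dir=.      # empty PATH entry means current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs; set +f
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# resolve_kind NAME [PATHSTRING]: print alias, shadowed (function or builtin),
# missing, trusted:<file> or untrusted:<file>.
resolve_kind() {
    name=$1
    if alias "$name" >/dev/null 2>&1; then
        echo alias; return 0
    fi
    # With no alias in play, command -v prints a bare name only for a
    # shell function or builtin; external commands print as a pathname.
    if [ "$(command -v "$name" 2>/dev/null)" = "$name" ]; then
        echo shadowed; return 0
    fi
    found=$(first_in_path "$name" "${2-$PATH}") || { echo missing; return 0; }
    for t in $TRUSTED_DIRS; do
        if [ "${found%/*}" = "$t" ]; then
            echo "trusted:$found"; return 0
        fi
    done
    echo "untrusted:$found"
}

for c in sudo su; do
    printf '%s: %s\n' "$c" "$(resolve_kind "$c")"
done
```

A check run from inside an account that is already compromised can itself be tampered with, so this is a hygiene check on shell startup files and PATH rather than a guarantee.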




More information about the ubuntu-devel mailing list