Re Kubuntu 64bit, several issues

Matt Zimmerman mdz at ubuntu.com
Sun Aug 14 12:28:29 CDT 2005


On Sun, Aug 14, 2005 at 06:05:44PM +0100, Tristan Wibberley wrote:

> Surely when running su and sudo, the console input is protected from
> keylogging?

No.  Consider that if your user account is compromised, you can't even be
sure that you are running su or sudo, and not a trojan.

> Otherwise there is little point to requiring proof that a user running
> sudo synaptic is the real user. That is the point of sudo, I can do my
> normal web browsing on my normal account and trust that an attacker can't
> screw the system (bugs in the kernel or setuid programs excepted), if this
> is not true administration shouldn't be available (or at least not
> recommended) through sudo, you should log out and log into an
> administration account that just has administration functions.

It is a tradeoff; if you prefer to administer your system this way, simply
set a root password and remove yourself from the admins group.

> Which makes me think of something else. The password caching of sudo is
> supposed to be safe because the user that typed the password is expected
> to still be nearby, which only helps when somebody is running sudo from
> the console - if the attacker is running programs over the network a
> cached password lets an attacker do stuff without anybody being able to
> tell and without anything to stop it.

That's why sudo (as configured by default in Ubuntu) only allows the cached
ticket to be used on the same terminal.

> > , combined with a screenscrape to always be able
> > to see *exactly* what you're doing, they can insert in whatever they
> > like ... basically, if someone has your account, you're totally
> > screwed, and there's no way to prevent that.  They have effectively just
> > become you.
> 
> I think that is a big bug. When I type my password at the console for
> sudo or su or gksu, it proves it is me at the keyboard, so input on that
> keyboard can be trusted for a while. That is very different from the
> attacker being me. So they are not the same, and logically something
> *could* be done about it.

See above.

-- 
 - mdz
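
The per-terminal ticket restriction mentioned in the reply above can be audited from a sudoers file. The following is an added example, not part of the original message: a simplified Python check run over constructed sudoers fragments. It assumes the sudoers(5) option names tty_tickets, timestamp_type and timestamp_timeout, none of which are named in the message.

```python
import re

# Constructed sample sudoers fragments (not taken from the message above).
STRICT = """\
Defaults env_reset
Defaults tty_tickets, timestamp_timeout=5
%admin ALL=(ALL) ALL
"""
SHARED = """\
Defaults !tty_tickets          # one ticket for every terminal
Defaults timestamp_timeout=-1  # ticket never expires
Defaults:backup !authenticate  # scoped entry, ignored by this check
"""

# One item of a Defaults list: [!]name[ = value], value optionally quoted.
ITEM = re.compile(r'(!?)(\w+)(?:\s*[+-]?=\s*("[^"]*"|[^,]+))?')

def parse_global_defaults(text):
    """Return {option: value} for unscoped 'Defaults' lines; last one wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: '#' starts a comment
        m = re.match(r"Defaults\s+(.*)", line)
        if not m:
            continue                          # skips Defaults:user, Defaults@host, rules
        for neg, name, value in ITEM.findall(m.group(1)):
            settings[name] = False if neg else (value.strip().strip('"') or True)
    return settings

def ticket_findings(text):
    """Flag settings that widen the reach or lifetime of a cached sudo ticket."""
    s = parse_global_defaults(text)
    findings = []
    if s.get("tty_tickets") is False or s.get("timestamp_type") == "global":
        findings.append("ticket is shared across terminals")
    timeout = s.get("timestamp_timeout")
    if isinstance(timeout, str) and float(timeout) < 0:
        findings.append("ticket never expires")
    return findings

if __name__ == "__main__":
    for label, text in (("strict", STRICT), ("shared", SHARED)):
        print(label, ticket_findings(text) or "per-terminal, expiring ticket")
```

Options left unset fall back to the defaults compiled into the installed sudo, which this check does not try to guess.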



More information about the ubuntu-devel mailing list