Re Kubuntu 64bit, several issues
Daniel Stone
daniel at fooishbar.org
Sun Aug 14 21:37:57 CDT 2005
On Sun, Aug 14, 2005 at 06:05:44PM +0100, Tristan Wibberley wrote:
> Daniel Stone wrote:
> > On Sun, Aug 14, 2005 at 11:30:49AM +0100, Tristan Wibberley wrote:
> >>Something I'm concerned about sudo, and this is relevant for su also. If
> >>my user account is compromised, an attacker that gets to run a program
> >>locally through, say, a zlib bug, could alias sudo to grab my password,
> >>unalias sudo, then fail. [...]
> >
> > If someone has access to your account, then you've already lost. They
> > can keylog everything.
>
> Surely when running su and sudo, the console input is protected from
> keylogging?

How do you 'protect from keylogging'? Surely, if you can detect the
presence of a keylogger, the prudent thing to do is to disable it ...
I'm talking about a Trojan program here, not a feature in the OS that
lets you say 'please keylog sudo now'.

> > , combined with a screenscrape to always be able
> > to see *exactly* what you're doing, they can insert in whatever they
> > like ... basically, if someone has your account, you're totally
> > screwed, and there's no way to prevent that. They have effectively just
> > become you.
>
> I think that is a big bug. When I type my password at the console for
> sudo or su or gksu, it proves it is me at the keyboard, so input on that
> keyboard can be trusted for a while. That is very different from the
> attacker being me. So they are not the same, and logically something
> *could* be done about it.

The computer cannot tell the difference between inputs. It's just a
computer. Once someone has your account, they effectively become you.
That's why we have passwords, rather than the computer saying 'oh, hey
Daniel, what's up?' when I sit down at it.