Re Kubuntu 64bit, several issues

Daniel Stone daniel at fooishbar.org
Sun Aug 14 21:52:05 CDT 2005


On Sun, Aug 14, 2005 at 11:55:49PM +0100, Tristan Wibberley wrote:
> However, my fear in that respect has been
> shown to be unfounded since, once you have run a real system sudo
> binary, the password cannot be snooped.

Assuming you have ultimate trust in your terminal emulator, the 70-odd
shared libraries it currently *directly* depends on, the 17 or so
client-side X libraries that would be involved, etc.

Oh, and did I mention that anyone running as your user has full access
to your X session?  They're listening on the wire for key events, and
watching for the word 'sudo'.

Whoops, suddenly anyone running under your UID has your password.

> Then I think you would need only the terminal emulators (or relevant
> parts thereof) and the X server to be privileged, running as a different
> user, or otherwise unsnoopable.

'Otherwise unsnoopable' is a nice idea, but utterly technically
unfeasible.

As Matt said, you cannot protect yourself from yourself.  And once
someone has access to your account, you are entirely equivalent, as far
as the computer is concerned.



More information about the ubuntu-devel mailing list