gksudo potentially very insecure

Eldo Varghese poningru at ufl.edu
Wed Jul 6 08:52:33 CDT 2005


Wouter Stomp wrote:

>I just noticed today that when I start a program which asks for your
>password in gnome (with gksudo) and then you start another program
>which uses gksudo, you have no idea at all that you have root
>privileges and can do potentially harmful things. At the terminal, the
>timeout setting for sudo is very useful. But then you are aware of
>every command that uses sudo, as you have to type it every time. But in
>Gnome, in the second program you open you have no clue at all that you
>are using it as a superuser. The simplest example in which things can
>go wrong is the following:
>
>1. User opens synaptic, which asks for his password
>2. User wants to open a terminal, but instead he accidentally clicks on
>root terminal, which doesn't ask for a password
>3. Average user doesn't see the difference and doesn't notice 'root'
>at the start of the prompt, and even if he did he most likely doesn't
>know what it means.
>4. And then anything can happen (rm -rf /* or whatever)
>
>At the command line, typing sudo makes you aware you are doing
>something that can be dangerous. In gnome it is having to type your
>password that tells you you are doing potentially dangerous things.
>When not asked for a password, there's no clue left.
>
>The timeout setting is nice and handy, but I think it would be better
>if you get asked for a password whenever you start a new program with
>gksudo. The timeout setting could still be useful when opening the same
>program more than one time.
>
>Wouter
>
>ps. should I file a bug about this? (couldn't find one) or is there a
>reason for doing things this way?
>
Hello all
New to this Mailing List so please pardon any faux pas.  With all this 
discussion about how to show the sudo status & the amount of time left, 
I was wondering why not put an icon in the Notification Area that pops 
up and counts down every time you sudo; towards the end of the timeout 
(last 5 secs or something more appropriate) the icon flashes red every 
sec and beeps (in an unobtrusive way). Just an idea I am throwing out, 
please pick it apart.
- Eldo



