Misconfiguration of sudo is insecure (Was: Sudo even more secure)

Eric Feliksik milouny at gmx.net
Wed Mar 22 22:06:00 GMT 2006

Tristan Wibberley wrote:
> Does it *run* your bashrc?

`sudo -s' does. This means that if I can comprimise your user account 
(e.g. you run one ugly script as sudo-enabled user), I'll be root next 
time you use `sudo -s'. Maybe by manipulating some user-settings I can 
also make gksudo do this.

https://wiki.ubuntu.com/RootSudo seems to admit this. So in fact: if the 
admin user (sudo-enabled user) account is comprimised, the whole system is.

I wonder why people worked so hard to make gksudo lock the X stuff 
(other programs listening to the keyboard, etc). Apparently that's just 
"risk reducing", not really taking away a security problem?


More information about the ubuntu-devel mailing list