Misconfiguration of sudo is insecure (Was: Sudo even more secure)
Eric Feliksik
milouny at gmx.net
Wed Mar 22 22:06:00 GMT 2006
Tristan Wibberley wrote:
> Does it *run* your bashrc?
`sudo -s' does. This means that if I can compromise your user account
(e.g. you run one ugly script as sudo-enabled user), I'll be root next
time you use `sudo -s'. Maybe by manipulating some user-settings I can
also make gksudo do this.
https://wiki.ubuntu.com/RootSudo seems to admit this. So in fact: if the
admin user (sudo-enabled user) account is compromised, the whole system is.
I wonder why people worked so hard to make gksudo lock the X stuff
(other programs listening to the keyboard, etc). Apparently that's just
"risk reducing", not really taking away a security problem?
Eric
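
An added example, not part of the original post: a check an administrator can run before opening a root shell, listing the bash startup files under a home directory that someone other than a trusted uid could modify. The names `audit_rc` and `RC_FILES` are hypothetical, and the script assumes the elevated shell keeps HOME pointing at that directory and that `.bashrc` sources `.bash_aliases`.

```shell
#!/bin/sh
# Added example (not from the original post). Lists bash startup files under a
# home directory that a user other than TRUSTED_UID could modify.
# Assumption: the elevated shell keeps HOME pointing at this directory, so a
# non-login interactive bash sources "$HOME/.bashrc" with root privileges.

# Files checked: .bashrc is read by every interactive non-login bash;
# .bash_aliases is included on the assumption that .bashrc sources it.
RC_FILES=".bashrc .bash_aliases"

# audit_rc HOME_DIR [TRUSTED_UID]
# Prints one line per risky path; returns 1 if any were found, 0 otherwise.
audit_rc() {
    home_dir=$1
    trusted_uid=${2:-0}
    found=0
    for name in $RC_FILES; do
        f="$home_dir/$name"
        [ -e "$f" ] || continue
        # -L follows symlinks so the file that is actually sourced is checked.
        # Risky: owned by someone else, or writable by group or others.
        hit=$(find -L "$f" -prune \
              \( ! -user "$trusted_uid" -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$hit" ]; then
            echo "RISK: $f can be modified by a user other than uid $trusted_uid"
            found=1
        fi
    done
    # The directory matters too: write access to it allows replacing the file.
    hit=$(find -L "$home_dir" -prune \
          \( ! -user "$trusted_uid" -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$hit" ]; then
        echo "RISK: $home_dir can be modified by a user other than uid $trusted_uid"
        found=1
    fi
    return $found
}
```

Run as `audit_rc "$HOME" 0` on an ordinary account, it reports the user-owned `.bashrc`, which is the trust boundary the post describes.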