Lack of informations about the flaw of the use of sudo
Gunnar Hjalmarsson
gunnarhj at ubuntu.com
Thu Sep 22 13:25:52 UTC 2016
Hi Edgard,
Thanks for your comments.
On 2016-09-22 04:04, Edgard Schmidt wrote:
> To summarize, let's say that an attacker can execute arbitrary code
> as a normal non-root desktop user, for example by making use of a
> browser exploit. The attacker could edit the users ".bashrc" file and
> insert the following line:
> alias sudo='bash ~/.malware/fake-sudo.sh'
The use of sudo in Debian/Ubuntu is a replacement for logging in as
root, and doing so wouldn't exactly be more secure, would it? With that
said, nobody claims that the use of sudo eliminates all kinds of risks
for hostile attacks on the parts of the system which only root can
access. If the documentation - contrary to expectation - makes such a
claim somewhere, it should be changed.
I think the link which Conno Boel provided is useful. If you want to
bring your concern to the security team, please send them a note.
> 1. The official documentation and the help wiki should point out
> this issue very plainly.
Don't think so. If this would be considered a threat worth mentioning,
we should not spread the word via the docs. Security issues are
generally kept as private as possible until they have been fixed.
General advice about security aware Ubuntu use already exists. These are
two examples:
https://wiki.ubuntu.com/BasicSecurity
https://help.ubuntu.com/stable/serverguide/security.html
There is always room for improvements, though.
--
Gunnar Hjalmarsson
https://launchpad.net/~gunnarhj
More information about the ubuntu-doc
mailing list