[ec2-beta] document: EC2 Ubuntu sudo Guide

Soren Hansen soren at ubuntu.com
Tue Mar 10 16:40:22 GMT 2009


On Mon, Mar 09, 2009 at 08:44:59AM +1300, Jim Cheetham wrote:
>> Except that 'sudo su' works and that steps right past all the
>> logging.
> No, 'sudo su' (and 'sudo -i' 'sudo -s' 'sudo /bin/sh' etc) all log the
> fact that user became root at a particular time. 

Unless the "sudo -s" is followed by "vi /var/log/auth.log" and the
malicious user removes any trace that this event ever occurred. Or, if
you're doing remote logging, "sudo -s" might be followed by "cp /bin/sh
/home/eve/sh ; chgrp eve /home/eve/sh ; chmod u+s /home/eve/sh" and then
your malicious user has a back door that she can use going forward.

Don't get me wrong. I'm very much in favour of using sudo all over the
place and am happy that Ubuntu has done so for this long. However, it
only really works when in the hands of trusted people.

> Even better, the public machine with the Elastic IP would be the only
> machine capable of receiving connections from the Internet; all the
> others would be talking on the private address space/second interface,
> which only routes traffic within the EC2 space.
> 
> Of course, you still shouldn't trust the population of EC2 machines to
> be any less dangerous than the Internet itself; it's just that there
> are fewer of them, and consequently fewer compromised machines in
> there.

They don't even need to be compromised. Hackers can start EC2 instances,
too. :)

-- 
Soren Hansen                 | 
Lead Virtualisation Engineer | Ubuntu Server Team
Canonical Ltd.               | http://www.ubuntu.com/
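
Added example, not part of the original message or of any Ubuntu tooling: a defender-side audit for the setuid shell copy described above, listing setuid/setgid files under a directory and flagging any that are byte-identical to a system shell. The function names are hypothetical, and the script assumes /etc/shells lists the installed shells.

```shell
#!/bin/sh
# Added example: audit a tree for setuid/setgid files and flag shell copies.
# Function names are hypothetical.

# Print every regular file under DIR ($1) carrying the setuid or setgid bit.
# -xdev keeps the scan on a single filesystem.
find_suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Succeed if FILE ($1) is byte-identical to /bin/sh or to any shell listed in
# /etc/shells (override with SHELLS_FILE). Assumes shell paths have no spaces.
is_shell_copy() {
    for shell in /bin/sh $(grep -v '^#' "${SHELLS_FILE:-/etc/shells}" 2>/dev/null); do
        [ -f "$shell" ] && cmp -s "$shell" "$1" && return 0
    done
    return 1
}

# One line per finding: tag, mode, numeric uid and gid, path.
audit_suid() {
    find_suid_files "$1" | while IFS= read -r f; do
        if is_shell_copy "$f"; then tag=SHELL-COPY; else tag=review; fi
        meta=$(ls -ldn "$f" | awk '{print $1, $3, $4}')
        printf '%s\t%s\t%s\n' "$tag" "$meta" "$f"
    done
}

# Usage: sh audit.sh /home
if [ "$#" -gt 0 ]; then audit_suid "$1"; fi
```

Like the local auth.log, a check that runs on the host can be altered by anyone who already has root there, so its output is only as trustworthy as the people holding sudo. Mounting /home with the nosuid option makes the kernel ignore setuid bits on files stored there.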