sudo without password

Peter Garrett peter.garrett at
Mon Jun 12 22:11:50 UTC 2006

On Mon, 12 Jun 2006 21:48:04 +0200
Alan McKinnon <alan at> wrote:

> > (Something just occurred to me, perhaps someone could put my mind
> > to rest: Sudo only asks for a password once every x number of
> > minutes. Could someone write a trojan that sits there waiting for
> > the user to run sudo, then runs it itself right afterward,
> > bypassing the password prompt?)
> Hmmmm, I think that is very possible:
> 1. user runs a trojan.
> 2. trojan appends itself to .bashrc as a nohup
> 3. trojan waits for sudo. 'ps ax | grep sudo' will do as a first and 
> very crude cut
> 4. ???
> 5. profit!!!
> weak points: the trojan has to run as the user, hence using .bashrc.
> The .bashrc entry is right there in full view

I don't think "Aunt Tillie" inspects ~/.bashrc on a regular basis ;-)

Like any trojan/malware, the perpetrator has to rely on a degree of trust
and ignorance (where ignorance is not intended to mean "stupidity", but
rather a lack of knowledge).

Of course, to affect "Aunt Tillie" the trojan would need to be very easy
to install as well - or come from a compromised "Ubuntu" repository.

[Apologies to all persons or possible relatives named Tillie who might have
PhDs in Computer Science or related subjects ;-) ]



"Hyperlinks subvert hierarchy."

-The Cluetrain Manifesto
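
A defender-side check for the two points raised in this thread, added here as an example and not part of the original posts: it flags shell startup-file lines that launch detached or background processes, and reports the sudo `timestamp_timeout` setting. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). All sample data is constructed.

# scan_rc FILE...: print "file:line:text" for non-comment startup-file lines
# that start a detached or background process (nohup/setsid/disown, trailing &).
scan_rc() {
    for rc in "$@"; do
        [ -r "$rc" ] || continue
        grep -HnE '(^|[[:space:];|(])(nohup|setsid|disown)([[:space:];]|$)|[^&]&[[:space:]]*$' "$rc" \
            | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
    done
}

# cache_timeout FILE...: print the last timestamp_timeout set on a Defaults
# line (sudoers format), or "unset" when sudo's built-in default applies.
cache_timeout() {
    val=$(cat "$@" 2>/dev/null \
        | sed -nE 's/^[[:space:]]*Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*(-?[0-9.]+).*/\1/p' \
        | tail -n 1)
    echo "${val:-unset}"
}

# Constructed sample data: an rc file with one planted background job and a
# sudoers fragment that disables credential caching.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# my aliases' 'alias ll="ls -l"' \
        'nohup "$HOME/.cache/updater" >/dev/null 2>&1 &' \
        '[ -f ~/.bash_aliases ] && . ~/.bash_aliases' > "$d/bashrc"
    printf '%s\n' 'Defaults env_reset' 'Defaults timestamp_timeout=0' > "$d/sudoers"
    scan_rc "$d/bashrc" | sed "s|^$d/||"
    echo "timestamp_timeout=$(cache_timeout "$d/sudoers")"
    rm -rf "$d"
}

demo
```

With `Defaults timestamp_timeout=0` in sudoers, sudo asks for the password on every invocation, and `sudo -k` invalidates a cached credential by hand.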

