sudo without password

ubuntu at rio.vg ubuntu at rio.vg
Mon Jun 12 23:06:56 UTC 2006


Peter Garrett wrote:
> On Mon, 12 Jun 2006 21:48:04 +0200
> Alan McKinnon <alan at linuxholdings.co.za> wrote:
> 
>>> (Something just occurred to me, perhaps someone could put my mind
>>> to rest: Sudo only asks for a password once every x number of
>>> minutes. Could someone write a trojan that sits there waiting for
>>> the user to run sudo, then runs it itself right afterward,
>>> bypassing the password prompt?)
>>
>> Hmmmm, I think that is very possible:
>>
>> 1. user runs a trojan.
>> 2. trojan appends itself to .bashrc as a nohup
>> 3. trojan waits for sudo. 'ps ax | grep sudo' will do as a first and
>> very crude cut
>> 4. ???
>> 5. profit!!!
>>
>> weak points: the trojan has to run as the user, hence using .bashrc.
>> The .bashrc entry is right there in full view
> 
> I don't think "Aunt Tillie" inspects ~/.bashrc on a regular basis ;-)
> 
> Like any trojan/malware, the perpetrator has to rely on a degree of trust
> and ignorance ( where ignorance is not intended to mean "stupidity", but
> rather a lack of knowledge).
> 
> Of course, to affect "Aunt Tillie" the trojan would need to be very easy
> to install as well - or come from a compromised "Ubuntu" repository.
> 

Heck, nobody I know inspects their .bashrc's on every login.  And that's
all it takes.  I'm sure there are better ways of doing this, too, that
aren't as obvious.

As to getting the trojan to run, that's pretty easy.  I seem to recall
one that mass-mailed itself purporting to be pictures of Anna Kournikova.
Infected millions of machines.  Just because someone switches to Linux
doesn't mean they're necessarily going to be savvy enough to spot it.

And then, of course, there are the thousands of stupid downloadables
that I see piled up on Windows machines all the time.  My father, though
he's getting on in years, is reasonably savvy with computers, but his
machine was clogged with adware and spyware to the point where it barely
functioned.  This was mostly from people forwarding things to him that
needed some browser plugin or other to view, which, of course, install
other things right along with them.

Linux users have several advantages: multiple distributions make it
harder to attack, not having the blatantly stupid security holes
like ActiveX, and the repository system keeping signed packages
certainly helps.  That said, one of those special video viewing things
that my father kept falling for could just as easily offer a deb or
rpm.  The user installs the deb/rpm and instant rootkit.

The question is, what do we do about it?  One idea popping around my
head is AppArmor with a "default" profile that would block off the more
sensitive areas of the system, perhaps.  Of course, this would mean that
every proper repository deb/rpm would need its own AppArmor profile,
though they could be set up to be exceedingly generic.  I'm not so sure
it's feasible, though, and would run into significant issues for those
users that do need to install non-repo packages.  The updater systems
would have to be modified so that they wouldn't touch the AppArmor
system for any unsigned packages.  The "default" AppArmor profile would
restrict the programs themselves from modifying the AppArmor profiles,
even if it has root.

The general idea: Any program that isn't signed would be restricted.

It would be awfully tricky from the distribution perspective, but that's
the road we should probably be thinking down: How to stop a malicious
program once it's already on the system...
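The two things the thread relies on can both be audited from the user's side. The script below is an added example and is not code from the thread or from any Ubuntu or sudo project: it reads the `timestamp_timeout` value out of a sudoers file to show how long sudo will keep a typed password valid (the window the described trojan waits for), and it scans a shell startup file for lines that put a command into the background, the `.bashrc` hook the posters describe. It assumes a POSIX sh with awk; the sudoers fragments and the `.bashrc` are constructed samples, and the 5-minute figure is sudo's assumed compiled-in default (distributions may build in a different value).

```shell
#!/bin/sh
# Added example (not from the thread): audit the two things the posters rely on.
#   1. How long sudo caches a successful password (sudoers timestamp_timeout).
#   2. Whether a shell startup file launches background jobs, the persistence
#      step described for the trojan.
# Assumes POSIX sh + awk. All input files below are constructed samples.

# Print the timestamp_timeout set in a sudoers file, or the assumed compiled-in
# default of 5 minutes (stock sudo; distributions may build in another value).
# Per-user/host "Defaults:user" / "Defaults@host" lines are treated as global.
sudo_cache_minutes() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*Defaults/ {
            line = $0
            sub(/^[ \t]*Defaults[^ \t]*[ \t]+/, "", line)
            n = split(line, opts, ",")
            for (i = 1; i <= n; i++) {
                opt = opts[i]
                gsub(/[ \t]/, "", opt)
                if (opt ~ /^timestamp_timeout=/) {
                    sub(/^timestamp_timeout=/, "", opt)
                    val = opt            # later Defaults lines override earlier ones
                }
            }
        }
        END { print (val == "" ? 5 : val) }
    ' "$1"
}

# Classify the window a same-user background process gets to run sudo
# without a prompt after the user has typed their password once.
sudo_piggyback_risk() {
    minutes=$(sudo_cache_minutes "$1")
    case "$minutes" in
        0)  echo "prompt-always" ;;            # no window at all
        -*) echo "cached-forever" ;;           # negative value: ticket never expires
        *)  echo "cached-${minutes}m" ;;
    esac
}

# List non-comment lines in a startup file that put a command in the
# background (nohup ..., or a trailing &), the hook the thread describes.
startup_background_jobs() {
    awk '
        /^[ \t]*#/ { next }
        /(^|[ \t;(])nohup[ \t]/ || /&[ \t]*(#.*)?$/ {
            print FILENAME ":" NR ": " $0
        }
    ' "$1"
}

# --- constructed samples ---------------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

printf '%s\n' \
    '# weak: nothing set, so the default caching window applies' \
    'Defaults env_reset' \
    'root ALL=(ALL) ALL' > "$tmp/sudoers.weak"

printf '%s\n' \
    '# hardened: always ask for the password' \
    'Defaults env_reset, timestamp_timeout = 0, tty_tickets' \
    'root ALL=(ALL) ALL' > "$tmp/sudoers.hard"

# A .bashrc in the shape the thread describes: the usual lines plus one
# appended nohup'd job (hypothetical path, constructed for the example).
printf '%s\n' \
    'alias ll="ls -l"' \
    'export PATH="$HOME/bin:$PATH"' \
    'nohup "$HOME/.cache/.updater" >/dev/null 2>&1 &' > "$tmp/bashrc"

for f in "$tmp/sudoers.weak" "$tmp/sudoers.hard"; do
    echo "$f: $(sudo_piggyback_risk "$f")"
done
startup_background_jobs "$tmp/bashrc"
```

The hardened fragment also turns on `tty_tickets`, but that alone would not stop the trojan the thread describes: a job started from the user's own login shell shares that shell's controlling terminal and session, so it presents the same ticket. Only `timestamp_timeout=0` (or running `sudo -k` after each use) removes the window, at the cost of a password prompt every time.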
