sudo without password

Alan McKinnon alan at linuxholdings.co.za
Tue Jun 13 22:52:10 UTC 2006


On Tuesday 13 June 2006 02:09, Florian Diesch wrote:
> Alan McKinnon <alan at linuxholdings.co.za> wrote:

> > Which raises the question: what _will_ work? I believe this
> > question needs some attention and a solution now, before the
> > malware problem hits Linux in a big way (which it surely will).
>
> As long as Windows is such an easy target I don't think this will
> happen.
>
> And malware needs critical bugs that aren't fixed for some time or
> a bad user interface design that makes it easy to fool the user
> about what's happening or make him ignore warnings. In both cases
> Ubuntu is much better than Windows.

Agreed, but Ubuntu is not immune to this either. What started 
this off was a question about whether a trojan could watch for the user 
running sudo, then piggyback on it while the ticket was still valid. 
Now, I'm all for strong walls, but I'd like additional defenses if a 
trojan does get through.

Or put another way, the magic dwarf doors keep the 800 pound cave 
troll out of Moria, but IF it does get through the door via the air 
shaft I'd like a bit more firepower to hand than just Aragorn's sword.

> > We know that popup dialogs ala ZoneAlarm are better than nothing,
> > but
>
> IMHO they are much worse than nothing as they interrupt people's
> work and teach them to click on everything that's not fast enough
> to go away.
>
> Most normal users just don't have the knowledge to decide whether a
> program should be allowed to open a network connection or listen to
> incoming connections so they just say "Yes".
>
> If your system is infected by malware it's too late. The way to go
> is to prevent the infection.

I hear your logic but I think it's faulty. No defense is impenetrable, 
and if it is penetrated, many users won't know about it. Additional 
effort expended to contain possible damage once the defenses are 
breached is a good thing imho.
>
> > are easy to ignore. We know that Ubuntu can easily install a
> > well-configured system suitable for a desktop, but the Achilles
> > heel is stuff installed afterwards.
>
> People should know that it may be dangerous to install stuff from
> obscure sources. They should know that most of the software they
> want is available from their distribution.

Requiring that is like asking them to take ZoneAlarm seriously and 
read all the dialogs forevermore. You can't have it both ways, if 
they ignore the firewall they will ignore your warnings about not 
installing trusted programs. If their friend Joe sends them a trojan 
in an email, they will install it. Why? Because Joe is 
*trusted* therefore the software he sent must be trusted, right?

Us geeks find this hard to grok, as the user makes assumptions that we 
think are idiotic. I talked to a bunch of users once about this and 
realized that very few of them had ever considered that the computer 
could be running trojan code in the background. Their viewpoint: "How 
can the computer possibly be sending out 10,000 spam emails a day? I 
didn't click on anything that sends mail!"


-- 
If only me, you and dead people understand hex, 
how many people understand hex?

Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
