[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sudo security Was: Reporting missing package during install

Bob Proulx writes:
 > Right.  Because normal users can't change the system time.  

Sorry, wrong. With 'folk ALL=(ALL) ALL', user folk can run as root ANY
program including 'date -s'. Or at least 'sudo bash', and then live
happy with a shell executed with the root id.

If your /etc/sudoers contains 'yourusername ALL=(ALL) ALL' try running

sudo date 20000101

and feel younger ;)

 > If they
 > could other attacks would also be possible.

Since they can change the date...

-- 
 /\           ___                                    Ubuntu: ancient
/___/\_|_|\_|__|___Gian Uberto Lauri_____               African word
  //--\| | \|  |   Integralista GNUslamico            meaning "I can
\/                 coltivatore diretto di software       not install
     già sistemista a tempo (altrui) perso...                Debian"

Warning: gnome-config-daemon considered more dangerous than GOTO
Reply to: