
Re: sudo security Was: Reporting missing package during install



On Wed, Dec 11, 2013 at 5:39 PM, Gian Uberto Lauri <saint@eng.it> wrote:
> [...]
> Maybe I failed to express that I am not completely against sudo, there
> are several good sudo usages and even "caching" the authentication has
> its very legitimate uses, and the -k and -K flags help a lot in this,
> even if some kind of "start caching now" option could be nice...
> Something to work on...

Well, I'm beginning to see that what has you worried is that I might
use sudo and then wander off to the facilities without issuing a sudo
-K. And then the ninjas sneak into my house while I'm occupied with
something else and use the cached credentials to give themselves a
login name and password.

I'll admit that my son could be used as a substitute for a ninja in
such a scenario. But then, it would be easier for the attacker to talk
him into dropping a renamed keylogger on my desktop than to talk him
into dropping a script on my desktop and running it with sudo. The
keylogger postpones the result, but the probability of success is
greater.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

