Re: sudo security Was: Reporting missing package during install
Joel Rees writes:
> On Wed, Dec 11, 2013 at 5:39 PM, Gian Uberto Lauri <saint@eng.it> wrote:
> > [...]
> > Maybe I failed expressing that I am not completely against sudo, there
> > are several good sudo usages and even "caching" the authentication has
> > its very legitimate uses, and the -k and -K flags help a lot in this,
> > even if some kind of "start caching now" option could be nice...
> > Something to work on...
>
> Well, I'm beginning to see that what has you worried is that I might
> use sudo and then wander off to the facilities without issuing a sudo
> -K. And then the ninjas
Ninja code! Non ninja person.
> I'll admit that my son could be used as a substitute for a ninja in
> such a scenario. But then, it would be easier for the attacker to talk
> him into dropping a renamed keylogger on my desktop than to talk him
> into dropping a script on my desktop and running it with sudo. The
> keylogger postpones the result, but the probability of success is
> greater.
If you do use only code from the official repository you could be
reasonably safe (even if there is a reaction time between the attack
and Debian response, and in that time you could fall victim to the
attack).
But if someone is lured into running some code... Or something nasty
slips into a not-this-controlled repository?
I am thinking about code that seems useful and innocent, and maybe
does useful and innocent work too.
And then it taints your environment. Does an extra line with blank(s)
in your .profile worry you?
Ah, differently from the keylogger, this attack is automatic and more
suitable for a "massive capture of zombies" than logging the
passwords.
--
/\ ___ Ubuntu: ancient
/___/\_|_|\_|__|___Gian Uberto Lauri_____ African word
//--\| | \| | Integralista GNUslamico meaning "I can
\/ coltivatore diretto di software not install
già sistemista a tempo (altrui) perso... Debian"
Warning: gnome-config-daemon considered more dangerous than GOTO