Re: If you care about debian's security read this
>>>>> "Gustavo" == Gustavo Noronha Silva <kov@debian.org> writes:
Gustavo> this is my sudoers line:
Gustavo> kov ALL = (root) NOPASSWD: /usr/sbin/chroot, /usr/sbin/pbuilder, PASSWD: /usr/bin/apt-get
Gustavo> it means that 'kov' from ALL hosts = allowed to run as
Gustavo> root without being asked for a password commands chroot,
Gustavo> pbuilder and is allowed to run as root after being asked
Gustavo> *kov's* password the program apt-get
Gustavo> so, notice that sudo never asks the root password and
Gustavo> with that sudoers line my user cannot run /bin/sh
Cynically, I'd say "true, unless one of those programs has an
exploitable buffer overrun, which is somewhat possible since often
enough the programmer thinks it won't be run by a non-root user as
root anyway, so why bother with the complexity of overrun protection,
since if root runs it he's already root". But that's beside the
point, of course, isn't it?
Gustavo> now, for gnome-sudo to run your user needs to be able to
Gustavo> run /usr/lib/gnome-sudo/gnome-sudo-helper with the
Gustavo> "target user" (root, in this case)
Gustavo> but gnome-sudo-helper is a script that calls any command
Gustavo> you ask it to... so having it on /etc/sudoers is the same
Gustavo> as making /bin/sh setuid... or replacing the user's uid
Gustavo> with '0'... as Joey Hess said it is easier to run gnome
Gustavo> as root if you are to use gnome-sudo
Great. What school's computers is this installed on? (And wait
until I reprogram the keyboards! SAK won't do squat.)
Gustavo> I guess that when an admin installs a package it wants it
Gustavo> to work, if it comes from Debian the admin may blindly
Gustavo> trust the package and open that root hole
Yes, Trust Us.
Gustavo> I strongly recommend that you use xsu instead... it is
Gustavo> not a root hole...
(rhetorical) I wonder why they wrote gnome-sudo if there's already an
"xsu"?
--
mailto: (Karl M. Hegbloom) karlheg@microsharp.com
Free the Software http://www.debian.org/social_contract
http://www.microsharp.com
phone://USA/WA/360-260-2066
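
Added example, not part of the original message or of sudo: a small auditor for the kind of sudoers rule quoted above. It applies the PASSWD/NOPASSWD tag inheritance that the quoted line relies on and flags any entry that is a command-running wrapper. The `COMMAND_RUNNERS` set, the function names and `HELPER_LINE` are assumptions made for illustration.

```python
import re

# Assumption: programs that run whatever command they are handed. Both paths
# come from the thread; the set itself is a site-maintained list, not sudo's.
COMMAND_RUNNERS = {"/bin/sh", "/usr/lib/gnome-sudo/gnome-sudo-helper"}

RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD):\s*")

KOV_LINE = ("kov ALL = (root) NOPASSWD: /usr/sbin/chroot, /usr/sbin/pbuilder, "
            "PASSWD: /usr/bin/apt-get")                      # from the thread
HELPER_LINE = "kov ALL = (root) /usr/lib/gnome-sudo/gnome-sudo-helper"  # constructed


def parse_rule(line):
    """Return (user, runas, [(command, needs_password), ...]) for one rule.

    Covers a single runas group and the PASSWD/NOPASSWD tags; aliases,
    continuations and escaped commas are out of scope.
    """
    m = RULE.match(line.strip())
    if not m:
        raise ValueError("not a simple user rule: %r" % line)
    user, _host, runas, cmds = m.groups()
    needs_password = True              # sudo's default when no tag is given
    entries = []
    for item in cmds.split(","):
        item = item.strip()
        if not item:
            continue
        tag = TAG.match(item)
        if tag:                        # a tag also applies to later commands
            needs_password = tag.group(1) == "PASSWD"
            item = item[tag.end():]
        entries.append((item, needs_password))
    return user, runas or "root", entries


def audit(line, runners=COMMAND_RUNNERS):
    """List (path, runas, needs_password) for entries equal to unrestricted access."""
    _user, runas, entries = parse_rule(line)
    return [(cmd.split()[0], runas, pw) for cmd, pw in entries
            if cmd.split()[0] in runners or cmd == "ALL"]


if __name__ == "__main__":
    for rule in (KOV_LINE, HELPER_LINE):
        print(parse_rule(rule), "->", audit(rule) or "no listed runner")
```

An empty result only means that no path from the supplied list appears in the rule, so the check is only as complete as that list.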