Hi, On 2021-08-12 2:25 a.m., Brian Thompson wrote: > On Thu, 2021-08-12 at 11:19 +0500, Andrey Rahmatullin wrote: >> On Thu, Aug 12, 2021 at 01:12:37AM -0500, Brian Thompson wrote: >>> Would you agree that there is an issue with sudo access that is >>> enabled >>> by default on most Debian and Debian-based distributions? The bug >>> may >>> not be in apt, but it definitely lives somewhere. >> Do you think "sudo access" itself is a "privilege escalation attack"? > > I do not. I think that the possibility of dangerously configured sudo > access is a vulnerability. > So this is not a *privilege escalation attack* but more a warning to all user that "using sudo can be used to do stuff as root" ? We are so lucky that someone wrote a article on the subject and you shared it with us. But this is not a privilege escalation attack, it's something that is planned and known. 1. Read apt documentation, it is said that script will be executed as root. 2. Read sudo documentation, it is said that allowing user access to some program as root should be as limited as possible. 3. Read sudo documentation, the goal is allowing to run a root. Now if people start doing stuff they don't master than it's not privilege escalation but much more something like another manifestation of human stupidity. And this, there won't be a number of article sufficient to make people change. If I'd have apt access under sudo and would like root access, this would be the last method I'd use. There's so many more, starting by modifying a existing package and adding a backdoor to it, the updating the system. Adding SSH keys, adding a line to sudoers, etc. This is only a article made to get people onto a website and see publicity or whatever goal the author set. There's nothing genuine in there. -- Polyna-Maude R.-Summerside -Be smart, Be wise, Support opensource development
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature