
Re: Debian package manager privilege escalation attack



On 2021-08-12 12:23, Polyna-Maude Racicot-Summerside wrote:
> Now if people start doing stuff they don't master then it's not
> privilege escalation but much more something like another manifestation
> of human stupidity. And this, there won't be a number of articles
> sufficient to make people change.
> [...]
> This is only an article made to get people onto a website and see
> publicity or whatever goal the author set. There's nothing genuine in there.

I think it's less about human stupidity than about all the knowledge you need to acquire (and retain) to securely administer a system. It is not easy. The concern expressed here is pretty much common knowledge among sysadmins of ye olde times. Of course you can abuse this, and yes, it got easier recently. The boundary that sudo provides is very blurry, hard to understand and full of footguns. People need to come up with better boundaries - or in this case they might already exist. Basically you need to be able to validate the request and execute it in a secure environment. In basically every shared environment people come up with some way to allow package installation, but it's not easy to find the right instructions on how to do this properly on Debian[1]. I'm not aware of a well-trodden path for maintaining a system where users do not need root. Throw in some reluctance to deal with "newfangled things" (to establish new, maybe controversial boundaries) and you end up with everyone fighting for themselves.

Now of course there's value in people having this knowledge and companies should recognize this value. But from communication and awareness we learn, no?

Kind regards
Philipp Kern

[1] E.g. thinking of https://debian-handbook.info/browse/stable/
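The message above says the real need is to validate a package-install request and then execute it in a controlled environment, rather than handing users a sudo rule for the package manager itself. The following is an added illustration, not code from this thread, from Debian or from apt: a small wrapper of the kind one might put behind sudo instead of `/usr/bin/apt-get`. The wrapper name `install-pkg`, the `%devs` group, the sudoers line quoted in the docstring and the allowlist contents are assumptions made for the example. The package-name rule it enforces is the one from Debian Policy 5.6.1.

```python
"""Constrained package-install wrapper (illustrative example, not Debian's).

Assumed deployment (not from the mailing-list thread): sudo is configured
to run this wrapper, not apt-get itself, e.g.

    %devs ALL=(root) NOPASSWD: /usr/local/sbin/install-pkg

A rule that grants /usr/bin/apt-get directly lets the caller pass any
apt option (-o ...), so it is not a useful privilege boundary.
"""
import re
import subprocess
import sys

# Debian Policy 5.6.1: lowercase letters, digits, '+', '-', '.', at least
# two characters, first character alphanumeric.
PACKAGE_NAME = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")

# Constructed allowlist for this example; a real deployment would read it
# from a root-owned file the requesting user cannot write.
ALLOWED = frozenset({"htop", "tmux", "git", "libssl-dev"})


class RejectedRequest(ValueError):
    """Raised when a request does not pass validation."""


def validate_request(args, allowed=ALLOWED):
    """Return the validated, de-duplicated package names or raise.

    Every check runs before any privileged action:
      * the request must not be empty
      * each token must look like a package name; this alone rules out
        options ('-o', '--'), paths ('./x.deb') and version pins ('pkg=1.0')
      * each token must be on the allowlist
    """
    if not args:
        raise RejectedRequest("no packages requested")
    pkgs = []
    for token in args:
        if not PACKAGE_NAME.match(token):
            raise RejectedRequest(f"not a valid package name: {token!r}")
        if token not in allowed:
            raise RejectedRequest(f"not on the allowlist: {token}")
        pkgs.append(token)
    return sorted(set(pkgs))


def build_command(pkgs):
    """Fixed argv: the caller controls nothing but the package names.

    '--' ends option parsing so no later token is read as a flag, and the
    binary is given by absolute path so PATH lookup plays no role.
    """
    return ["/usr/bin/apt-get", "install", "--no-install-recommends",
            "-y", "--"] + list(pkgs)


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    try:
        pkgs = validate_request(argv)
    except RejectedRequest as exc:
        print(f"install-pkg: rejected: {exc}", file=sys.stderr)
        return 2
    # Fixed environment: variables from the caller, such as APT_CONFIG
    # (which apt honours to pick its configuration file), never reach
    # the privileged child.
    env = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin",
           "DEBIAN_FRONTEND": "noninteractive"}
    return subprocess.run(build_command(pkgs), env=env, check=False).returncode


if __name__ == "__main__":
    sys.exit(main())
```

The point of the wrapper is that the only thing the requesting user can influence is the list of package names, and each of those must pass a syntactic check and an allowlist before apt-get runs as root. Whether that is an adequate boundary for a given site depends on what the allowlisted packages' maintainer scripts do, which is exactly the kind of knowledge the message above says an administrator has to acquire.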

