On Wed, Apr 30, 2003 at 12:59:13AM -0500, Jesse Meyer wrote:
> On Tue, 29 Apr 2003, Travis Crump wrote:
> > Personally, I am constantly logged in as root on vt3 and almost never
> > use 'su'. I think it was someone on this list that made me irrationally
> > paranoid that someone[somehow[remember I freely admit that it is an
> > irrational fear]] will run a keystroke logger on my X session and pick
> > up my root password if I use su. And if I were able to use sudo to do
> > the kind of things that I use root for, then so can an attacker.[it
> > scares me to think of how many computers: sudo 'echo "Yes, do as I say!"
> > | apt-get remove --purge libc6' : would work with and even without a
> > normal user password].
>
> Argh, paranoia! It's infectious.
>
> *quickly runs to his terminal*
>
> Okay, after a few tests, it seems that sudo by itself won't let any
> normal redirections through, so I'm assuming that your complaint is with
> the people who configure sudo in such a way that their non-root user can
> run a variety of insecure packages, especially without a password.
>
> OTOH, even with some tests (not using echo though), I don't believe
> pipes will work if passed to sudo. Even plain '' or "" quotes won't
> work for sudos. From my output:
>
> [dasunt@pong:~]$ sudo 'apt-get update'
> sudo: apt-get update: command not found
> [dasunt@pong:~]$ sudo "apt-get update"
> sudo: apt-get update: command not found
> [dasunt@pong:~]$ sudo apt-get update
> Hit http://www.tux.org woody/main Packages
> [ ...snip rest ]
> [dasunt@pong:~]$ sudo apt-get update|whoami
> dasunt
>
> Was this an older bug, or a misconfiguration bug that you speak of?

Did you try

$ sudo sh -c 'echo "Yes, do as I say!" | apt-get remove --purge libc6'

? (I didn't; just thinking out loud :-)

-- 
Nathan Norman - Incanus Networking mailto:nnorman@incanus.net
Warning: dates in calendar are closer than they appear.
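Whether the `sudo sh -c '...'` form suggested in the reply runs at all depends on the sudoers policy, which is the configuration concern raised in the quoted message. The following is an added example, not part of the original thread: a small audit that flags rules granting `ALL` or a shell binary, with and without `NOPASSWD`. It assumes simple one-line rules (no aliases, includes or line continuations); the sample policy and its user names are constructed.

```shell
#!/bin/sh
# Added example: flag sudoers rules that would let `sudo sh -c '...'` run.
# Narrowed to one-line user specs; aliases, includes and continuations are skipped.

# Constructed sample policy (user names and rules are made up).
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not from a real host
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/sh
deploy  ALL=(root) NOPASSWD: /usr/bin/apt-get update
alice   ALL=(ALL) NOPASSWD: ALL
EOF
}

# Reads sudoers text on stdin; prints "<who> <password|nopasswd> <command>"
# for every rule that grants ALL or a shell binary.
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ { next }                         # comments, blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }    # settings and aliases
    {
        eq = index($0, "=")
        if (eq == 0) next
        who = $1
        spec = substr($0, eq + 1)
        # Simplification: a NOPASSWD tag anywhere marks the whole line.
        auth = (spec ~ /NOPASSWD:/) ? "nopasswd" : "password"
        gsub(/\([^)]*\)/, "", spec)    # drop the (runas) list
        gsub(/[A-Z]+:/, "", spec)      # drop tags such as NOPASSWD:
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            cmd = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", cmd)
            split(cmd, words, /[ \t]+/)
            path = words[1]
            # ALL or a shell means the pipe inside sh -c runs as root.
            if (path == "ALL" || path ~ /\/(sh|bash|dash|zsh|ksh|csh|tcsh)$/)
                print who, auth, path
        }
    }'
}

sample_sudoers | audit_sudoers
```

The `deploy` rule, limited to `apt-get update`, is not flagged: under it, `sudo sh -c` is refused by the policy.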