On Wed, 30 Apr 2003, Colin Watson wrote:

> > > Okay, after a few tests, it seems that sudo by itself won't let any
> > > normal redirections through, so I'm assuming that your complaint is with
> > > the people who configure sudo in such a way that their non-root user can
> > > run a variety of insecure packages, especially without a password.
> > >
> >
> > Did you try
> >
> > $ sudo sh -c 'echo "Yes, do as I say!" | apt-get remove --purge libc6'
> >
> > ? (I didn't; just thinking out loud :-)
>
> Or, alternatively, this would "work":
>
> echo "Yes, do as I say!" | sudo apt-get remove --purge libc6

From my output:

[dasunt@pong:~]$ sudo -k
[dasunt@pong:~]$ echo "Yes, do as I say" | sudo apt-get remove --purge abcd
Password:
[dasunt@pong:~]$ sudo sh -c 'echo "Yes, do as I say!" | apt-get remove --purge abcd'
Password:
[dasunt@pong:~]$ sudo sh -c 'echo "Yes, do as I say!" | whoami'
Sorry, user dasunt is not allowed to execute '/bin/sh -c echo "Yes, do as I say!" | whoami' as root on localhost.

Now, in my output, as long as I don't have a password already "remembered" by sudo, these commands fail.

I suppose that having a password remembered by sudo (believe it's a configurable option) would be more secure...

Of course, if a password is remembered by sudo, a simple sudo apt-get --purge remove libc6 would work as well. :)

--
...crying "Tekeli-li! Tekeli-li!"... ~ HPL
icq : 34583382 | === ascii ribbon campaign ===
msn : dasunt@hotmail.com | () - against html mail
yim : tsunad | /\ - against proprietary attachments
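Added example, not part of the original message and not sudo's own code: a small audit that lists the sudoers settings deciding whether the commands tried in this thread would prompt for a password (credential caching via `timestamp_timeout`, `NOPASSWD` rules, and rules that permit a shell). The sample sudoers text, the users in it and the function name `audit_sudoers` are constructed for illustration; parsing is simplified and does not expand aliases or follow include files.

```python
import re

# Constructed sample sudoers content; users and rules are illustrative only.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults timestamp_timeout=15
alice ALL=(ALL) NOPASSWD: /usr/bin/apt-get
bob ALL=(root) /bin/sh, /usr/bin/whoami
carol ALL=(root) /usr/bin/apt-get update
%admin ALL=(ALL) ALL
"""

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
TIMEOUT_RE = re.compile(r"Defaults\b.*\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)")

def audit_sudoers(text):
    """Return (line_number, note) pairs; line 0 means 'whole file'."""
    notes, timeout_set = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # comments and #include lines are skipped
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            timeout_set = True
            if float(m.group(1)) != 0:          # 0 = always prompt; negative = never expire
                notes.append((no, f"timestamp_timeout={m.group(1)}: credentials are cached"))
            continue
        if re.match(r"(Defaults|\w+_Alias)\b", line) or "=" not in line:
            continue                            # other Defaults and alias definitions
        who, spec = line.split(None, 1)[0], line.split("=", 1)[1]
        if "NOPASSWD:" in spec:
            notes.append((no, f"{who}: NOPASSWD, no prompt even with an empty cache"))
        spec = re.sub(r"\([^)]*\)|\b[A-Z_]+:", " ", spec)   # drop runas lists and tags
        for cmd in (c.split()[0] for c in spec.split(",") if c.strip()):
            if cmd == "ALL":
                notes.append((no, f"{who}: ALL commands, which includes shells"))
            elif cmd.rsplit("/", 1)[-1] in SHELLS:
                notes.append((no, f"{who}: may run {cmd}, so 'sh -c' pipelines run as root"))
    if not timeout_set:
        notes.append((0, "timestamp_timeout not set: sudo's built-in default applies"))
    return notes

if __name__ == "__main__":
    for no, note in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {no}: {note}")
```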