On Wed, 30 Apr 2003, Colin Watson wrote:
> > > Okay, after a few tests, it seems that sudo by itself won't let any
> > > normal redirections through, so I'm assuming that your complaint is with
> > > the people who configure sudo in such a way that their non-root user can
> > > run a variety of insecure packages, especially without a password.
> > >
> > Did you try
> >
> > $ sudo sh -c 'echo "Yes, do as I say!" | apt-get remove --purge libc6'
> >
> > ? (I didn't; just thinking out loud :-)
>
> Or, alternatively, this would "work":
>
> echo "Yes, do as I say!" | sudo apt-get remove --purge libc6
From my output:
[dasunt@pong:~]$ sudo -k
[dasunt@pong:~]$ echo "Yes, do as I say" | sudo apt-get remove --purge abcd
Password:
[dasunt@pong:~]$ sudo sh -c 'echo "Yes, do as I say!" | apt-get remove --purge abcd'
Password:
[dasunt@pong:~]$ sudo sh -c 'echo "Yes, do as I say!" | whoami'
Sorry, user dasunt is not allowed to execute '/bin/sh -c echo "Yes, do as I say!" | whoami' as root on localhost.
Now, if my output, as long as I don't have a password already "remembered" by
sudo, these commands fail. I suppose that having a password remembered by sudo (believe its a configurable option) would be more secure...
Of course, if a password is remembered by sudo, a simple sudo apt-get --purge remove libc6 would work as well. :)
--
...crying "Tekeli-li! Tekeli-li!"... ~ HPL
icq : 34583382 | === ascii ribbon campaign ===
msn : dasunt@hotmail.com | () - against html mail
yim : tsunad | /\ - against proprietary attachments
Attachment:
pgpU8WGIqwBpx.pgp
Description: PGP signature