
Re: init 3 does nothing



On Tue, Oct 31, 2000 at 06:17:17PM +0100, Peter Hugosson-Miller wrote:
> sounds interesting to any other newbies, just do the following:
> 
> $su
> Password:
> lynx -source http://go-gnome.com/ | sh 

this is the most horrifying thing i have ever seen suggested.  this is
even worse than Microsoft's famous mail client.  

how much do you trust your DNS servers?

how sure are you that that is the right URL?  wouldn't a case of
`typosquatting' be interesting here?  

how sure are you that all the routers between you and that server are
legit?  are there any compromised squid proxies along the line?  

(some of these could also be said for using http with apt-get, but
still downloading packages and executing arbitrary shell code as root
right off a web site are two very different things IMO)

see BugTraq archives for other more detailed explanations why this is
the most evil thing since sliced Outlook.  they even suggest
configuring firewalls to block such things.  

if you're still interested in using such methods i recommend you set
your root password null and add this line to your /etc/inetd.conf and
run /etc/init.d/inetd reload:

telnet    stream  tcp     nowait  root    /bin/sh       sh -i

note to anyone who actually installs that inetd line, please stop
using computers immediately!!!  if you really want to continue using
computers then by all means hire someone reputable to admin your
machine, you should NOT know the root password!

</rant>

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
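
The risks listed in the message above (DNS, a mistyped URL, an intermediate proxy) all come from executing bytes as they arrive. The shell functions below are an added example, not part of the original post: they take an installer that has already been saved to a file, check it against a SHA-256 digest, and run it only if it matches. The function names and the out-of-band digest channel are assumptions.

```shell
#!/bin/sh
# Added example: verify a saved installer before running it, instead of `lynx -source URL | sh`.
# Assumption: the publisher gives you a SHA-256 digest over a separate channel
# (signed mail, printed docs); a digest fetched from the same server proves nothing.

# Print the SHA-256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if FILE exists and hashes to EXPECTED (hex, any case).
verify_installer() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
}

# Run FILE with sh only after it verifies; never as a pipe from the network.
run_verified() {
    verify_installer "$1" "$2" || return $?
    sh "$1"
}

# Constructed demo: a local stand-in for a downloaded installer, then the same
# file with one line appended, as a modified copy would arrive.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'echo "installing"\n' > "$dir/install.sh"
    pinned=$(sha256_of "$dir/install.sh")   # stands in for the out-of-band digest
    ok=0; run_verified "$dir/install.sh" "$pinned" || ok=$?
    printf 'echo "extra command"\n' >> "$dir/install.sh"
    bad=0; run_verified "$dir/install.sh" "$pinned" || bad=$?
    rm -rf "$dir"
    echo "untampered=$ok tampered=$bad"
}

demo
```

Saving to a file also lets you read the script before it runs, and nothing here requires root until you have decided the installer needs it.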
