On Tue, 29 Apr 2003, Travis Crump wrote: > Personally, I am constantly logged in as root on vt3 and almost never > use 'su'. I think it was someone on this list that made me irrationally > paranoid that someone[somehow[remember I freely admit that it is an > irrational fear]] will run a keystroke logger on my X session and pick > up my root password if I use su. And if I were able to use sudo to do > the kind of things that I use root for, than so can an attacker.[it > scares me to think of how many computers: sudo 'echo "Yes, do as I say!" > | apt-get remove --purge libc6' : would work with and even without a > normal user password]. Argh, paranoia! Its infectious. *quickly runs to his terminal* Okay, after a few tests, it seems that sudo by itself won't let any normal redirections through, so I'm assuming that your complaint is with the people who configure sudo in such a way that their non-root user can run a variety of insecure packages, especially without a password. OTOH, even with some tests (not using echo though), I don't believe pipes will work if passed to sudo. Even plain '' or "" quotes won't work for sudos. From my outut: [dasunt@pong:~]$ sudo 'apt-get update' sudo: apt-get update: command not found [dasunt@pong:~]$ sudo "apt-get update" sudo: apt-get update: command not found [dasunt@pong:~]$ sudo apt-get update Hit http://www.tux.org woody/main Packages [ ...snip rest ] [dasunt@pong:~]$ sudo apt-get update|whoami dasunt Was this an older bug, or a misconfiguration bug that you speak of? Speaking of irrational paranoia, just wait until someone hijacks your session on vt3! -- ...crying "Tekeli-li! Tekeli-li!"... ~ HPL icq : 34583382 | === ascii ribbon campaign === msn : dasunt@hotmail.com | () - against html mail yim : tsunad | /\ - against proprietary attachments
Attachment:
pgpuOGTYpYeUH.pgp
Description: PGP signature