Re: Is this why you shouldn't log in as root?
On Wed, Apr 30, 2003 at 02:16:34AM -0500, Nathan E Norman wrote:
> On Wed, Apr 30, 2003 at 12:59:13AM -0500, Jesse Meyer wrote:
> > On Tue, 29 Apr 2003, Travis Crump wrote:
> > > Personally, I am constantly logged in as root on vt3 and almost never
> > > use 'su'. I think it was someone on this list that made me irrationally
> > > paranoid that someone[somehow[remember I freely admit that it is an
> > > irrational fear]] will run a keystroke logger on my X session and pick
> > > up my root password if I use su. And if I were able to use sudo to do
> > > the kind of things that I use root for, then so can an attacker.[it
> > > scares me to think of how many computers: sudo 'echo "Yes, do as I say!"
> > > | apt-get remove --purge libc6' : would work with and even without a
> > > normal user password].
[...]
> > Okay, after a few tests, it seems that sudo by itself won't let any
> > normal redirections through, so I'm assuming that your complaint is with
> > the people who configure sudo in such a way that their non-root user can
> > run a variety of insecure packages, especially without a password.
> >
> > OTOH, even with some tests (not using echo though), I don't believe
> > pipes will work if passed to sudo. Even plain '' or "" quotes won't
> > work for sudos. From my output:
[...]
> Did you try
>
> $ sudo sh -c 'echo "Yes, do as I say!" | apt-get remove --purge libc6'
>
> ? (I didn't; just thinking out loud :-)

Or, alternatively, this would "work":

  echo "Yes, do as I say!" | sudo apt-get remove --purge libc6

Cheers,

--
Colin Watson [cjwatson@flatline.org.uk]
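
An added illustration, not part of any message in this thread: the three command lines discussed above, handed to a hypothetical stand-in `fake_sudo` that executes nothing and only reports the arguments and stdin it receives. It shows that the invoking shell, not sudo, decides where the pipe applies. The function names are assumptions made for this example.

```shell
#!/bin/sh
# fake_sudo is a hypothetical stand-in for sudo. It runs NO command; it only
# reports the argument vector and stdin that the calling shell gave it.
fake_sudo() {
    input=$(cat)    # whatever the calling shell connected to stdin
    printf 'argc=%d' "$#"
    for arg in "$@"; do printf ' [%s]' "$arg"; done
    printf ' stdin=[%s]\n' "$input"
}

# Form 1: the whole pipeline quoted as one word. The stand-in gets a single
# argument; real sudo would treat that entire string as the command name,
# so no pipe is ever set up.
case_quoted() {
    fake_sudo 'echo "Yes, do as I say!" | apt-get remove --purge libc6' </dev/null
}

# Form 2: the pipeline is handed to a shell via "sh -c". The string arrives
# intact as the third argument; a shell started by sudo would then parse the
# pipe itself, with both sides running as the target user.
case_sh_c() {
    fake_sudo sh -c 'echo "Yes, do as I say!" | apt-get remove --purge libc6' </dev/null
}

# Form 3: the pipe is outside. The invoking (unprivileged) shell builds the
# pipe; the stand-in sees only the package command plus the answer on stdin.
case_outer_pipe() {
    echo "Yes, do as I say!" | fake_sudo apt-get remove --purge libc6
}

for form in case_quoted case_sh_c case_outer_pipe; do
    printf '%s: ' "$form"
    "$form"
done
```

Only the second and third forms deliver the confirmation text to a privileged process, which is why a sudoers rule that permits a shell or a package tool matters more than how the command line is quoted.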