On Sun, May 22, 2022 at 03:32:22PM -0400, The Wanderer wrote: > On 2022-05-22 at 14:53, Charles Kroeger wrote: > > >> There is no silver bullet that makes your system secure. > > > > I get a login shell with $su --login > > > > I don't have sudo installed > > > > is there something heretical about that, I should know? > > Not heretical, but - if something has compromised your user environment, > it could have replaced the command 'su' with a function which captures > the password you type [...] Less antagonistic, but also of practical importance -- sudo lets you acquire usage patterns which improve your chances to not fat-finger things. As others have said, sudo can be subverted (nearly) as easily as su can. IOW, if someone has control of your execution environment and if you can reach privilege escalation from there, all bets are up. [...] > (The old story about hacking the source of gcc to detect when it's > compiling /bin/login and insert a backdoor, and to detect when it's > compiling gcc and insert code to make it do both of these > detect-and-insert operations [...] That would be Ken Thompson's 1983 Turing Award lecture [1]. Much recommended. But not all is lost. David A. Wheeler (a free software and Linux regular, BTW) has taken on this [2]. Here's Bruce Schneier on Wheeler's paper [3]. Cheers ]1] https://dl.acm.org/doi/10.1145/358198.358210 [2] https://dwheeler.com/trusting-trust/ [3] https://www.schneier.com/blog/archives/2006/01/countering_trus.html -- tomás
Attachment:
signature.asc
Description: PGP signature