Ralf Mardorf writes:
> http://www.paritynews.com/2013/03/05/762/sudo-authentication-bypass-vulnerability-emerges/

The attack described in the post is the kind of hijack I thought about.

> But note! The Chaos Computer Club does publish howtos using sudo on
> Linux: http://muc.ccc.de/uberbus:ubd
>
> I don't think the Chaos Computer Club folks would write a howto using
> sudo, if sudo would be a security risk.

First of all, sudo itself is not the problem (or else I would not use it): it is how you *USE* it, and this includes *CONFIGURING* it.

If you give "Universa Universis Sudo Libertas"[*] - that is, 'username ALL=(ALL) ALL' - then the attacker will have unlimited freedom. If your configuration limits the use of sudo, then the attacker's opportunities will be limited too.

Using sudo as in the howto you quote requires all the commands used to be permitted by the policies in /etc/sudoers. (Actually the tutorial seems to suggest the 'username ALL=(ALL) ALL' sudo configuration.)

If I were an attacker using the credential hijack, I would be more than happy to have "cp" available for use with sudo. May I suggest:

    cp /etc/shadow .
    vi shadow              (do some nasty thing)
    cp shadow /etc/shadow

Note: this is an example of a non-stealthy attack. A stealthy attack would replace a sensitive binary without even changing its timestamp.

([*] sorry folks, could not resist paraphrasing my university motto, which means "Complete freedom on all things in Padua")

-- 
Gian Uberto Lauri
GNUslamic fundamentalist, self-employed software farmer,
formerly a sysadmin in (other people's) spare time...
Ubuntu: ancient African word meaning "I cannot install Debian"

Warning: gnome-config-daemon considered more dangerous than GOTO

Archive: http://lists.debian.org/21161.32488.405284.351...@mail.eng.it
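The point above is that the damage an attacker can do with a hijacked sudo credential is bounded by the sudoers policy, not by sudo itself. The following sudoers fragment is an added illustration, not part of the original message or of the CCC howto: it puts the unlimited rule the post criticises next to a restricted one. The user name "alice" and the specific commands in the alias are assumed for the example; pick the commands your own task actually needs.

```sudoers
# Unlimited rule: any command, as any user, on any host.  Once an attacker
# holds alice's password (or reuses her cached sudo ticket), this is root.
alice   ALL=(ALL) ALL

# Restricted rule: only the commands the task needs, with fixed arguments,
# run as root on this host.  (Commands assumed for the example.)
Cmnd_Alias SERVICE_CTL = /usr/sbin/service nginx restart, \
                         /usr/sbin/service nginx reload
alice   ALL=(root) SERVICE_CTL

# Editing a config file: sudoedit copies the file, runs the editor as alice,
# and copies it back, so a shell escape from the editor does not yield root.
alice   ALL=(root) sudoedit /etc/nginx/nginx.conf

# Looks narrow, but is still root: cp overwrites /etc/shadow or any binary,
# exactly as the message above shows.  Do not grant file-copy tools this way.
# alice ALL=(root) /bin/cp

# The hijack in the linked article reuses a cached ticket; with no caching
# sudo asks for the password on every invocation.
Defaults:alice  timestamp_timeout=0
```

Check the file with `visudo -c` before installing it (a syntax error in /etc/sudoers locks everyone out of sudo), and review the effective policy for a user with `sudo -l -U alice`. The useful question to ask of each command in the list is the one the post asks of cp: can it read or write a file, or start a program, that a root-equivalent attacker would want to touch?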