On Fri, Jun 14, 2013 at 3:48 AM, Νικόλαος Κούρας <supp...@superhost.gr> wrote:
> On 13/6/2013 8:27 μμ, Zero Piraeus wrote:
>>
>> :
>>
>>> But I am not offering Steven full root access, but restricted user level
>>> access. Are you implying that for example one could elevate his
>>> privileges
>>> to root level access from within a normal restricted user account?
>>
>>
>> I am implying that your demonstrated lack of ability means that *you
>> don't know* what Steven or anyone else could do with user-level
>> access. Elsewhere on this list, you've been shown that you're
>> publishing database passwords to the whole world in plaintext. Who
>> knows what other mistakes you've made? Who knows how
>> $STRANGER_YOU_TRUST_THIS_WEEK could exploit your (proven to be
>> insecure) setup if they had a mind to?
>>
>>> I trust him.
>
>
> You are right, but I still believe Steven would not act maliciously in the
> server. He proved himself very helpful already.

You thought that about me, too. (And you were still correct. I did not act maliciously, I just didn't do what you thought I'd do.) By the time you know what someone will do with your server, it is too late. And remember, I made it really obvious what I'd done; someone else may well not.

Oh, and as to privilege escalation... there have been exploits found in various applications, but the biggest one *ever* is the social attack. It'd be VERY easy for Steven to get access, put a file in his home directory, ask you to run it as root, and give himself full access. And how would you know what that script does?

You are incompetent at managing a Linux system. You would be compromised faster than an unpatched XP.

ChrisA