| 1 |
On 04/18/10 11:02, Jonathan wrote: |
| 2 |
> On Sun, 18 Apr 2010 08:29:37 +1000 |
| 3 |
> Lie Ryan <lie.1296@×××××.com> wrote: |
| 4 |
> |
| 5 |
>> sudoedit is mainly just a shortcut for "sudo $EDITOR" (plus doing a |
| 6 |
>> few things). |
| 7 |
> |
| 8 |
> sudoedit is safer then sudo because sudoedit runs as root but nano |
| 9 |
> (The editor) runs as your user. |
| 10 |
> sudoedit uses a fixed path which is compiled into the program |
| 11 |
|
| 12 |
Yes, that's the "few things" part, sudoedit does solves a couple of |
| 13 |
security issues that you'd have if you start editor manually, probably |
| 14 |
calling it "just a shortcut" is too much undermining. |
| 15 |
|
| 16 |
>> Everything above (su,sudo,policykit,polkit) are just sugar for |
| 17 |
>> permission bits (owner,group,others+SUID,GUID); attempting to give |
| 18 |
>> finer control over the permissions or provide convenience services. |
| 19 |
> |
| 20 |
> Mess up the configuration and you may as well hand out the root |
| 21 |
> password. |
| 22 |
|
| 23 |
They're much better than manual management though, which is unless |
| 24 |
you're forty-two security wizard in one body you will get it wrong. |
| 25 |
|
| 26 |
>> Most security holes in Linux comes from a SUID program that lets |
| 27 |
>> untrusted programs into the "trusted-space". |
| 28 |
> |
| 29 |
> 53 SUID or GUID programs on my system! |
| 30 |
> Why does cdrecord have SUID set? |
| 31 |
|
| 32 |
No idea. |
| 33 |
|
| 34 |
>> I found sudo, although very handy for desktop, is a huge security |
| 35 |
>> hole. And is inadequate for any secure system. This is simply |
| 36 |
>> because if you run a program as sudo, then in the next five minute |
| 37 |
>> you start a malicious program *without* sudo; the malicious program |
| 38 |
>> can gain root access by stealing your previous sudo's timestamp |
| 39 |
>> (yes, it can steal the timestamp without being explicitly invoked |
| 40 |
>> with sudo[1]). Before running a potentially untrusted program, you |
| 41 |
>> must explicitly kill your sudo timestamp with `sudo -k` or set sudo |
| 42 |
>> to not use timestamp. Better yet, don't use sudo on secure systems. |
| 43 |
> |
| 44 |
> Wow... I never thought about that. I run sudo on my system 4 to 6 |
| 45 |
>> times a day if not more. Can tell me the setting please. |
| 46 |
|
| 47 |
Setting for the timeout? See `man sudoers` and look at |
| 48 |
timestamp_timeout. Setting for allowing program to steal timestamp? |
| 49 |
Don't worry, it's already default. |
| 50 |
|
| 51 |
> I had a quick look at man pages and Gentoo docs but I did not see it. |
| 52 |
> Gentoo sudo guide [1] could use a update about this. it was right |
| 53 |
> under my nose but I missed it... |
| 54 |
> |
| 55 |
> If some leaves they PC for 5 mins you could run |
| 56 |
> "nano ~/.bashrc" and add "export PATH=/home/user/.bin:$PATH" |
| 57 |
> then make a file called "sudo" write something to nick the password |
| 58 |
> and by it on to sudo and then clean up after it self. |
| 59 |
|
| 60 |
I believe the developers of `sudo` considered security against malicious |
| 61 |
people with physical access to the computer is out of their scope. |
| 62 |
Problem is, that means malicious people only need to trick a sudoers |
| 63 |
into running a piece of complex code and say "you're not running my |
| 64 |
script with sudo, so the script can't do no harm to system". |
| 65 |
|
| 66 |
When I first used sudo, I thought by invoking sudo for trusted program |
| 67 |
only and omitting sudo for everything else and thought the system would |
| 68 |
be secure. That's a false sense of security. As long as you're a |
| 69 |
root-sudoers, all program you run can gain root access any time they |
| 70 |
need to. They just need to daemonize and poll every few minutes for an |
| 71 |
updated timestamp. |
| 72 |
|
| 73 |
> Just for fun I did that to one of my terminal tabs, with the script |
| 74 |
> running "echo HAHA!". |
| 75 |
|
| 76 |
I once written a script that have this in the first line: |
| 77 |
|
| 78 |
if [ $UID != 0 ]; then |
| 79 |
sudo $0 |
| 80 |
quit |
| 81 |
fi |
| 82 |
# do business that requires root |
| 83 |
|
| 84 |
the script runs without asking password if I still have active timestamp |
| 85 |
from running another program. How convenient! (and makes me shivers) |
Archives