❦ 12 August 2021 11:38 +05, Andrey Rahmatullin:

>> >> I just ran across this article
>> >> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
>> >> the attacks on Debian 11 and they work successfully giving me a root
>> >> shell prompt.
>> > I don't think calling this "privilege escalation" or "attack" is correct.
>> > The premise of the post is "the user should not be a root/admin user but
>> > has been assigned sudo permissions to run the package manager" and one
>> > doesn't really need a long article to prove that it's not secure.
>>
>> I think the article is interesting nonetheless. Some people may think
>> that granting sudo on apt is OK.
> Some people may think granting sudo to vim is OK, but we need to educate
> in general that some programs can run other programs, and so restricted
> sudo is not as restricted as it sounds.

That's the point of the article, isn't it? Your example is how I got
fast-forwarded admin when I was at school/uni. So, it's unlikely to
change.
-- 
Habit is habit, and not to be flung out of the window by any man, but coaxed
down-stairs a step at a time.
		-- Mark Twain, "Pudd'nhead Wilson's Calendar"