Le 29/07/2015 16:35, a...@gulbrandsen.priv.no a écrit :
Every last problem of sudo is taken seriously? Did you know that if
someone has limited access, e.g. the right to install standard
packages, then it is easy to leverage that to get complete access.
Various packages run programs in $PATH as root, Firefox comes to mind,
so just prepare $PATH and sudo apt-get install firefox.
Sudo leaves the user's $PATH and the rest is just a matter of finding
the right exploit.
Was open for years, may still be open.
Arnt
I don't understand the preventions against sudo. It is just up to
the administrator to take care, like for everything.
Wether execution of the command is allowed by sudo, by a setuid bit
or by policykit does not change the result. Sudo is simply the most
versatile method to allow/disallow actions, IMHO far easier to configure
than policykit. Don't forget that allowed commands may (should) be
specified with their absolute path, therefore bypassing PATH. It is
better than having a specialized daemon for this and that, because it
keeps everything configured in one well known file.
In the case of mounting usb sticks, this applies to a personal
computer, where the owner is also the administrator. For conveniency, a
limited list of actions may be allowed without password, like mounting a
usb key.
Didier
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
