On 04/18/10 11:02, Jonathan wrote:
> On Sun, 18 Apr 2010 08:29:37 +1000
> Lie Ryan <lie.1...@gmail.com> wrote:
>
>> sudoedit is mainly just a shortcut for "sudo $EDITOR" (plus doing a
>> few things).
>
> sudoedit is safer than sudo because sudoedit runs as root but nano
> (the editor) runs as your user.
> sudoedit uses a fixed path which is compiled into the program

Yes, that's the "few things" part; sudoedit does solve a couple of
security issues that you'd have if you started the editor manually.
Probably calling it "just a shortcut" is understating it too much.

>> Everything above (su, sudo, policykit, polkit) is just sugar for
>> permission bits (owner, group, others + SUID, GUID); attempting to give
>> finer control over the permissions or provide convenience services.
>
> Mess up the configuration and you may as well hand out the root
> password.

They're much better than manual management though, which, unless
you're forty-two security wizards in one body, you will get wrong.

>> Most security holes in Linux come from a SUID program that lets
>> untrusted programs into the "trusted space".
>
> 53 SUID or GUID programs on my system!
> Why does cdrecord have SUID set? No idea.

>> I found sudo, although very handy for desktop, is a huge security
>> hole, and is inadequate for any secure system. This is simply
>> because if you run a program with sudo, then in the next five minutes
>> you start a malicious program *without* sudo, the malicious program
>> can gain root access by stealing your previous sudo's timestamp
>> (yes, it can steal the timestamp without being explicitly invoked
>> with sudo [1]). Before running a potentially untrusted program, you
>> must explicitly kill your sudo timestamp with `sudo -k` or set sudo
>> to not use a timestamp. Better yet, don't use sudo on secure systems.
>
> Wow... I never thought about that. I run sudo on my system 4 to 6
> times a day if not more. Can you tell me the setting please?

Setting for the timeout? See `man sudoers` and look at timestamp_timeout.
Setting for allowing a program to steal the timestamp? Don't worry, it's
already the default.

> I had a quick look at man pages and Gentoo docs but I did not see it.
> The Gentoo sudo guide [1] could use an update about this. It was right
> under my nose but I missed it...
>
> If someone leaves their PC for 5 mins you could run
> "nano ~/.bashrc" and add "export PATH=/home/user/.bin:$PATH",
> then make a file called "sudo", write something to nick the password
> and pass it on to sudo, and then clean up after itself.

I believe the developers of `sudo` considered security against
malicious people with physical access to the computer to be out of
their scope. Problem is, that means malicious people only need to trick
a sudoer into running a piece of complex code and say "you're not
running my script with sudo, so the script can't do any harm to the
system". When I first used sudo, I thought that by invoking sudo for
trusted programs only and omitting sudo for everything else the system
would be secure. That's a false sense of security. As long as you're a
root sudoer, every program you run can gain root access any time it
needs to. It just needs to daemonize and poll every few minutes for an
updated timestamp.

> Just for fun I did that to one of my terminal tabs, with the script
> running "echo HAHA!".

I once wrote a script that has this in its first lines:

    if [ $UID != 0 ]; then
        # re-run ourselves through sudo, then stop the unprivileged copy
        sudo "$0" "$@"
        exit
    fi
    # do business that requires root

The script runs without asking for a password if I still have an active
timestamp from running another program. How convenient! (and it makes
me shiver)
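As an added example (not from this thread or from the sudo project), the check below reads a sudoers file and reports whether the credential caching discussed above, governed by the timestamp_timeout setting the message points at, is still enabled. It assumes the setting appears as a plain "Defaults timestamp_timeout=N" line and that the compiled-in default of 5 minutes applies when no such line exists; the three sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a sudoers file for the credential
# caching that lets a later, unprivileged process ride on an earlier sudo.
# Assumes settings appear as plain "Defaults timestamp_timeout=N" lines.

# Print the effective timestamp_timeout in minutes, reading sudoers on stdin.
# sudo's compiled-in default is 5 when no Defaults line sets it; the last
# matching line wins, as in sudoers itself. Comments are stripped first.
sudoers_timestamp_timeout() {
    val=$(sed 's/#.*//' | awk '
        /^[ \t]*Defaults/ && /timestamp_timeout/ {
            sub(/.*timestamp_timeout[ \t]*=[ \t]*/, "")
            sub(/[ \t,].*/, "")
            v = $0
        }
        END { print v }')
    if [ -n "$val" ]; then echo "$val"; else echo 5; fi
}

# "weak": cached credentials stay usable by anything run as this user for
# the timeout (the scenario in the thread); "ok": timeout 0, every sudo asks.
sudoers_cache_verdict() {
    if [ "$(sudoers_timestamp_timeout)" = "0" ]; then echo ok; else echo weak; fi
}

# Constructed sample configurations for the demonstration.
STOCK_SUDOERS='Defaults env_reset
%wheel ALL=(ALL) ALL'                   # nothing set: falls back to 5
WEAK_SUDOERS='Defaults env_reset
Defaults timestamp_timeout=15   # cache for 15 minutes
%wheel ALL=(ALL) ALL'
HARD_SUDOERS='Defaults env_reset
Defaults timestamp_timeout=0    # never cache; same effect as sudo -k after every use
%wheel ALL=(ALL) ALL'

for name in STOCK WEAK HARD; do
    eval "cfg=\$${name}_SUDOERS"
    printf '%s: timeout=%s verdict=%s\n' "$name" \
        "$(printf '%s\n' "$cfg" | sudoers_timestamp_timeout)" \
        "$(printf '%s\n' "$cfg" | sudoers_cache_verdict)"
done
```

Newer sudo releases also scope the cached credential to the terminal it was obtained on (tty_tickets), which narrows the window but does not close it for a background process sharing the same tty, so the timeout is still the setting to check.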