On Thu, Feb 03, 2005 at 03:07:44PM -0800, Stewart Stremler wrote:
> begin quoting Lan Barnes as of Thu, Feb 03, 2005 at 01:07:19PM -0800:
> > > Stewart Stremler wrote:
> > >
> > > >-Stewart "chmod a+x virus.sh ; mv virus.sh coolstuff.runme" Stremler
> >
> > And coolstuff.runme will, at best, run as user apache, so tell me again
> > how it owns the box.
>
> No, it'll run as Aunt Tillie.
>
> If there are any *local exploits*, it can try for those, but that's
> not necessary.
>
> Which means it has access to her email address book and email archive,
> which gives it a target population to try to infect. Access to your
> data is sufficient to be a cause of concern.
>

As much as I feel Aunt Tillie's pain at having all her personal stuff, pr0n and what have you compromised, this thread was started in response to a web site that claims that *nix OSs are by far the most insecure on the basis of reported attacks (I might respond that most windoze users don't have the vigilance to know when their doorknob is being rattled), and _I_ said that they weren't taking into account the relative seriousness of the possible exploits. I stand by that statement.

Say I offer you two cars. One has frequent problems with the windshield washer, and the other suffers occasional brake failure w/o warning. Which are you gonna take? Windshield washer? ... brakes? -- it's a toughie. Which would you pick for Aunt Tillie?

> It has access to her startup-scripts, which means it can install its
> own shell that looks exactly like her current shell, except that
> certain events can be intercepted, such as calls to su or sudo.
>
> Should Aunt Tillie try to install some software, the system will
> ask her for the root password, or she'll invoke sudo or su to
> become root.
>

She won't, and you shouldn't let her.

> And our little virus then gains root access, and is in.
>
> It really comes down to this: if I sent you a binary file and told
> you to run it, would you? Now, consider some of your MSWindows-using
> friends or relatives... if you sent them a binary file to them and
> told them to run it, how many of them would run it?
>
> And that's the crux of the users-are-the-problem argument.
>

No argument. I completely agree. I'm baffled by people who click on "Hey, lookit the neked pitures my asian girrrlfrnd" links. Don't they know why god invented credit cards?

--
Lan Barnes [EMAIL PROTECTED]
Linux Guy, SCM Specialist 858-354-0616

--
KPLUG-List mailing list
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
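
The startup-script tampering described in the quoted text above (a replacement shell, or intercepted calls to su or sudo) leaves lines in the user's startup files that a defender can look for. The following is an added example, not part of the original thread: a heuristic POSIX shell check that flags alias, function and exec lines in a startup file for review. The function names, patterns and the sample file with its /tmp paths are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: heuristic review of a shell startup file for redefinitions
# of su/sudo or a replaced shell. A clean result does not prove a clean account.

# Extended regexes; each hit is a line for a human to review, not a verdict.
PAT_ALIAS='^[[:space:]]*alias[[:space:]]+(su|sudo)='
PAT_FUNC='^[[:space:]]*(function[[:space:]]+)?(su|sudo)[[:space:]]*(\(\)|\{)'
PAT_EXEC='^[[:space:]]*exec[[:space:]]'

# scan_startup_file FILE
# Prints "FILE:LINE:REASON:TEXT" per hit; returns 1 if anything was flagged.
scan_startup_file() {
    file=$1
    hits=0
    [ -r "$file" ] || return 0
    for spec in "alias:$PAT_ALIAS" "function:$PAT_FUNC" "exec:$PAT_EXEC"; do
        reason=${spec%%:*}      # text before the first colon
        pattern=${spec#*:}      # everything after the first colon
        out=$(grep -nE "$pattern" "$file" |
            while IFS=: read -r n text; do
                printf '%s:%s:%s:%s\n' "$file" "$n" "$reason" "$text"
            done)
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            hits=1
        fi
    done
    return "$hits"
}

# Constructed sample (hypothetical paths) exercising each heuristic.
make_sample() {
    cat > "$1" <<'EOF'
# ~/.bashrc (constructed sample)
export EDITOR=vi
alias ll='ls -l'
alias sudo='/tmp/example-wrapper'
su() { /tmp/example-wrapper "$@"; }
exec /tmp/example-shell
EOF
}

sample=$(mktemp)
make_sample "$sample"
scan_startup_file "$sample" || echo "flagged lines above need review"
rm -f "$sample"
```

An exec line is often legitimate (switching login shells, starting a session), so it is flagged for review rather than treated as a finding on its own.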
