On Monday 26 December 2005 22:12, J.C. Roberts wrote:
> On Mon, 26 Dec 2005 11:39:22 -0500, Dave Feustel
> <[EMAIL PROTECTED]> wrote:
>
> >Don't use sudo in any konsole session.
>
> Dave,
>
> I don't think you're nuts but the fear mongering without providing any
> proof or details of a compromise is questionable at best.
>
> If you really were compromised while running OpenBSD, you aren't the
> first and probably won't be the last. As for leaving a terminal window
> open with root privs, sudo or su, it has *always* been a bad idea:

I never run root any more. Just long enough to install, add a user or two, and set up sudo. I have added a large number of packages and also compiled and installed other software not in the OpenBSD package collection. So I may have introduced a few holes at the user level myself. I have constantly been looking for signs of changes only possible via root. So far I have almost been able to convince myself that the intruder is doing whatever with my user privileges only. I am prepared to reinstall OpenBSD from scratch without Xorg and KDE if I become convinced that root access has been compromised. My respect for OpenBSD's security has increased substantially during the past few days.

I think the security problems I am experiencing are in Xorg and KDE sockets. Rm'ing all the files in /tmp and Tmp (I have TMPDIR=/home/daf/Tmp) and then exiting and restarting KDE seems to disable the intruder temporarily. There also is some problem with DCOPserver, but again, restarting KDE seems to fix that.

> http://seclists.org/lists/bugtraq/2002/May/0294.html
>
> As you can see from what happened to Dug Song and monkey.org, the
> problem may not be konsole itself, instead, your sudo-enabled konsole
> session could have been taken over via an exploit in some other
> application you are running.

I'm not familiar with what happened to Dug Song. The problem with using sudo in a Konsole session is that either the sudo password may be captured for use in a subsequent login, or (and I don't know whether this is possible) an eavesdropper might inject sudo commands during the 5-minute window that sudo remains enabled. The remedy for this is to always switch back to your login console when typing in passwords and using sudo, since the login console is secure. This is possible by executing startkde &.

This problem exists because the kde pty allocation program shipped with KDE was not ported to OpenBSD, the result being that all the OpenBSD [pt]typ's allocated to konsole sessions by KDE are root-owned and world rw. There is also a problem with the socket /tmp/.X11-unix/X0. This is documented on the web and even in an OpenBSD presentation on XFree86 from about 2002.

> jcr

I have learned a lot about OpenBSD, Xorg and KDE in the last week dealing with this problem. If I weren't an OpenBSD diehard before, I certainly am now.

Dave Feustel
--
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"
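The mail above describes two things a local user can check for: pseudo-terminals handed to a konsole session that end up root-owned and world read/write (so anything typed into them, a sudo password included, is readable by every local user), and a world-writable X socket at /tmp/.X11-unix/X0. The script below is an added example, not part of the original mail or of KDE or OpenBSD; it audits the tty of the current session and the X socket from their `ls -l` lines, and the sample lines in the usage note are constructed. It flags a tty that is not owned by the logged-in user or that is readable or writable by "other"; the group-write bit for group `tty` is the conventional setting used by write(1) and is deliberately not flagged.

```sh
#!/bin/sh
# Added example (not from the original mail): audit the tty of the current
# login session and the X11 socket for the misconfiguration described in the
# thread, i.e. a root-owned, world-rw pseudo-terminal or a world-writable
# /tmp/.X11-unix/X0.

# audit_line LS_LINE [EXPECTED_OWNER]
# Prints "SAFE <path> (<owner> <mode>)" or "UNSAFE <path> (<owner> <mode>)"
# for one line of `ls -l` output. The verdict is UNSAFE when "other" can read
# or write the node, or when EXPECTED_OWNER is given and does not match.
# A readable tty exposes every keystroke typed into it, which is why read by
# "other" is treated as seriously as write.
audit_line() {
    line="$1"
    expected_owner="$2"
    set -- $line                      # split the ls -l line into fields
    mode="$1"
    owner="$3"
    eval "path=\${$#}"                # the path is the last field
    others=$(printf '%s' "$mode" | cut -c8-10)   # rwx bits for "other"
    verdict=SAFE
    case "$others" in
        *r*|*w*) verdict=UNSAFE ;;
    esac
    if [ -n "$expected_owner" ] && [ "$owner" != "$expected_owner" ]; then
        verdict=UNSAFE
    fi
    printf '%s %s (%s %s)\n' "$verdict" "$path" "$owner" "$mode"
}

# audit_session: live check of the caller's own tty (only when attached to a
# terminal) and of the X socket if one exists. The X socket is normally
# root-owned, so only its "other" permission bits are examined.
audit_session() {
    me=$(id -un)
    if [ -t 0 ]; then
        audit_line "$(ls -l "$(tty)")" "$me"
    fi
    if [ -S /tmp/.X11-unix/X0 ]; then
        audit_line "$(ls -l /tmp/.X11-unix/X0)" ""
    fi
}

audit_session
```

Run it from the konsole session in question: a line such as `UNSAFE /dev/ttyp1 (root crw-rw-rw-)` is the condition the mail describes, while `SAFE /dev/ttyp2 (daf crw--w----)` is the ownership and mode a login tty normally has on OpenBSD. The check only reads `ls -l` output, so it can also be pointed at a saved listing by calling `audit_line` directly.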

