[Bug 324674] Re: ***core system*** UNIX level bug

2009-02-03 Thread Marc Deslauriers
Thanks for reporting this issue, but the fact that the root user has
full control over the system is not a bug, or a security issue. I would
suggest not running as root and to use the sudo command when specific
actions are needed to be taken as the root user.

In order to compromise the init scripts, you need to have root
privileges, so that is not an attack vector.

Marking this bug as invalid.

** Changed in: ubuntu
   Status: New => Invalid

** This bug is no longer flagged as a security issue

** Visibility changed to: Public

-- 
***core system*** UNIX level bug
https://bugs.launchpad.net/bugs/324674
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 324674] Re: ***core system*** UNIX level bug

2009-02-03 Thread darkraven
ok. let's compromise YOUR linux box and we'll see if that same statement
RINGS true. how about the CORPORATE unix box, eh?

'sudo' does NOT ELIMINATE the ISSUE at hand. And yes, it is an attack
vector or I wouldn't have been able to do it so easily. all you need is
access to /lib or /etc and a person like me [average user] can take down
a whole system in SECONDS. No, not with rm -f, either. The /lib issue, even
after TWO solid days of hacking back in, cannot be fixed. believe me,
you WILL need console access to get back in.

root has whole system access, GIVEN. HOWEVER, there is TOO LOOSE a
system if you allow root to corrupt it. I am asking to lock down only
those parts of the OS considered VITAL to running it.

IE: base filesystem [as installed], drivers

/etc would have to be in there as well, as without that, there goes your
firewall.

ever taken down a copy of win98 or 3.1 [by accident] and notice how easy
it is to do? linux isn't that much more difficult. believe me, I use SAFE
linux practices. SHIT HAPPENS.

the more you can prevent [SHIT] from happening the happier we ALL are. If
you have EVER installed Debian, as stable as it is, you will notice from
time to time when your system DOES go down, it takes quite a while to
get it back, even after a reinstall.

Time is MONEY.

but, you know, do what you want, what do I know???


Marc Deslauriers wrote:
> Thanks for reporting this issue, but the fact that the root user has
> full control over the system is not a bug, or a security issue. I would
> suggest not running as root and to use the sudo command when specific
> actions are needed to be taken as the root user.
>
> In order to compromise the init scripts, you need to have root
> privileges, so that is not an attack vector.
>
> Marking this bug as invalid.
>
> ** Changed in: ubuntu
>    Status: New => Invalid
>
> ** This bug is no longer flagged as a security issue
>
> ** Visibility changed to: Public