[Touch-packages] [Bug 2019496] Re: Security implications of SUDO_ASKPASS

2023-07-22 Thread Launchpad Bug Tracker
[Expired for sudo (Ubuntu) because there has been no activity for 60 days.]

** Changed in: sudo (Ubuntu)
Status: Incomplete => Expired

-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu.

[Touch-packages] [Bug 2019496] Re: Security implications of SUDO_ASKPASS

2023-05-23 Thread Marc Deslauriers
If an attacker can edit ~/.bashrc they can simply modify the path and point to a malicious sudo binary that does whatever it wants with the password. I don't think this is a SUDO_ASKPASS issue. If you disagree with our reasoning, it would be best to file this bug with the upstream sudo project

[Touch-packages] [Bug 2019496] Re: Security implications of SUDO_ASKPASS

2023-05-23 Thread Heinrich Schuchardt
Anything running in the user context can edit ~/.bashrc and set aliases. But with aliases you don't get root access. sudo goes to great lengths to ensure that the password is directly passed from the console and not passed through a pipe. SUDO_ASKPASS can circumvent this security. So this badly

[Touch-packages] [Bug 2019496] Re: Security implications of SUDO_ASKPASS

2023-05-17 Thread Seth Arnold
Hello Heinrich, I suspect once you can set aliases in shells used by people with sudo privileges, the game is already over regardless of environment variables used. Is there something I'm missing where setting aliases in someone else's shell is fine except for this variable? Thanks

[Touch-packages] [Bug 2019496] Re: Security implications of SUDO_ASKPASS

2023-05-17 Thread Seth Arnold
** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/2019496
Title: Security implications of SUDO_ASKPASS