Security problems with sudo
John Tapsell
johnflux at gmail.com
Sun May 17 14:54:04 BST 2009
2009/5/17 Thiago Macieira <thiago at kde.org>:
> John Tapsell wrote:
>>2009/5/17 Thiago Macieira <thiago at kde.org>:
>>> John Tapsell wrote:
>>>>2009/5/17 Thiago Macieira <thiago at kde.org>:
>>>>> John Tapsell wrote:
>>>>>> Now the question is.. is there any way to protected against this?
>>>>>
>>>>> No. If your environment is already infected, your using of sudo
>>>>> gives the privilege elevation.
>>>>>
>>>>> If you want to protect against that, don't elevate privileges using
>>>>> sudo. Use ssh -Y.
>>>>
>>>>How would that work? If you run ssh locally, you have the same
>>>>problems. A program could simply run a key logger. If you run
>>>>remotely but ssh in as the user first, then you have the same problem.
>>>> If you run remotely and ssh in directly as root, then that goes
>>>>against the usual restriction to prevent remote root login.
>>>
>>> I think ssh-askpass grabs the keyboard, which means it won't work if
>>> something else grabbed the keyboard.
>>
>>Okay so the evil problem simply supplies their own ssh-askpass
>>program, installed to the users home directory, and modifies .bashrc
>>to add that directory to the front of the path.
>
> I think ssh is a bit more intelligent than that.
So create an ssh binary as well in the home directory :-D
More information about the kde-core-devel
mailing list