Mailing Lists: Apple Mailing Lists


Re: Problems 'su'ing into the root user




On Aug 22, 2006, at 7:04 AM, Ansgar -59cobalt- Wiechers wrote:

On 2006-08-22 JC Derr wrote:
On Aug 22, 2006, at 12:21 AM, Ansgar -59cobalt- Wiechers wrote:
I like sudo since it logs the commands. True that if you switch
the shell with -s you don't get further logging, but at least you
can see who changed to a root shell.

True, but the same goes for "sudo su", only that the logged command is "/usr/bin/su" instead of "/bin/bash".

Logging aside, it's an escalation of privileges that defeats the entire purpose of 'sudo'.

su asks for the root password and executes any command as root.

*sigh*

Not when executed via sudo.

sudo asks for your password, does some common sense checking on the
tool you're invoking, on any dynamically linked libraries it uses,
and then invokes it with a stripped down environment to further lower
the risk that any surviving malicious code might present.

A "stripped down environment to lower the risk ..." when talking about running a root shell? You're kidding me, right?


Hello,

My $0.25: Apple should be more strict with the default sudo configuration... Noting that this is an exploit I have reported to numerous people, but no one seems to be interested.

Here we have a kind of "virus for macos": Remember the old afp:// vulnerability in Safari mounting disk? Now imagine it running this...

echo '*/2 * * * * if D=`echo | sudo -S echo hello` ; then do_bad_things ; sudo -v;fi >& /dev/null ' | crontab

I am sure 99.8% of Mac users wouldn't know if this had already happened... provided that "do_bad_things" didn't do something obvious to the local system.

I suggest a 'deny all before allow' mentality with this. Evaluating the binaries that are allowed to be used and allowing them, rather than specify the lot you don't want... Note these are just as bad as su:

sudo bash
sudo tcsh
sudo zsh

Cheers!
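
An added example (not part of the original message or the thread): a small Python audit of a sudoers policy for the points raised above, namely rules that grant ALL or a shell, deny-list entries, and cached credentials that a job like the crontab line could reuse. The sample policies and user names are constructed, and the parsing is simplified (no line continuations, alias expansion or #include handling).

```python
import re

# Shells and su: allowing any of these through sudo is the same as full root.
SHELLS = {"sh", "bash", "csh", "tcsh", "zsh", "ksh", "su"}

# Constructed sample policies (hypothetical users and command paths).
WEAK = """\
Defaults env_reset
%admin ALL=(ALL) ALL
alice ALL=(root) ALL, !/usr/bin/su, !/bin/bash
bob ALL=(root) NOPASSWD: /bin/zsh
"""
STRICT = """\
Defaults env_reset, timestamp_timeout=0
Cmnd_Alias SERVICES = /usr/sbin/apachectl, /usr/sbin/serveradmin
%admin ALL=(root) SERVICES
"""

def audit_sudoers(text):
    """Return (line_number, finding) pairs; line 0 means a policy-wide finding."""
    findings, timeout = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments (simplified)
        if line.startswith("Defaults"):
            m = re.search(r"timestamp_timeout\s*=\s*(-?\d+)", line)
            timeout = int(m.group(1)) if m else timeout
            continue
        if not line or re.match(r"\w+_Alias\b", line) or "=" not in line:
            continue
        # User spec: "who host = (runas) TAG: cmd, cmd"
        cmds = re.sub(r"\([^)]*\)", "", line.split("=", 1)[1])
        if "NOPASSWD:" in cmds:
            findings.append((n, "NOPASSWD rule"))
        cmds = re.sub(r"\b[A-Z]+:", "", cmds)    # strip tags such as NOPASSWD:
        for cmd in filter(None, (c.strip() for c in cmds.split(","))):
            if cmd == "ALL":
                findings.append((n, "grants ALL commands"))
            elif cmd.startswith("!"):            # deny-list instead of allow-list
                findings.append((n, "deny-list entry " + cmd))
            elif cmd.split()[0].rsplit("/", 1)[-1] in SHELLS:
                findings.append((n, "grants root shell via " + cmd))
    if timeout != 0:   # a cached ticket lets a background job sudo without a password
        findings.append((0, "cached credentials: timestamp_timeout is not 0"))
    return findings

if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(name, audit_sudoers(policy))
```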









