On 2021-08-12 12:23, Polyna-Maude Racicot-Summerside wrote:
Now if people start doing stuff they don't master than it's not
privilege escalation but much more something like another manifestation
of human stupidity. And this, there won't be a number of article
sufficient to make people change.
[...]
This is only a article made to get people onto a website and see
publicity or whatever goal the author set. There's nothing genuine in
there.
I think it's less about human stupidity than about all the knowledge you
need to acquire (and retain) to securely administer a system. It is not
easy. The concern expressed here is pretty much common knowledge among
sysadmins of ye olde times. Of course you can abuse this, and yes it got
easier recently. The boundary that sudo provides is very blurry, hard to
understand and full of footguns. People need to come up with better
boundaries - or in this case they might already exist. Basically you
need to be able to validate the request and execute it in a secure
environment. At basically every shared environment people come up with
some way to allow package installation, but it's not easy to find the
right instructions on how to do this properly on Debian[1]. I'm not
aware of a well-trotten path for maintaining a system where users do not
need root. Throw in some reluctance to deal with "newfangled things" (to
establish new, maybe controversial boundaries) and you end up with every
one fighting for themselves.
Now of course there's value in people having this knowledge and
companies should recognize this value. But from communication and
awareness we learn, no?
Kind regards
Philipp Kern
[1] E.g. thinking of https://debian-handbook.info/browse/stable/