Bob Proulx writes: > Gian Uberto Lauri wrote: > > Bob Proulx writes: > > > How would this be accomplished? (Answer cannot contain a use of sudo! > > > No circular logic please.) > > > ... > > > Right. Because normal users can't change the system time. > > > > Sorry, wrong. With 'folk ALL=(ALL) ALL', user folk can run as root ANY > > That is a user that already has full root privileges! That is not a > normal user. That is a user that already has root. If they have root > then they are already an administrator on the system and don't need to > break into it.
Indeed the problem is that credentials cache joined with the 'username ALL=(ALL) ALL' may lead to some hijacking problems The time-stamp bug simply allowed someone who was "pick-pocketing" an account (in the unlikely scenario[*] of someone finding an unguarded shell open with credentials already cached) to extend the hijack of the credential cache as long as he needed. Another kind of attack relies on this poor/bad configuration of sudo. It is a sort of man-in-the-middle between the user and the shell. This attack would wait until credentials are cached and then issue hidden command to the shell. I think that creating such an attack in a stealthy way is not too hard to do and a large base of users with the default 'user ALL=(ALL) ALL' configuration and lack of knowledge would be a good target for this attack. [*] unlikely or not, everybody felt the urge to fix the problem. -- /\ ___ Ubuntu: ancient /___/\_|_|\_|__|___Gian Uberto Lauri_____ African word //--\| | \| | Integralista GNUslamico meaning "I can \/ coltivatore diretto di software not install giĆ sistemista a tempo (altrui) perso... Debian" Warning: gnome-config-daemon considered more dangerous than GOTO -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/21162.50505.142695.526...@mail.eng.it