On 06/13/2013 05:46 PM, Chris Angelico wrote:
> On Fri, Jun 14, 2013 at 3:48 AM, Νικόλαος Κούρας <[email protected]> wrote:
> <SNIP>
>> You are right, but I still believe Steven would not act maliciously in the server. He proved himself very helpful already.
>
> You thought that about me, too. (And you were still correct. I did not act maliciously, I just didn't do what you thought I'd do.) By the time you know what someone will do with your server, it is too late. And remember, I made it really obvious what I'd done; someone else may well not.
>
> Oh, and as to privilege escalation... there have been exploits found in various applications, but the biggest one *ever* is the social attack. It'd be VERY easy for Steven to get access, put a file in his home directory, ask you to run it as root, and give himself full access. And how would you know what that script does? You are incompetent at managing a Linux system. You would be compromised faster than an unpatched XP.
>
> ChrisA
Perhaps more relevant is changes that are made by mistake, or by side effect of software tools, or by virus or by adware. When you unlock a door, you're never sure just what will happen. This is why even with my own system, I use the least-privileged logon that lets me do what I need to do.
I was involved in cleaning up the mess left behind by some guys who installed an April Fools' joke on their boss's machine. They didn't mean any harm, but their code had bugs.
And when new to Unix, I once typed a very complicated command (involving the find program, but also invoking other code) which would have had the final effect of deleting our entire source tree, including the (RCS) source control. I would have tested the operation first, except that some fool had disabled the editor for csh when running as root. Anyway, the only thing that saved me was that Unix (in that era) had such a slow file system that I was able to kill it before it deleted a half-dozen files. Nothing volatile was lost, and the missing files were trivial to restore from the daily backup tapes.
-- 
DaveA

-- 
http://mail.python.org/mailman/listinfo/python-list
