On Apr 13, 2005, at 5:24 am, Tom Shaw wrote:

> I am still at a loss with this thread. What is the key real issue?

Because of the default timeout, an application can leverage `sudo` privileges even though the user has not specifically authorised it, and even when the granting of `sudo` privileges might be undesirable.

> If you can sudo then you have an admin PW and you can muck about
> without issue so what's this thread really about?

Something other than you mucking about with your system using `sudo` privileges.

> Maybe it's about being a little sloppy and an academic usage of trojans.

It's not really that academic - it is clearly & well-documented that users will click on things & run them. If you've never used PCs, then you won't realise how easy it is to get a virus from an infected attachment or other .exe - the second time I did it I was REALLY cursing myself for my stupidity, but however educated one is, getting a virus is the _last_ thing one expects from what mostly seems like normal computer usage (clicking on an attachment in order to open it).

Considering that I've had 14 - 28 day uptimes since I got my G5 and that I probably run `sudo` in the terminal once a week, if I were dumb enough to run girls_in_bikinis.app that I received by email, then it could almost certainly get sudo rights on my system. Bear in mind that girls_in_bikinis.app does not require use of a password, it just runs, appears to finish & then does its nasties next time I run `sudo` in a terminal.

Stroller.
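
The timeout discussed in this message is controlled by the sudoers `timestamp_timeout` option. As an added example (not part of the original message), this shell sketch reports the effective global setting from sudoers text; the function names and the sample sudoers content are constructed for illustration, and per-user or per-host `Defaults` lines are not evaluated.

```shell
#!/bin/sh
# Added example: audit sudoers text for the credential-cache (timestamp) window.

# Read sudoers text on stdin; print the last global timestamp_timeout value,
# or "unset" when no global Defaults line sets it (later lines override earlier).
effective_timeout() {
    awk '
        /^[ \t]*#/ { next }                 # skip comment and #include lines
        $1 == "Defaults" {                  # global Defaults only
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^timestamp_timeout[ \t]*=/) {
                    v = opts[i]
                    sub(/^timestamp_timeout[ \t]*=[ \t]*/, "", v)
                    sub(/[ \t]+$/, "", v)
                    val = v
                }
        }
        END { print (val == "" ? "unset" : val) }
    '
}

# Map a value from effective_timeout to what it means for password prompts.
classify_timeout() {
    case "$1" in
        unset) echo "cached: compiled-in default window" ;;
        -*)    echo "cached: never expires" ;;
        0|0.0) echo "prompt-every-time" ;;
        *)     echo "cached: $1 minutes" ;;
    esac
}

# Constructed sample: no timeout configured, so the default window applies.
SAMPLE_DEFAULT='# constructed sample sudoers text
Defaults env_reset
%admin ALL=(ALL) ALL'

# Constructed sample: caching disabled, every sudo call asks for the password.
SAMPLE_STRICT='# constructed sample sudoers text
Defaults env_reset, timestamp_timeout=0
%admin ALL=(ALL) ALL'

for sample in "$SAMPLE_DEFAULT" "$SAMPLE_STRICT"; do
    classify_timeout "$(printf '%s\n' "$sample" | effective_timeout)"
done
```

With `timestamp_timeout=0` there is no cached authorisation for a later process to reuse, at the cost of a password prompt on every `sudo` invocation.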