From: J G Miller on 18 Feb 2010 16:39

On Thu, 18 Feb 2010 08:29:55 +0100, Aragorn wrote:

> Anyone with the authority to install software on the system which
> can sniff the keyboard input from an unprivileged user would already
> have to have root privileges in the first place to get this malicious
> software to install

Not necessarily. If for some reason the luser had been encouraged to type

xhost + <somehost>

and the cracker was present on <somehost>, which was either local or X was running with tcp connections allowed, and with his own copy of that X program which shows everything on a user's display and can log keypresses (cannot recall the name at the moment) then the cracker would be able to get the password.

> But we all know that lots of things are not being used for what they
> were actually designed... ;-)

Understatement of the millennia ;)

From: Robert Riches on 19 Feb 2010 00:35

On 2010-02-18, Aragorn <aragorn(a)chatfactory.invalid> wrote:

> On Wednesday 17 February 2010 22:46 in comp.os.linux.misc, somebody
> identifying as Robert Heller wrote...
>
>> The real question is not 'What's the reason not to set a root
>> password?', but 'What's the reason TO set a root password?'.
>
> The use of /sudo/ with the user's own password or eventually without a
> password is actually a security risk. If your user account is
> compromised, this will allow the attacker to obtain root privileges
> instantly by invoking...
>
> sudo su -

It depends on the commands allowed by the entries in sudoers. On the systems I administer, ordinary users are allowed to reboot and shut down without entering a password. They can't get to a general root shell.

--
Robert Riches
spamtrap42(a)verizon.net
(Yes, that is one of my email addresses.)
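
The contrast discussed in the post above, as an added sudoers fragment that is not part of the original thread: a broad rule that makes `sudo su -` work, next to a rule limited to reboot and shutdown. The file name, group names and binary paths are assumptions and vary by distribution.

```sudoers
# Constructed example, e.g. /etc/sudoers.d/power
# Group names (%staff, %users) and paths under /sbin are assumptions.

# Broad rule of the kind the quoted text warns about: any command as any
# user. With this in place, "sudo su -" gives a root shell to whoever
# controls the account and its password. Left commented out on purpose.
# %staff ALL=(ALL) ALL

# Restricted rule of the kind the reply describes: ordinary users may
# reboot and shut down without a password and nothing else.
# Only full paths are listed, so a same-named program placed earlier in
# the user's PATH does not match the rule.
Cmnd_Alias POWER = /sbin/reboot, /sbin/shutdown
%users ALL=(root) NOPASSWD: POWER

# Commands that can spawn a shell or write arbitrary files (editors,
# pagers, interpreters, su itself) do not belong in an alias like POWER:
# any one of them turns the restricted rule back into a root shell.
```

Check the syntax with `visudo -c -f /etc/sudoers.d/power` before relying on the file, and confirm what a given account can actually run with `sudo -l -U <username>`.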