Subject: Re: [lists@globalintersec.com: [Global InterSec 2002041701] Sudo Password Prompt Vulnerability.]
To: Jan Schaumann <jschauma@netbsd.org>
From: Johan A. van Zanten <johan@ewranglers.com>
List: tech-security
Date: 04/25/2002 23:20:13
---
In message <20020425212156.A19882@netmeister.org>
>$ pwd
>/etc
>$ su
># vi printcap
># lpr /tmp/foo.ps
># vi /usr/pkg/libexec/magicfilter/some-printer
># lpr /tmp/foo.ps
># lpr /tmp/foo.pdf
># lpr /tmp/foo.txt
>[I want "rm /tmp/foo*" but accidentally mistype:]
># rm /tmp/foo *
>[ /tmp/foo* is gone, but so is /etc/* ]

 If you type, "rm /tmp/foo *" while your cwd is /etc, then i think
 "/tmp/foo" would be gone, but not "/tmp/foo*".

>
>Now I'm fully aware that if I'm allowed to execute vi via sudo, I
>essentially have full root-access, as I can call a shell from within the
>editor -- the point in this example is not to increase security by not
>giving out root, but by reducing the likelihood of errors caused by
>typos.

 I learned to use "su" and suspend, made easy like so:

alias z='suspend'

 (In the good old days, even just plain "su" read .cshrc so one could
 locate this alias there.  Now one can put it in ~root/.profile, but it
 will need to be "su -", or something more clever with ksu...)

  So in your example, if i already had a root shell, i'd type "fg", if
not, i'd su.  Once i had edited printcap, i would type "z" and i'm less
dangerous again.


 Now, what i mostly do is use color-coded fg for my terms. The background
is always black. If it's white text, it's me.  If a colored fg, it's
root. (This doesn't require anything fancier than a color frame buffer and
the standard xterm.)

 Obviously, there's no way to delegate authority in this way. But this
does solve the problem of protecting against typos (or brainos), without
installing a setuid-root binary into the load.

 --johan
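
The expansion discussed in this message can be checked in a throwaway directory tree. This is an added example, not part of the original post; the sandbox layout (stand-ins for /etc and /tmp under a `mktemp` directory) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Build a constructed sandbox: $root/etc and $root/tmp stand in for /etc and /tmp.
make_sandbox() {
    root=$(mktemp -d) || return 1
    mkdir "$root/etc" "$root/tmp" || return 1
    touch "$root/etc/printcap" "$root/etc/passwd" \
          "$root/tmp/foo" "$root/tmp/foo.ps" "$root/tmp/foo.pdf" "$root/tmp/foo.txt"
    printf '%s\n' "$root"
}

# Print the files that still exist, sorted, on one space-separated line.
survivors() {
    (cd "$1" && find etc tmp -type f | LC_ALL=C sort | paste -s -d ' ' -)
}

# Mistyped form: "rm /tmp/foo *" with the cwd in etc.
# The shell expands the bare * to every name in the cwd before rm runs,
# so rm receives: <root>/tmp/foo passwd printcap
run_typo() {
    root=$(make_sandbox) || return 1
    (cd "$root/etc" || exit 1; rm "$root/tmp/foo" *)
    survivors "$root"
    rm -rf "$root"
}

# Intended form: "rm /tmp/foo*". The glob is attached to the path,
# so it only matches names under tmp that begin with "foo".
run_intended() {
    root=$(make_sandbox) || return 1
    (cd "$root/etc" || exit 1; rm "$root"/tmp/foo*)
    survivors "$root"
    rm -rf "$root"
}

printf 'typo     leaves: %s\n' "$(run_typo)"
printf 'intended leaves: %s\n' "$(run_intended)"
```

The mistyped form removes the literal `foo` and everything in the current directory while `foo.ps`, `foo.pdf` and `foo.txt` survive; the intended form removes all four `foo*` files and leaves the current directory alone.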