privilege escalation by su/sudo/gksu/kdesu alias
Bug #368054 reported by
Sebastian "Nait" Kacprzak
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| bash (Ubuntu) |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
malware software running with user privileges can easily gain root access by adding for example
alias 'sudo=myScriptT
to user .bashrc
I think that user should not be able to hide/override su/sudo/gksu/kdesu etc commands(opposite should be still allowed because alias changeUser='sudo -u user' is not a security threat).
Because its very old vulnerability it was probably already decided not to change current behavior, but I'm reporting just in case.
| visibility: | private → public |
| Changed in ubuntu: | |
| importance: | Undecided → Wishlist |
| status: | New → Confirmed |
Revision history for this message
| Sense Egbert Hofstede (sense) wrote | #1 |
| affects: | ubuntu → bash (Ubuntu) |
| Changed in bash (Ubuntu): | |
| importance: | Wishlist → Undecided |
| status: | Confirmed → Won't Fix |
To post a comment you must log in.
Thank you for helping Ubuntu by reporting this bug. We've had a small discussion about this at IRC and decided that prohibiting certain aliases is not desirable, you simply shift the problem somewhere else. Therefore I'm marking this bug as Won't Fix.
More information about and previous discussions on this issue can be found in the conversation of bug #127116 and the following thread at Ubuntuforums.org: <http://