© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
f33e652
(Get the code!)
I am not sure I follow the reasoning (and yes, I read the forum thread). I do not see this as a critical issue.
1. this is not limited to changing ~/.bashrc. There are many other avenues for infiltration via a trojan if the user installs untrusted applications.
2. why would making .bashrc read-only solve the issue? If I am running my trojan under the user's id, I can simply make it writable again & then write what I want in there.
3. This depends on having either
(a) access to a logged-in account, or
(b) install/build of untrusted code/applications.
On (a), if an user left the system unlocked, then there is absolutely nothing Ubuntu -- or any other OS -- can do. There is a limit on how far we can protect against user laxness.
On (b), If you are installing/building untrusted applications (from a strict security point-of-view) you have already compromised your system.
I do not see this as either a Ubuntu security issue, or a problem with sudo, but I am leaving the final decision to the security folks here.