|
|
|
|
|
|
by charcircuit
414 days ago
|
|
|
I'm not shouting. >sudo more resilient prevents a whole class of possible bugs Good, but this doesn't fix the easiest way to escalate privileges as an attacker through sudo. Memory safety doesn't help people who run "curl | sudo bash" to install a random program from the internet. >It is not going away. But if work is done it could become very niche and eventually stop getting new usage over time. |
|
|
I don't think you can help those people, unless you seriously lock down the machine to the level of iPhone. Neither Android nor Windows have "sudo" for example, and yet they can get malware just fine... all the difference is instead of the password, user clicks on confirm button a few times.
I advice to (1) think about how you use sudo (2) think what would you replace it with and (3) think how the replacement can be abused by malware.
Here is one example:
(1) Today I used "sudo" to run docker: "sudo -Eg docker docker run..."
(2) the sudo-less replacement would be to add myself to docker group, or switch to rootless docker
(3) If I add myself to docker group, malware can trivially escalate by starting a privileged container. If I switch to the rootless docker, I am weakening security boundary between my primary user and the docker containers I run.