-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ok.lets compromise YOUR linux box and we'll see if that same statement RINGS true.how about the CORPORATE unix box,eh?
'sudo' does NOT ELIMINATE the ISSUE at hand.And yes, it is an attack vector or I wouldn't have been able to do it so easily.all you need is access to /lib or /etc and a person like me [average user] can take down a whole system in SECONDS.No, not with rm -f, either.The /lib issue,even after TWO solid days of hacking back in, cannot be fixed. believe me, you WILL need console access to get back in. root has whole system access, GIVEN. HOWEVER, there is TOO LOOSE a system if you allow root to corrupt it.I am asking to lockdown only those parts of the OS considered VITAL to running it. IE: base filesytem [as installed],drivers.... /etc would have to be in there as well, as without that, there goes your firewall. ever taken down a copy of win98 or 3.1 [by accident] and notice how easy it is to do?linux isn't that much more difficult.believe me, I use SAFE linux practices.SHIT HAPPENS. the more you can prevent [SHIT] from happening the happier we ALL are.If you have EVER installed debain, as stable as it is, you will notice from time to time when your system DOES go down, it takes quite a while to get it back, even after a reinstall. Time is MONEY. but, you know, do what you want, what do I know??? Marc Deslauriers wrote: > Thanks for reporting this issue, but the fact that the root user has > full control over the system is not a bug, or a security issue. I would > suggest not running as root and to use the "sudo" command when specific > actions are needed to be taken as the root user. > > In order to compromise the init scripts, you need to have root > privileges, so that is not an attack vector. > > Marking this bug as "invalid". > > ** Changed in: ubuntu > Status: New => Invalid > > ** This bug is no longer flagged as a security issue > > ** Visibility changed to: Public > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBAgAGBQJJiCQ2AAoJEN7An3XqqpwMwl0H/RGyTTxYrV+cZB6UGe/5zssy Yz4WgvdLdcg34+CxxP971HtgFCsTC+xWoBTJf0DOFP1VUj1l5uMI70Vt+WDcXwWL 88NQE1IckTvt6AqIgm21KNCGrvlUSVoHyPb48v/tT4Gc+0sAbjwf0qMXYuEwqei5 fEU7N6mTSqbhbURR3o+YJsS0tkHLFduO17omrZPvExPvhwkCeJyMwk39pLrJoK6M XHzMpXv9dlYlF8tZ3jKUg6JZ16nZhSJz1RPJBYEhc7s0D7Kk3P/J0mx6+WxURxbU MGtLRwjeDB94SRh1dbPQWrxkJtJnuGSE62GNOmSIS1Es378UQjfX9DT1+5YD7ko= =StTf -----END PGP SIGNATURE----- -- ***core system*** UNIX level bug https://bugs.launchpad.net/bugs/324674 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
