Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: Isn't this a security breach?

  1. #1
    Join Date
    Aug 2010
    Beans
    1

    Isn't this a security breach?

    When you run something with root permissions, it does not require your password to run another sudo-command for 5 minutes. Now what is to stop a tutorial page to make a javascript to run a malicious command after a certain amount of time, say four minutes?

  2. #2
    Join Date
    Feb 2010
    Location
    In My Food Forest
    Beans
    9,318

    Re: Isn't this a security breach?

    NoScript and AppArmor are your friends. The only way java can run as root is if you open the browser as root, afaik.
    Cheers & Beers, uRock
    [SIGPIC][/SIGPIC]

  3. #3
    Join Date
    May 2008
    Beans
    Hidden!

    Re: Isn't this a security breach?

    Quote Originally Posted by asdfjkl semi View Post
    When you run something with root permissions, it does not require your password to run another sudo-command for 5 minutes. Now what is to stop a tutorial page to make a javascript to run a malicious command after a certain amount of time, say four minutes?
    As uRock said, you would have to run the browser as root in order for a tutorial page to gain root access.

  4. #4
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Isn't this a security breach?

    Running a sudo command only allows the sudo timeout on that one terminal session. It does not apply to anything else on the machine. As the others said, you would have to run the browser as root to fall victim to such an attack.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog

  5. #5
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: Isn't this a security breach?

    Quote Originally Posted by rookcifer View Post
    As the others said, you would have to run the browser as root to fall victim to such an attack.
    Technically, if your browser is compromised in a way that allows the attacker to execute arbitrary code, they could wait for you to use sudo, kill your terminal session, re-use your tty, then use sudo before your timestamp times out without needing a password. I wrote a proof-of-concept script for such an attack a while ago. If you're worried about such an attack, set timestamp_timeout to 0 in your sudoers file.

    This has been discussed before. Search the forum before creating a new thread.

  6. #6
    Join Date
    Feb 2010
    Location
    In My Food Forest
    Beans
    9,318

    Re: Isn't this a security breach?

    Quote Originally Posted by cdenley View Post
    Technically, if your browser is compromised in a way that allows the attacker to execute arbitrary code, they could wait for you to use sudo, kill your terminal session, re-use your tty, then use sudo before your timestamp times out without needing a password. I wrote a proof-of-concept script for such an attack a while ago. If you're worried about such an attack, set timestamp_timeout to 0 in your sudoers file.

    This has been discussed before. Search the forum before creating a new thread.
    This is why NoScript and AppArmor are good tools to have configured.
    Cheers & Beers, uRock
    [SIGPIC][/SIGPIC]

  7. #7
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: Isn't this a security breach?

    Quote Originally Posted by uRock View Post
    This is why NoScript and AppArmor are good tools to have configured.
    Yes, but I think the concern was for privilege escalation in general, not specifically for browser exploits. I'm guessing a javascript browser exploit was only an example.

  8. #8
    Join Date
    Jun 2009
    Location
    Tucson, AZ
    Beans
    11
    Distro
    Xubuntu

    Re: Isn't this a security breach?

    The Firefox Apparmor profile is inorged by default though so, if someone who doesn't wtf aa is, they're not going to know how set the profile nor are they going to know what's going on when the script causes funkiness with Firefox, which will invariably do. Which is why the script is ignored in the first place.

  9. #9
    Join Date
    Feb 2010
    Location
    In My Food Forest
    Beans
    9,318

    Re: Isn't this a security breach?

    Quote Originally Posted by meskes View Post
    The Firefox Apparmor profile is inorged by default though so, if someone who doesn't wtf aa is, they're not going to know how set the profile nor are they going to know what's going on when the script causes funkiness with Firefox, which will invariably do. Which is why the script is ignored in the first place.
    This is why a new user should be searching the net and learning the security tools used by their OS, such as AppArmor. The typical use of AA is explained in the Ubuntu Security thread that hopefully newcomers get to read. I think I seen it mentioned in the Ubuntu manual, but I don't think the manual went into detail.
    Cheers & Beers, uRock
    [SIGPIC][/SIGPIC]

  10. #10
    Join Date
    May 2010
    Beans
    166

    Re: Isn't this a security breach?

    Quote Originally Posted by asdfjkl semi View Post
    When you run something with root permissions, it does not require your password to run another sudo-command for 5 minutes. Now what is to stop a tutorial page to make a javascript to run a malicious command after a certain amount of time, say four minutes?
    Quote Originally Posted by uRock View Post
    NoScript and AppArmor are your friends. The only way java can run as root is if you open the browser as root, afaik.
    As a side note, Javascript is not Java.

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •