Randicus wrote:
curtaintwitcher wrote:
on the OP's system it can silently compromise security.
I highlighted the word you missed.
ziggybopbopdoo wrote:
but I am smart enough not to enter my password when malicious code asks for it?
Oh yeah, I missed it. So the MAJOR security issue is that in one case the code ran silently. In both cases the code was run but one of them was silent and the other wasn't. That is the big security issue? Not the compromise itself, not the idiocy of running untrusted code but only that one ran silently. Once again my response is....REALLY?
If I am dumb enough to run malicious code then there is no reason to think I would not enter my password anyway. True it would not run silently but the end result would be the exact same.
Oh no, the code ran silently after I downloaded it, chown'd/chmod'd it, and executed it. Oh no I would definitely be smart enough after that to not enter my password when asked. No silent code for me.
So either I am dumb enough to run malicious code and dumb enough to enter a password or I am not dumb enough to do either. You can't make a hypothetical user dumb as a box of rocks one minute yet sharp as a tack the next.
Not to mention, if you are going to run malicious code then I don't care about sudo access; all I need is a keystroke logger!