[Iftop-users] Security Issue With iftop

Michael Shigorin shigorin at gmail.com
Wed, 20 Jan 2010 16:07:23 +0200

On Mon, Jan 18, 2010 at 07:35:52PM +0300, Ali Jawad wrote:
> As you all know a non root user can not run iftop. So the most
> obvious workaround is to use sudo. Now if you give a regular
> user sudo access he will execute.
> sudo iftop
> Once he is inside iftop. He can execute ! he will get the
> following promtp
> command >
> At this point a user can execute su, and he will get a root
> shell. He can also execute any command in privileged mode. The
> idea of using sudo initially was giving the user iftop access.
> However the user ends up with total root access.
> Please comment.

I'd make availability of "!" depend on explicit commandline
switch -- IIRC comparing getuid()/geteuid() won't help much,
and for a program intended to run with elevated privileges
having means to start another program is something worth

2 ldv: what would you say?

 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/