> There is a bug in sudo versions (at least) 1.5.2 and 1.5.3 on NCR's MP-RAS
> that makes it trivial to bypass sudo's restrictions. I reported this to
> the sudo-bugs address given in the source on 12/23/97, but never heard back,
> so screw 'em. It is important to note that MP-RAS is one of the platforms
> listed in the RUNSON file included with the distribution, so there are
> probably many people running this; I imagine you will want to reconsider it
> if you are one of them.

This bug exists on all platforms. Sudo does not handle relative directories
properly. ../../../usr/bin/date would also bypass the access list.

In short, inclusion lists are safe. Exclusion lists are not safe.

> --jml

Regards,                 Phone:     (250)387-8437
Cy Schubert              Fax:       (250)387-5766
UNIX Support             OV/VM:     BCSC02(CSCHUBER)
ITSD                     BITNET:    CSCHUBERat_private
Government of BC         Internet:  cschuberat_private
                                    Cy.Schubertat_private

"Quit spooling around, JES do it."
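The difference between the two list types described in the reply, as an added example that is not part of the original message and is not sudo's code: it compares an exclusion list matched on the typed string, an exclusion list matched after path canonicalization, and an inclusion list. The policy sets, working directory and function names are constructed for illustration, and symlinks are assumed absent.

```python
import posixpath

# Constructed policy for illustration; not taken from any real sudoers file.
DENIED = {"/usr/bin/date"}
ALLOWED = {"/usr/bin/ls"}


def canonical(cmd, cwd):
    """Lexically resolve cmd against cwd, collapsing '.' and '..'.

    Assumption: no symlinks are involved. A real checker would also have
    to resolve them (os.path.realpath) before comparing.
    """
    return posixpath.normpath(posixpath.join(cwd, cmd))


def naive_denylist(cmd, cwd):
    """Flawed check: compares the string exactly as the user typed it."""
    return cmd not in DENIED


def canonical_denylist(cmd, cwd):
    """Exclusion list after canonicalization; still permits by default."""
    return canonical(cmd, cwd) not in DENIED


def canonical_allowlist(cmd, cwd):
    """Inclusion list after canonicalization; refuses by default."""
    return canonical(cmd, cwd) in ALLOWED


def evaluate(cmd, cwd):
    """Return (naive deny, canonical deny, allow) decisions; True = permitted."""
    return (naive_denylist(cmd, cwd),
            canonical_denylist(cmd, cwd),
            canonical_allowlist(cmd, cwd))


if __name__ == "__main__":
    cwd = "/home/user/work"  # constructed working directory
    samples = ["/usr/bin/date", "../../../usr/bin/date",
               "/usr/bin/ls", "/usr/bin/other"]
    for cmd in samples:
        print(f"{cmd:24} -> {canonical(cmd, cwd):16} {evaluate(cmd, cwd)}")
```

Only the inclusion list refuses the path that appears on neither list, which is the default-deny behaviour the reply recommends.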
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:38:43 PDT