> > I've been able to reproduce the exploit using cu-sudo 1.5.3 under DEC UNIX > 4.0B and FreeBSD 2.2.5. After looking at the code the bug can be exploited on > any platform. > > Here is a patch to fix the problem, assuming your operating system of choice > supports realpath(3). *BSD, Linux, Solaris, SunOS, DEC UNIX, AIX, and DG/UX > should have no problem with this patch. > Seems to me that fixing the "exclude" stuff in sudo is a bit harder than just verifying the path is on the exclude list. Any exclude list should default automaticaly to only letting you run stuff owned by root (or bin, or whatever owns your system binaries) Otherwise a user can just make a copy of (or compile) something banned. Though realistically, I don't see how you could make an exclude list complete enough to avoid letting a user run a shell, at which point the user can do anything anyway. -- Douglas Siebert Director of Computing Facilities douglas-siebertat_private Division of Mathematical Sciences, U of Iowa If you let the system beat you long enough, eventually it'll get tired.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:38:46 PDT