Re: hole in sudo for MP-RAS.

From: Todd C. Miller (Todd.Millerat_private)
Date: Mon Jan 12 1998 - 20:53:37 PST

Next message: Todd C. Miller: "Re: hole in sudo for MP-RAS."

Previous message: Pavel Kankovsky: "Xserver stack smashed"
Maybe in reply to: osirisat_private: "hole in sudo for MP-RAS."
Next in thread: Todd C. Miller: "Re: hole in sudo for MP-RAS."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In message <199801130402.WAA09191@l-ecn004.icaen.uiowa.edu>
        so spake  (dsiebert):

> Seems to me that fixing the "exclude" stuff in sudo is a bit harder than just
> verifying the path is on the exclude list.  Any exclude list should default
> automaticaly to only letting you run stuff owned by root (or bin, or whatever
> owns your system binaries)  Otherwise a user can just make a copy of (or
> compile) something banned.  Though realistically, I don't see how you could
> make an exclude list complete enough to avoid letting a user run a shell, at
> which point the user can do anything anyway.

excluding things from 'ALL' is pretty much meaningless for the
reasons you've noted above.  The exclusion facility is really only
useful for subtractings things from a real list...

 - todd

Next message: Todd C. Miller: "Re: hole in sudo for MP-RAS."
Previous message: Pavel Kankovsky: "Xserver stack smashed"
Maybe in reply to: osirisat_private: "hole in sudo for MP-RAS."
Next in thread: Todd C. Miller: "Re: hole in sudo for MP-RAS."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:38:50 PDT