Re: Bug is sudo?

From: Todd C. Miller (Todd.Millerat_private)
Date: Sat Jun 27 1998 - 13:27:56 PDT

Next message: Aaron D. Gifford: "Re: And another qpopper overflow (does this make 3?)"

Previous message: Klaus: "Re: More problems with QPOPPER - <sigh>"
Maybe in reply to: Rhodie: "Bug is sudo?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Of course, this only works if you exist in the sudoers file, which
makes it pretty benign.  I agree that sudo should ask for a password
and this is fixed in sudo 1.5.4p1, available now from:
    ftp://ftp.cs.colorado.edu/pub/sudo/cu-sudo.v1.5.4p1.tar.Z

It is still possible for a user in sudoers to probe for binaries
but it's not really possible to disable that without making it
impossible for a sudo user to know *which* version of a command
was disallowed (for instance, sudoers may specify the system "ls"
and the user may have the GNU version first in their path).

 - todd

Next message: Aaron D. Gifford: "Re: And another qpopper overflow (does this make 3?)"
Previous message: Klaus: "Re: More problems with QPOPPER - <sigh>"
Maybe in reply to: Rhodie: "Bug is sudo?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:45 PDT