
Re: sudo security Was: Reporting missing package during install



On Wed, Dec 11, 2013 at 10:56 PM, Ralf Mardorf
<ralf.mardorf@alice-dsl.net> wrote:
>
> http://www.paritynews.com/2013/03/05/762/sudo-authentication-bypass-vulnerability-emerges/
>
> But note! The Chaos Computer Club does publish howtos using sudo on
> Linux: http://muc.ccc.de/uberbus:ubd
>
> I don't think the Chaos Computer Club folks would write a howto using
> sudo, if sudo would be a security risk.

"There are few prerequisites for the attack to work: the user must be
listed in the /etc/sudoers file; must have successfully authenticated
to execute a sudo command once; and it must be possible for users to
modify the system time without entering a password."

Having someone upgrade his/her sudo privileges to "NOPASSWD:" isn't
good but it isn't the end of the world when compared to an external
attacker getting access to a system.

