
Re: If you care about debian's security read this



I see, Gustavo, that you're hell-bent on embarrassing yourself in front
of the whole project.  Allow me to assist you.

On Sun, 2002-03-03 at 06:13, Gustavo Noronha Silva wrote:
> gnome-sudo and configlet's maintainers are trying to let a root hole
> go in woody

Translation: "Jeff and I have a difference of opinion, but instead of
debating it nicely, I'm going to slander his reputation in public. 
That'll teach him to cross me!"

> I've reported a grave bug on gnome-sudo because it will let you run
> anything as root when you configure it to be useful, even if you don't
> have ways of doing that with normal sudo... see this:

The bug report has a similar session transcript in which I attempt to
show that the admin has to explicitly grant permission for this to
work.  Here, however, you do it for me:

> now I remove gnome-sudo-helper from my /etc/sudoers:

Bingo!  Everyone note (in case it wasn't clear) that Gustavo wrote the
above, not me.

> no more root hole, but gnome-sudo doesn't work anymore...
> (and does not even give an error message... that's why bug
> #133402 is related to this problem)

Right.  There's a bug there, and even Eric has ACKed this.

However, you merged the two bug reports WITHOUT Eric's permission and
(as we can see) WITHOUT any understanding of the two bugs.  They may or
may not be related, but they are not the same bug.

Furthermore, you show a complete lack of respect for Eric by mucking
with his bugs in this manner.  Not only that, but you completely ignore
the original bug submitter, who says things like:

# The problem is *not* a problem with /etc/sudoers

He also does a lot of other things to isolate the problem, and brings up
some interesting behavior of gnome-sudo that, again, should be fixed. 
But it's not the same problem!

> the only way to use gnome-sudo is adding /usr/lib/gnome-sudo/gnome-sudo-helper to /etc/sudoers... and the
> problem here is bigger, because the program/installation does not
> warn the user that he has a root hole after being able to use gnome-sudo

Sudo has several features:

 - allow the user to gain root access w/o the root password

 - limits root access to particular users

 - "caches" root access so that the user doesn't have to type passwords
over and over

 - restrict what commands the user can execute as root

Gnome-sudo provides a GUI to all but the last feature.  If you care
about the last feature, don't grant your users access to gnome-sudo. 
(Or, perhaps, grant some users you trust access to gnome-sudo and other
users not.  That works too.)

It's called a "security model".  Go off to a security search engine and
do some reading.  Here's another hint, in case that little discussion
doesn't clue you in: Everyone's security needs are different.

> details in bug #134521, which was grave but has just been reseverited
> 'wishlist' by configlets' maintainer.. sorry for bringing this to -devel
> but the package's maintainer just doesn't care about this...

In this case, I think we've tried, nicely and not-so-nicely, to explain
it to you.  Now, you get the whole Project involved in your little
vendetta.  You refuse to answer our arguments with logic; your whole
method of rebuttal amounts to yelling the same thing, over and over, as
if "proof by repetition" worked.

So, I'll put to you a little challenge.  Do the following:

dpkg --purge gnome-sudo sudo
rm /etc/sudoers
apt-get install gnome-sudo

Then, get to a root shell without typing the root password and without
editing /etc/sudoers.  Use gnome-sudo to do it.

If you can't answer this challenge, then shut your mouth, and let your
betters handle complex things like security.
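
The point both sides of the message above arrive at (a sudoers entry for /usr/lib/gnome-sudo/gnome-sudo-helper is what enables gnome-sudo, and sudo's per-command restriction does not apply through it) can be checked mechanically. The following is an added example, not part of the original message or of gnome-sudo: it audits a simplified subset of sudoers syntax (no User_Alias expansion or #include handling), and the sample file and the function names `logical_lines` and `audit` are constructed for illustration.

```python
import re

# Helper path as given in the thread; per the thread, granting it lets the
# user run anything as root.
HELPER = "/usr/lib/gnome-sudo/gnome-sudo-helper"

# Constructed sample sudoers content (not taken from the thread).
SAMPLE = """\
# constructed sample
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
root    ALL=(ALL) ALL
alice   ALL = PRINTING
bob     ALL = PRINTING, \\
        /usr/lib/gnome-sudo/gnome-sudo-helper
carol   ALL = NOPASSWD: /usr/lib/gnome-sudo/gnome-sudo-helper
"""

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def audit(text, helper=HELPER):
    """Map each user to 'unrestricted' or 'restricted' (simplified subset)."""
    aliases, result = {}, {}
    for line in logical_lines(text):
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        if line.startswith("Defaults") or re.match(r"\w+_Alias\b", line):
            continue  # other directives are out of scope for this sketch
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m:
            continue
        cmds = []
        for c in m.group(2).split(","):
            c = re.sub(r"^(?:[A-Z]+:\s*)+", "", c.strip())  # strip NOPASSWD: etc.
            cmds.extend(aliases.get(c, [c]))
        # ALL or the helper means the command list no longer restricts anything.
        wide = any(c == "ALL" or c.split()[:1] == [helper] for c in cmds)
        user = m.group(1)
        if wide or result.get(user) != "unrestricted":
            result[user] = "unrestricted" if wide else "restricted"
    return result

if __name__ == "__main__":
    for user, level in sorted(audit(SAMPLE).items()):
        print(f"{user}: {level}")
```

Here bob has a restricted command list on paper, but the helper entry makes that list meaningless, which is exactly the case an admin relying on sudo's command restriction would want flagged.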


