
Re: localeconf package



Package: gnome-sudo
Version: 0.3-1
Severity: grave

On Sun, 2002-02-17 at 20:25, Gustavo Noronha Silva wrote:
> On 17 Feb 2002 19:57:25 -0500
> Jeff Licquia <licquia@debian.org> wrote:
> > gnome-sudo-helper is a shell script that sets up X stuff before calling
> > any program you pass it, yes.  OTOH, it's a simple shell script,
> > non-setuid (as if that would work anyway).  You still need to gain root
> > via some other method; if you can do that, you don't need
> > gnome-sudo-helper (unless your l33t programz need an X display).
> yes, I know it... now let's see what we can do with it:
> 
> [/usr/lib/gnome-sudo]
> [kov]@[couve] $ mkdir /tmp/a
> [/usr/lib/gnome-sudo]
> [kov]@[couve] $ sudo `pwd`/gnome-sudo-helper /tmp/a /bin/sh
> GNOME_SUDO_DONE sh-2.05a# 
> 
> tchan! I'm now root, with no effort... this is a root hole, I may be wrong,
> anyway, and you don't need to be able to exec gnome-sudo-helper as
> root with sudo, but how do you get gnome-sudo to work then?

So, the problem here is that gnome-sudo-helper doesn't respect
/etc/sudoers with respect to what commands are allowed or not, right?

I'll file a bug, then.  We'll see what happens.
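
The problem discussed in this message can be checked for in a sudoers file. The following is an added example, not part of the original thread and not code from gnome-sudo: it flags sudoers rules that grant a program which runs any command passed to it. The `PASS_THROUGH` list, the function name `audit_sudoers` and the sample sudoers lines are assumptions constructed for the illustration, and the parser handles plain user specifications only.

```python
import re

# Programs that run whatever command they are handed. The list is an assumption
# for this example; gnome-sudo-helper is on it because of the thread above.
PASS_THROUGH = {"gnome-sudo-helper", "env", "sh", "bash", "nice", "xargs"}

# Constructed sudoers fragment, not taken from any real system.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
kov ALL = (root) /usr/lib/gnome-sudo/gnome-sudo-helper
ops ALL = (root) NOPASSWD: /usr/bin/env "", /usr/sbin/service apache2 restart
web ALL = (root) /usr/lib/gnome-sudo/gnome-sudo-helper /tmp/* /usr/bin/gedit
"""

def audit_sudoers(text):
    """Return (line_no, who, command, reason) for pass-through rules.

    Simplified: handles plain user specs only (no aliases, includes or
    line continuations).
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        left, right = line.split("=", 1)
        who = left.split()[0]
        if who.endswith("_Alias"):
            continue
        for spec in re.split(r"(?<!\\),", right):       # commas in args are escaped
            spec = re.sub(r"^\s*\([^)]*\)", "", spec)    # drop the (runas) part
            spec = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", spec).strip()  # drop tags
            if not spec:
                continue
            cmd, _, args = spec.partition(" ")
            args = args.strip()
            if cmd.rsplit("/", 1)[-1] not in PASS_THROUGH:
                continue
            if not args:    # sudoers: no argument list means any arguments match
                findings.append((no, who, cmd, "any arguments allowed"))
            elif "*" in args:
                findings.append((no, who, cmd, "wildcard in arguments"))
            # args == '""' (no arguments allowed) or fixed arguments: not flagged
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("line %d: %s may run %s (%s)" % finding)
```

A rule flagged here deserves the same review as a rule granting `ALL`, since the listed program will execute the caller's choice of command with the target user's privileges.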


