Re: sudo and UNIXes
- To: debian-user@lists.debian.org
- Subject: Re: sudo and UNIXes
- From: Joe Pfeiffer <pfeiffer@cs.nmsu.edu>
- Date: Fri, 01 Nov 2013 21:01:57 -0600
- Message-id: <1b4n7vik0q.fsf@snowball.wb.pfeifferfamily.net>
- References: <5269D17C.6090504@optonline.net> <20131025183155.GB9627@hysteria.proulx.com> <20131025234110.478c8065ddd992139a38bc3e@gmail.com> <CAOdo=SyHvrF=gPje83ryhjf+iyrLc6AqMTdHbJbJtfDFoWttBg@mail.gmail.com> <20131026011611.f2a1e103756681a7d0e858e0@gmail.com> <CAOdo=SyowAJfhFf+4y-m52cew4OdCYHOG894yufXtGBnYXK3LA@mail.gmail.com> <20131027113150.5d165f99e540507a9892132f@gmail.com> <1b38nmdqfg.fsf@snowball.wb.pfeifferfamily.net> <20131028134702.GA23316@x101h> <1bvc0hcqqo.fsf@snowball.wb.pfeifferfamily.net> <20131028181130.GB29376@x101h>
Reco <recoverym4n@gmail.com> writes:
> On Mon, Oct 28, 2013 at 10:19:43AM -0600, Joe Pfeiffer wrote:
>> Reco <recoverym4n@gmail.com> writes:
>> >> You also have to add to the picture such a vulnerability, and I haven't
>> >> noticed any.
>> >
>> > If we're speaking of public vulnerabilities:
>> >
>> > CVE-2010-0427.
>>
>> Does not permit users outside of those in the sudoers file (or with the
>> root password) to escalate privileges.
>
> Lessens attack surface, but doesn't void the existence of vulnerability.
>
>>
>> > CVE-2013-1775 (allows bypassing a sudoers modification to retain root
>> > privileges).
>>
>> Again -- isn't "basically equivalent to giving everyone uid=0." Permits
>> someone who *has* sudo access to avoid retyping a password.
>
> Not only that. Permits someone who already has sudo access to continue
> having such access indefinitely, ignoring being excluded from sudoers
> altogether.
You made a specific claim, that sudo without patches is "basically
equivalent to giving everyone uid=0". You have yet to say anything that
even begins to substantiate that claim.