Re: sudo and UNIXes
On Sat, 2 Nov 2013 15:34:13 +0000 (UTC)
Curt <curty@free.fr> wrote:
> On 2013-11-02, Joe Pfeiffer <pfeiffer@cs.nmsu.edu> wrote:
> >>>
> >>> Again -- isn't "basically equivalent to giving everyone uid=0."
> >>> Permits someone who *has* sudo access to avoid retyping a
> >>> password.
> >>
> >> Not only that. Permits someone who already has sudo access to
> >> continue having such access indefinitely, ignoring being excluded
> >> from sudoers altogether.
> >
> > You made a specific claim, that sudo without patches is "basically
> > equivalent to giving everyone uid=0". You have yet to say anything
> > that even begins to substantiate that claim.
> >
>
> How about this bug:
>
> http://www.sudo.ws/sudo/alerts/sudo_debug.html
>
> Impact: Successful exploitation of the bug will allow a user to run
> arbitrary commands as root.
>
> Exploitation of the bug does not require that the attacker be listed
> in the sudoers file. As such, we strongly suggest that affected sites
> upgrade from affected sudo versions as soon as possible.
>
How valid is that considering that Wheezy is using sudo
version 1.8.5p2-1+nmu1? May I assume that there are still a lot of
non-upgraded machines out there? Maybe the best advice would be to upgrade
their whole Debian.
Cybe R. Wizard
--
Nice computers don't go down.
Larry Niven, Steven Barnes
"The Barsoom Project"