Ralf Mardorf wrote: > http://www.paritynews.com/2013/03/05/762/sudo-authentication-bypass-vulnerability-emerges/ In the article: ... it must be possible for users to modify the system time without entering a password. How would this be accomplished? (Answer cannot contain a use of sudo! No circular logic please.) Regardless, Debian is already shipping versions which addresses that concern. It was reported 27-Feb-2013 and closed as fixed on 01-Mar-2013. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701838 > But note! The Chaos Computer Club does publish howtos using sudo on > Linux: http://muc.ccc.de/uberbus:ubd > > I don't think the Chaos Computer Club folks would write a howto using > sudo, if sudo would be a security risk. Right. Because normal users can't change the system time. If they could other attacks would also be possible. Bob
Attachment:
signature.asc
Description: Digital signature