Re: sudo and UNIXes
- To: debian-user@lists.debian.org
- Subject: Re: sudo and UNIXes
- From: Curt <curty@free.fr>
- Date: Sat, 2 Nov 2013 15:34:13 +0000 (UTC)
- Message-id: <slrnl7a6ss.2cf.curty@einstein.electron.org>
- References: <5269D17C.6090504@optonline.net> <20131025183155.GB9627@hysteria.proulx.com> <20131025234110.478c8065ddd992139a38bc3e@gmail.com> <CAOdo=SyHvrF=gPje83ryhjf+iyrLc6AqMTdHbJbJtfDFoWttBg@mail.gmail.com> <20131026011611.f2a1e103756681a7d0e858e0@gmail.com> <CAOdo=SyowAJfhFf+4y-m52cew4OdCYHOG894yufXtGBnYXK3LA@mail.gmail.com> <20131027113150.5d165f99e540507a9892132f@gmail.com> <1b38nmdqfg.fsf@snowball.wb.pfeifferfamily.net> <20131028134702.GA23316@x101h> <1bvc0hcqqo.fsf@snowball.wb.pfeifferfamily.net> <20131028181130.GB29376@x101h> <1b4n7vik0q.fsf@snowball.wb.pfeifferfamily.net>
On 2013-11-02, Joe Pfeiffer <pfeiffer@cs.nmsu.edu> wrote:
>>>
>>> Again -- isn't "basically equivalent to giving everyone uid=0." Permits
>>> someone who *has* sudo access to avoid retyping a password.
>>
>> Not only that. Permits someone who already has sudo access to continue
>> having such access indefinitely, ignoring being excluded from sudoers
>> altogether.
>
> You made a specific claim, that sudo without patches is "basically
> equivalent to giving everyone uid=0". You have yet to say anything that
> even begins to substantiate that claim.
>
How about this bug:
http://www.sudo.ws/sudo/alerts/sudo_debug.html
Impact: Successful exploitation of the bug will allow a user to run arbitrary
commands as root.
Exploitation of the bug does not require that the attacker be listed in the
sudoers file. As such, we strongly suggest that affected sites upgrade from
affected sudo versions as soon as possible.