Re: hole in sudo for MP-RAS.

[dsiebert () ICAEN UIOWA EDU (dsiebert () ICAEN UIOWA EDU)]

> I've been able to reproduce the exploit using cu-sudo 1.5.3 under DEC UNIX
> 4.0B and FreeBSD 2.2.5.  After looking at the code the bug can be exploited on
> any platform.
>
> Here is a patch to fix the problem, assuming your operating system of choice
> supports realpath(3).  *BSD, Linux, Solaris, SunOS, DEC UNIX, AIX, and DG/UX
> should have no problem with this patch.


Seems to me that fixing the "exclude" stuff in sudo is a bit harder than just
verifying the path is on the exclude list.  Any exclude list should default
automaticaly to only letting you run stuff owned by root (or bin, or whatever
owns your system binaries)  Otherwise a user can just make a copy of (or
compile) something banned.  Though realistically, I don't see how you could
make an exclude list complete enough to avoid letting a user run a shell, at
which point the user can do anything anyway.

--
Douglas Siebert                Director of Computing Facilities
douglas-siebert () uiowa edu      Division of Mathematical Sciences, U of Iowa

If you let the system beat you long enough, eventually it'll get tired.