Bugtraq mailing list archives
Re: Bug is sudo?
From: Todd.Miller () COURTESAN COM (Todd C. Miller)
Date: Sat, 27 Jun 1998 14:27:56 -0600
Of course, this only works if you exist in the sudoers file, which makes it pretty benign. I agree that sudo should ask for a password and this is fixed in sudo 1.5.4p1, available now from: ftp://ftp.cs.colorado.edu/pub/sudo/cu-sudo.v1.5.4p1.tar.Z It is still possible for a user in sudoers to probe for binaries but it's not really possible to disable that without making it impossible for a sudo user to know *which* version of a command was disallowed (for instance, sudoers may specify the system "ls" and the user may have the GNU version first in their path). - todd
Current thread:
- Re: ncftp 2.4.3 bug, (continued)
- Re: ncftp 2.4.3 bug Paul Boehm (Jun 22)
- Re: ncftp 2.4.3 bug Liviu Daia (Jun 23)
- textcounter.pl SECURITY HOLE Doru Petrescu (Jun 23)
- Re: textcounter.pl SECURITY HOLE Rich Lafferty (Jun 24)
- Yipes named attack Anonymous (Jun 24)
- security hole in mailx Alvaro Martinez Echevarria (Jun 24)
- Re: security hole in mailx gold (Jun 25)
- Re: security hole in mailx Casper Dik (Jun 25)
- Bug is sudo? Rhodie (Jun 25)
- Re: Bug is sudo? Warner Losh (Jun 26)
- Re: Bug is sudo? Todd C. Miller (Jun 27)
- Re: security hole in mailx Alvaro Martinez Echevarria (Jun 25)
- Re: security hole in mailx Ben Collins (Jun 25)
- Re: security hole in mailx Theo de Raadt (Jun 25)
- guestbook script is still vulnerable under apache Stunt Pope (Jun 25)
- Re: guestbook script is still vulnerable under apache Theo Van Dinter (Jun 25)
- Re: guestbook script is still vulnerable under apache Andru Luvisi (Jun 25)
- Re: guestbook script is still vulnerable under apache Lincoln Stein (Jun 26)
- dip-3.3.7p exploit (stackpatch_ Thomas Troeger (Jun 26)
- And another qpopper overflow (does this make 3?) Aaron D. Gifford (Jun 28)
- Re: dip-3.3.7p exploit (stackpatch_ M.C.Mar (Jun 28)