Date:      Thu, 30 Jul 1998 11:09:31 -0700
From:      Studded <Studded@san.rr.com>
To:        ports@FreeBSD.ORG, erich@rrnet.com
Subject:   Small bug in sudo 1.5.4
Message-ID:  <35C0B6DB.C4B73BC8@san.rr.com>


A while back a small bug was found in sudo; attached is the author's
response on bugtraq. I'm curious as to whether there are plans to
upgrade our port. It looks like Erich has things in good shape, so if he
doesn't have time to do it I would be willing to up the version and make
sure it works as it's ported now.

Doug

-- 
***           Chief Operations Officer, DALnet IRC network          ***

When you don't know where you're going, every road will take you there.
     - Yiddish Proverb

Approved-By: aleph1@DFW.NET
References: <Pine.LNX.3.96.980626031539.9457A-100000@is-so.elite.nu>
Message-ID: <199806272027.OAA22337@xerxes.courtesan.com>
Date: 	Sat, 27 Jun 1998 14:27:56 -0600
Reply-To: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
Subject:      Re: Bug is sudo?
X-To:         Rhodie <rhodie@NAC.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Fri, 26 Jun 1998 03:25:56 +0300." 
              <Pine.LNX.3.96.980626031539.9457A-100000@is-so.elite.nu>

Of course, this only works if you exist in the sudoers file, which
makes it pretty benign.  I agree that sudo should ask for a password
and this is fixed in sudo 1.5.4p1, available now from:
    ftp://ftp.cs.colorado.edu/pub/sudo/cu-sudo.v1.5.4p1.tar.Z

It is still possible for a user in sudoers to probe for binaries
but it's not really possible to disable that without making it
impossible for a sudo user to know *which* version of a command
was disallowed (for instance, sudoers may specify the system "ls"
and the user may have the GNU version first in their path).

 - todd

