Bugtraq mailing list archives
Re: hole in sudo for MP-RAS.
From: Todd.Miller () COURTESAN COM (Todd C. Miller)
Date: Mon, 12 Jan 1998 21:53:37 -0700
In message <199801130402.WAA09191 () l-ecn004 icaen uiowa edu> so spake (dsiebert):
Seems to me that fixing the "exclude" stuff in sudo is a bit harder than just verifying the path is on the exclude list. Any exclude list should default automaticaly to only letting you run stuff owned by root (or bin, or whatever owns your system binaries) Otherwise a user can just make a copy of (or compile) something banned. Though realistically, I don't see how you could make an exclude list complete enough to avoid letting a user run a shell, at which point the user can do anything anyway.
excluding things from 'ALL' is pretty much meaningless for the reasons you've noted above. The exclusion facility is really only useful for subtractings things from a real list... - todd
Current thread:
- [SIGNED] Buffer overflows in Deliver: get 2.1.13, (continued)
- [SIGNED] Buffer overflows in Deliver: get 2.1.13 Chip Salzenberg (Jan 12)
- KSR[T] Advisory #6: deliver KSR[T] (Jan 12)
- Re: KSR[T] Advisory #6: deliver Chip Salzenberg (Jan 12)
- hole in sudo for MP-RAS. osiris () COURIER CB LUCENT COM (Jan 12)
- Re: hole in sudo for MP-RAS. Cy Schubert - ITSD Open Systems Group (Jan 12)
- Re: hole in sudo for MP-RAS. Todd C. Miller (Jan 12)
- Re: hole in sudo for MP-RAS. Cy Schubert - ITSD Open Systems Group (Jan 12)
- Re: hole in sudo for MP-RAS. Todd C. Miller (Jan 12)
- Re: hole in sudo for MP-RAS. Todd C. Miller (Jan 13)
- Re: hole in sudo for MP-RAS. dsiebert () ICAEN UIOWA EDU (Jan 12)
- Re: hole in sudo for MP-RAS. Todd C. Miller (Jan 12)
- CPSN 9:971208: Solaris /var Permission Problems CPIO Advisory Role Account (Jan 12)