Bugtraq: Re: hole in sudo for MP-RAS.

From: Cy Schubert - ITSD Open Systems Group <cschuber_at_uumail.gov.bc.ca>
Date: Mon, 12 Jan 1998 15:20:49 -0800

> There is a bug in sudo versions (at least) 1.5.2 and 1.5.3 on NCR's MP-RAS
> that makes it trivial to bypass sudo's restrictions. I reported this to
> the sudo-bugs address given in the source on 12/23/97, but never heard back,
> so screw 'em. It is important to note that MP-RAS is one of the platforms
> listed in the RUNSON file included with the distribution, so there are
> probably many people running this; I imagine you will want to reconsider it
> if you are one of them.

This bug exists on all platforms. Sudo does not handle relative directories
properly. ../../../usr/bin/date would also bypass the access list.

In short, inclusion lists are safe. Exclusion lists are not safe.

> --jml

Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
UNIX Support OV/VM: BCSC02(CSCHUBER)
ITSD BITNET: CSCHUBER_at_BCSC02.BITNET
Government of BC Internet: cschuber_at_uumail.gov.bc.ca
                                       Cy.Schubert_at_gems8.gov.bc.ca

                "Quit spooling around, JES do it."
Received on Jan 12 1998
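
The point made in the reply above, as an added example that is not part of the original message and is not sudo's matching code: a simplified model of an access list, showing how an exclusion list compared against the typed string treats `../../../usr/bin/date` differently from `/usr/bin/date`, while an inclusion list refuses whatever it does not recognise. The function names, the list entries and the working directory are assumptions constructed for the illustration.

```python
import posixpath

# Constructed policy entries for illustration (not from a real sudoers file).
DENIED = {"/usr/bin/date"}                  # exclusion list: everything except these
ALLOWED = {"/usr/bin/ls", "/usr/bin/id"}    # inclusion list: only these


def resolve(cmd, cwd):
    """Lexically resolve cmd against cwd: absolute path, no '.' or '..' parts.

    Symbolic links are not followed; this only removes spelling differences.
    """
    return posixpath.normpath(posixpath.join(cwd, cmd))


def deny_literal(cmd):
    """Exclusion list compared against the string exactly as typed."""
    return cmd not in DENIED


def deny_resolved(cmd, cwd):
    """Exclusion list compared against the resolved path."""
    return resolve(cmd, cwd) not in DENIED


def allow_resolved(cmd, cwd):
    """Inclusion list compared against the resolved path; unknown means refused."""
    return resolve(cmd, cwd) in ALLOWED


def evaluate(requests, cwd):
    """Return (cmd, resolved, deny_literal, deny_resolved, allow_resolved) rows."""
    return [(c, resolve(c, cwd), deny_literal(c), deny_resolved(c, cwd),
             allow_resolved(c, cwd)) for c in requests]


if __name__ == "__main__":
    CWD = "/home/op/work"  # constructed working directory, three levels deep
    REQUESTS = ["/usr/bin/date", "../../../usr/bin/date", "/usr/bin/./date",
                "/usr/bin/ls", "../../../usr/bin/id"]
    for row in evaluate(REQUESTS, CWD):
        print("%-24s -> %-14s deny-literal=%-5s deny-resolved=%-5s allow=%s" % row)
```

Resolving the path before the comparison closes the spelling gap for the exclusion list, but that list still permits every path nobody thought to enumerate, whereas the inclusion list fails closed.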
