<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos

Bugtraq: Re: hole in sudo for MP-RAS.

Re: hole in sudo for MP-RAS.

From: Todd C. Miller <Todd.Miller_at_COURTESAN.COM>
Date: Mon, 12 Jan 1998 21:53:37 -0700

In message <199801130402.WAA09191_at_l-ecn004.icaen.uiowa.edu>
so spake (dsiebert):

> Seems to me that fixing the "exclude" stuff in sudo is a bit harder than just
> verifying the path is on the exclude list. Any exclude list should default
> automaticaly to only letting you run stuff owned by root (or bin, or whatever
> owns your system binaries) Otherwise a user can just make a copy of (or
> compile) something banned. Though realistically, I don't see how you could
> make an exclude list complete enough to avoid letting a user run a shell, at
> which point the user can do anything anyway.

excluding things from 'ALL' is pretty much meaningless for the
reasons you've noted above. The exclusion facility is really only
useful for subtractings things from a real list...

- todd
Received on Jan 13 1998

This message: [ Message body ]
Next message: Todd C. Miller: "Re: hole in sudo for MP-RAS."
Previous message: MATTHEW POTTER: "Correction: CPSN 9:971208: Solaris /var Permission Problems"
In reply to: dsiebert_at_ICAEN.UIOWA.EDU: "Re: hole in sudo for MP-RAS."
Next in thread: CPIO Advisory Role Account: "CPSN 9:971208: Solaris /var Permission Problems"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]

edgeos