Subject: "Todd C. Miller": Re: Bug is sudo?
To: None <tech-pkg@NetBSD.ORG>
From: Perry E. Metzger <perry@piermont.com>
List: tech-pkg
Date: 06/29/1998 15:53:09
--Multipart_Mon_Jun_29_15:53:08_1998-1
Content-Type: text/plain; charset=US-ASCII


Apparently there has been a security bug in sudo (which is one of our
packages).


--Multipart_Mon_Jun_29_15:53:08_1998-1
Content-Type: message/rfc822

Delivery-Date: Mon Jun 29 14:55:25 1998
Approved-By: aleph1@DFW.NET
References: <Pine.LNX.3.96.980626031539.9457A-100000@is-so.elite.nu>
Message-ID: <199806272027.OAA22337@xerxes.courtesan.com>
Date: 	Sat, 27 Jun 1998 14:27:56 -0600
Reply-To: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
From: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
Subject:      Re: Bug is sudo?
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Fri, 26 Jun 1998 03:25:56 +0300." 
              <Pine.LNX.3.96.980626031539.9457A-100000@is-so.elite.nu>

Of course, this only works if you exist in the sudoers file, which
makes it pretty benign.  I agree that sudo should ask for a password
and this is fixed in sudo 1.5.4p1, available now from:
    ftp://ftp.cs.colorado.edu/pub/sudo/cu-sudo.v1.5.4p1.tar.Z

It is still possible for a user in sudoers to probe for binaries
but it's not really possible to disable that without making it
impossible for a sudo user to know *which* version of a command
was disallowed (for instance, sudoers may specify the system "ls"
and the user may have the GNU version first in their path).

 - todd

--Multipart_Mon_Jun_29_15:53:08_1998-1--