Subject: Re: [email@example.com: [Global InterSec 2002041701] Sudo Password Prompt Vulnerability.]
To: Jan Schaumann <firstname.lastname@example.org>
From: Thor Lancelot Simon <email@example.com>
Date: 04/25/2002 11:26:04

On Thu, Apr 25, 2002 at 11:05:29AM -0400, Jan Schaumann wrote:
> Attached find a patch to include into pkgsrc/security/sudo/patches to
> fix this problem.

Shame it doesn't fix the fundamental problem with sudo: it is almost
impossible to actually set it up so that the access of a sudoer is
truly restricted. I've almost never walked up to a system with sudo
installed and spent more than ten minutes looking around before finding
a way to use sudo to gain unrestricted root access. Heck, many places,
the most common thing sudo is used for is to run /bin/sh! ;-)

A lot of people don't want sudo; they want su -c and don't know that
it exists. But with sudo, they get to be deceived into thinking that
they have somehow increased the security of their systems... not good.