Subject: Re: [lists@globalintersec.com: [Global InterSec 2002041701] Sudo Password Prompt Vulnerability.]
To: Jan Schaumann <jschauma@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 04/25/2002 11:26:04

On Thu, Apr 25, 2002 at 11:05:29AM -0400, Jan Schaumann wrote:
> Attached find a patch to include into pkgsrc/security/sudo/patches to
> fix this problem.

Shame it doesn't fix the fundamental problem with sudo: it is almost
impossible to actually set it up so that the access of a sudoer is
truly restricted.  I've almost never walked up to a system with sudo
installed and spent more than ten minutes looking around before finding
a way to use sudo to gain unrestricted root access.  Heck, many places,
the most common thing sudo is used for is to run /bin/sh! ;-)

A lot of people don't want sudo; they want su -c and don't know that
it exists.  But with sudo, they get to be deceived into thinking that
they have somehow increased the security of their systems... not good.

Thor