Subject: Re: [lists@globalintersec.com: [Global InterSec 2002041701] Sudo Password Prompt Vulnerability.]
To: None <tech-security@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 04/25/2002 18:06:50
[ On Thursday, April 25, 2002 at 11:26:04 (-0400), Thor Lancelot Simon wrote: ]
> Subject: Re: [lists@globalintersec.com: [Global InterSec 2002041701] Sudo Password Prompt Vulnerability.]
>
> On Thu, Apr 25, 2002 at 11:05:29AM -0400, Jan Schaumann wrote:
> > Attached find a patch to include into pkgsrc/security/sudo/patches to
> > fix this problem.
> 
> Shame it doesn't fix the fundamental problem with sudo: it is almost
> impossible to actually set it up so that the access of a sudoer is
> truly restricted.  I've almost never walked up to a system with sudo
> installed and spent more than ten minutes looking around before finding
> a way to use sudo to gain unrestricted root access.  Heck, many places,
> the most common thing sudo is used for is to run /bin/sh! ;-)

That's true of absolutely every system where I've seen it installed.

> A lot of people don't want sudo; they want su -c and don't know that
> it exists.  But with sudo, they get to be deceived into thinking that
> they have somehow increased the security of their systems... not good.

Amen.

And sudo users are too lazy for their own good.....

Sudo is a security bug waiting for an exploit.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
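
The observation quoted above, that sudo is commonly configured to run /bin/sh, can be checked mechanically on a given host. The following is an added example, not part of the original post or of sudo: it expands `Cmnd_Alias` entries in sudoers text and lists the rules that grant `ALL` or a shell. The shell list, the function names and the sample sudoers text are assumptions constructed here, and only one alias per line and a single runas user are handled.

```python
import re

# Assumption: interpreters counted as an unrestricted root shell in this audit.
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}
# Optional "(runas)" prefix and tags such as "NOPASSWD:" before a command.
PREFIX = re.compile(r"^(\([^)]*\)\s*)?([A-Z_]+:\s*)*")
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def expand(cmds, aliases, seen=()):
    """Recursively replace Cmnd_Alias names with the commands they stand for."""
    for cmd in cmds:
        cmd = PREFIX.sub("", cmd)
        if cmd in aliases and cmd not in seen:
            yield from expand(aliases[cmd], aliases, seen + (cmd,))
        elif cmd:
            yield cmd

def is_unrestricted(cmd):
    """True for ALL or a shell; negated entries ("!/bin/sh") grant nothing."""
    if cmd.startswith("!"):
        return False
    return cmd == "ALL" or cmd.split()[0].rsplit("/", 1)[-1] in SHELLS

def unrestricted_rules(text):
    """Return (user, command) pairs that amount to unrestricted root access."""
    aliases, specs = {}, []
    for line in logical_lines(text):
        left, sep, right = line.partition("=")
        if not sep or line.startswith(SKIP):
            continue
        cmds = [c.strip() for c in right.split(",")]
        if left.startswith("Cmnd_Alias"):
            aliases[left.split()[1]] = cmds
        else:
            specs.append((left.split()[0], cmds))
    return [(who, c) for who, cmds in specs
            for c in expand(cmds, aliases) if is_unrestricted(c)]

SAMPLE = r"""# constructed sample, not taken from any real system
Cmnd_Alias ROOTSH = /bin/sh, /bin/csh
Cmnd_Alias MAINT = /sbin/shutdown, \
                   ROOTSH
alice  ALL = (root) NOPASSWD: MAINT
bob    ALL = /usr/bin/lpc
carol  ALL = ALL, !/bin/sh
"""
```

In the constructed sample, alice reaches a shell only through a nested alias, and carol's rule is reported because it grants `ALL`.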