Subject: Re: [ [Global InterSec 2002041701] Sudo Password Prompt Vulnerability.]
From: Greg A. Woods
List: tech-security
Date: 04/25/2002 18:06:50
[ On Thursday, April 25, 2002 at 11:26:04 (-0400), Thor Lancelot Simon wrote: ]
> Subject: Re: [ [Global InterSec 2002041701] Sudo Password Prompt Vulnerability.]
> On Thu, Apr 25, 2002 at 11:05:29AM -0400, Jan Schaumann wrote:
> > Attached find a patch to include into pkgsrc/security/sudo/patches to
> > fix this problem.
> Shame it doesn't fix the fundamental problem with sudo: it is almost
> impossible to actually set it up so that the access of a sudoer is
> truly restricted.  I've almost never walked up to a system with sudo
> installed and spent more than ten minutes looking around before finding
> a way to use sudo to gain unrestricted root access.  Heck, many places,
> the most common thing sudo is used for is to run /bin/sh! ;-)

That's true of absolutely every system where I've seen it installed.

> A lot of people don't want sudo; they want su -c and don't know that
> it exists.  But with sudo, they get to be deceived into thinking that
> they have somehow increased the security of their systems... not good.


And sudo users are too lazy for their own good.....

Sudo is a security bug waiting for an exploit.

								Greg A. Woods

+1 416 218-0098
Planix, Inc.; VE3TCP; Secrets of the Weird