Re: hole in sudo for MP-RAS.

dsiebert@ICAEN.UIOWA.EDU
Mon, 12 Jan 1998 22:02:53 -0600

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Chip Salzenberg: "[SIGNED] Buffer overflows in Deliver: get 2.1.13"
Previous message: Todd C. Miller: "Re: hole in sudo for MP-RAS."
Maybe in reply to: osiris@COURIER.CB.LUCENT.COM: "hole in sudo for MP-RAS."
Next in thread: Todd C. Miller: "Re: hole in sudo for MP-RAS."

>
> I've been able to reproduce the exploit using cu-sudo 1.5.3 under DEC UNIX
> 4.0B and FreeBSD 2.2.5. After looking at the code the bug can be exploited on
> any platform.
>
> Here is a patch to fix the problem, assuming your operating system of choice
> supports realpath(3). *BSD, Linux, Solaris, SunOS, DEC UNIX, AIX, and DG/UX
> should have no problem with this patch.
>

Seems to me that fixing the "exclude" stuff in sudo is a bit harder than just
verifying the path is on the exclude list. Any exclude list should default
automaticaly to only letting you run stuff owned by root (or bin, or whatever
owns your system binaries) Otherwise a user can just make a copy of (or
compile) something banned. Though realistically, I don't see how you could
make an exclude list complete enough to avoid letting a user run a shell, at
which point the user can do anything anyway.

--
Douglas Siebert                Director of Computing Facilities
douglas-siebert@uiowa.edu      Division of Mathematical Sciences, U of Iowa

If you let the system beat you long enough, eventually it'll get tired.

Next message: Chip Salzenberg: "[SIGNED] Buffer overflows in Deliver: get 2.1.13"
Previous message: Todd C. Miller: "Re: hole in sudo for MP-RAS."
Maybe in reply to: osiris@COURIER.CB.LUCENT.COM: "hole in sudo for MP-RAS."
Next in thread: Todd C. Miller: "Re: hole in sudo for MP-RAS."