It looks pretty fishy that this code is trying to run sudo at all. Surely that should be done by a deployment script, rather than by a CPAN module.
Everyone should update their /etc/sudoers to avoid the all-too-common security hole that allows sudo to be run by any process and without authenticating, within a five-minute window of another sudo command having been run. Add this to /etc/sudoers:

    Defaults timestamp_timeout=0

This will then require you to authenticate *for every sudo command*, which is the only way to prevent malicious or naive code from running as root.

On Tue, Apr 28, 2015 at 8:46 AM, Nigel Horne <n...@bandsman.co.uk> wrote:

> On 4/28/15 11:40 AM, David Golden wrote:
>
>> I raised it on #mojo and it's been fixed:
>>
>> https://metacpan.org/changes/release/JHTHORSEN/Toadfarm-0.56
>>
>
> Great - thanks.
>
>>
>> David
>>
>>
>> -Nigel
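Added example, not part of the original thread: a small audit of sudoers text for the timestamp_timeout setting recommended in the message above, including scoped Defaults lines that can bring caching back for one user or host. The function names and the sample input are hypothetical; the five-minute built-in default is taken from the message.

```python
import re

# Assumption: with no timestamp_timeout set, sudo caches credentials for the
# five-minute window the message above describes.
BUILTIN_DEFAULT_MINUTES = 5.0

_SETTING = re.compile(r'\btimestamp_timeout\s*=\s*"?(-?\d+(?:\.\d+)?)')
_DEFAULTS = re.compile(r'^Defaults(\S*)\s+(.*)$')


def audit_timestamp_timeout(sudoers_text):
    """Return (global_minutes, scoped) where scoped is [(scope, minutes), ...].

    The last unscoped Defaults entry wins. Scoped entries (Defaults:user,
    Defaults@host, Defaults>runas, Defaults!cmnd) are listed separately.
    #include / #includedir files are not followed; audit each file in turn.
    """
    joined = re.sub(r'\\\n', ' ', sudoers_text)  # join backslash continuations
    global_minutes, scoped = BUILTIN_DEFAULT_MINUTES, []
    for raw in joined.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and #include lines
        m = _DEFAULTS.match(line)
        if not m:
            continue
        scope, settings = m.groups()
        for value in _SETTING.findall(settings):
            if scope:
                scoped.append((scope, float(value)))
            else:
                global_minutes = float(value)
    return global_minutes, scoped


def caching_entries(sudoers_text):
    """Scopes where a sudo credential is still cached (0 means always prompt)."""
    global_minutes, scoped = audit_timestamp_timeout(sudoers_text)
    return [(s, v) for s, v in [('', global_minutes)] + scoped if v != 0]


# Constructed sample, not taken from any real host.
SAMPLE = """\
Defaults env_reset, timestamp_timeout=0
Defaults:deploy timestamp_timeout=-1   # negative: cached credential never expires
Defaults@build01 \\
    timestamp_timeout=15
"""

if __name__ == "__main__":
    print(caching_entries(SAMPLE))
```

An empty scope in the result means the global setting; any entry returned is a place where sudo will still run without prompting inside the cached window.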