Package: mc Version: 1:4.6.1-6 Severity: critical Tags: security Justification: root security hole
Hello, When a user appearing in the sudoers file use the following command : $sudo mc Midnight Commander starts within a root shell. Look at the bottom left of the mc screen : [EMAIL PROTECTED]:~# Also, 'whoami' reports 'root'. Then the user as full access to the filesystem has the root user. It occurs even if the sudoers file do not allow access to the /usr/bin/su command to the user. I don't know if it is a feature, but it looks strange to me. I think that system administrators using sudo functionnalities should be aware of this behaviour. PS : This behaviour occurs also with Ubuntu 8.04 (Hardy), on a standard desktop installation. Thanks. Regards, --- Mathieu RV -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-6-686 Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Versions of packages mc depends on: ii libc6 2.3.6.ds1-13etch7 GNU C Library: Shared libraries ii libglib2.0-0 2.12.4-2 The GLib library of C routines ii libgpmg1 1.19.6-25 General Purpose Mouse - shared lib ii libslang2 2.0.6-4 The S-Lang programming library - r mc recommends no packages. -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]