François Boisson wrote:
> Severity: critical
> Tags: security
> Justification: root security hole

I think this is very much overinflated and I fail to see the security hole.

> sudo's default configuration is with a timestamp of 15'

I don't see the problem with that.

> and without tty_tickets.

Neither do I see a problem with this.

> So with a classical add of one user (just adding
> 
> superman   ALL=(ALL) ALL
> 
> as it is done in Ubuntu for instance), a simple script like
> 
> #!/bin/sh
> if [ -z $1 ] ; then
>     FILE=$0
>     echo $FILE
>     . $FILE vasy > /dev/null 2> /dev/null &
> else
>     while /bin/true ; do
>     echo sudo -n rm -Rf / >> /tmp/grrrr
>     sleep 60
>     done
> fi
> 
> called one time by superman erases the file system as soon
> as a sudo call is done. This configuration is very commonly used.

Indeed, as soon as one managed to do the sudo call that would work,
though I fail to see why it would be a problem in sudo. It works as
expected.

> The package must be either configured with tty_tickets in the sudoers
> file, or compiled with the option --with-tty-tickets. This solves
> the problem.

tty tickets don't solve anything, they just make the 15' happen per tty
instead of globally AFAICS.

Personally I would find it very unfortunate if this change were applied.

The real problem you experience seems to be that you don't like the
default Ubuntu uses as sudo configuration, no?

Cheers

Luk
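The thread turns on two sudoers directives, the credential-cache lifetime (timestamp_timeout, 15 minutes by default as the report says) and whether that cache is shared across all of a user's ttys (tty_tickets). The following is an added example, not part of the bug report or of Luk's reply and not sudo's own tooling: a small POSIX sh audit that reports what a given sudoers file explicitly sets for those two directives, so an administrator can see which behaviour a host actually has before deciding whether the default is acceptable. The function names and the sample sudoers content are mine and constructed for the example; the script does not follow #include or #includedir lines, and anything the file leaves unset is reported as "default" rather than guessed.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not from the thread or from sudo).
# Reports the timestamp_timeout value and the tty_tickets state that a sudoers
# file sets explicitly. Included files are not followed.

# Print the Defaults lines of FILE with comments removed and backslash
# continuations joined, so multi-line Defaults entries are seen whole.
sudoers_defaults() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" \
      | awk '/\\$/ { sub(/\\$/, ""); printf "%s", $0; next } { print }' \
      | grep -E '^[[:space:]]*Defaults'
}

# Print the last timestamp_timeout value set in FILE (minutes), or "default"
# when the file does not set one (the compiled-in default then applies).
timestamp_timeout_of() {
    v=$(sudoers_defaults "$1" \
        | sed -n 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*\([-0-9.]*\).*/\1/p' \
        | tail -n 1)
    [ -n "$v" ] && echo "$v" || echo "default"
}

# Print "on" if the last tty_tickets mention enables it, "off" if it is
# negated (!tty_tickets), or "default" if the file never mentions it.
tty_tickets_of() {
    last=$(sudoers_defaults "$1" | grep -oE '!?tty_tickets' | tail -n 1)
    case "$last" in
        tty_tickets)   echo on ;;
        '!tty_tickets') echo off ;;
        *)              echo default ;;
    esac
}

# One-line summary of both settings for FILE.
report() {
    printf 'timestamp_timeout=%s tty_tickets=%s\n' \
        "$(timestamp_timeout_of "$1")" "$(tty_tickets_of "$1")"
}

# Write a constructed sample sudoers file (not a real host's file) to PATH,
# mirroring the configuration described in the report: a 15-minute cache
# shared across ttys, plus the classic single-user entry.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's sudoers
Defaults env_reset, timestamp_timeout=15   # credentials cached for 15 minutes
Defaults !tty_tickets
superman   ALL=(ALL) ALL
EOF
}

# Usage on the constructed sample.
SAMPLE=$(mktemp)
write_sample_sudoers "$SAMPLE"
report "$SAMPLE"   # prints: timestamp_timeout=15 tty_tickets=off
rm -f "$SAMPLE"
```

Run it against /etc/sudoers (as root, since the file is not world-readable) to see the host's explicit settings; "default" in the output means the behaviour is whatever the package was compiled with, which is exactly the point the two participants disagree about.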


