On Wed, Dec 11, 2013 at 10:56 PM, Ralf Mardorf <ralf.mard...@alice-dsl.net> wrote:
>
> http://www.paritynews.com/2013/03/05/762/sudo-authentication-bypass-vulnerability-emerges/
>
> But note! The Chaos Computer Club does publish howtos using sudo on
> Linux: http://muc.ccc.de/uberbus:ubd
>
> I don't think the Chaos Computer Club folks would write a howto using
> sudo, if sudo would be a security risk.

"There are few prerequisites for the attack to work: the user must be listed in the /etc/sudoers file; must have successfully authenticated to execute a sudo command once; and it must be possible for users to modify the system time without entering a password."

Having someone upgrade his/her sudo privileges to "NOPASSWD:" isn't good, but it isn't the end of the world when compared to an external attacker getting access to a system.