Isn't the real meat of this issue the commands an unprivileged user is
permitted to execute via sudo?
Sudo isn't a blanket 'execute anything' unless it's set up that way.
Instead, you should carefully choose the specific command(s) that the user
needs to be allowed to execute. That should
Sent: Sunday, January 22, 2006 10:48 AM
To: Burton Strauss
Cc: 'Bernd Wurst'; bugtraq@securityfocus.com
Subject: Re: MySQL 5.0 information leak?
Burton Strauss wrote:
I'd get a refund on your coinage... root's password is not security by
obscurity, it is an undisclosed piece
Traditionally the schema for a database is NOT secure information.
Applications download this information to build queries on the fly.
The essential problem is relying on security by obscurity, I have user
accounts (nss) that have publicly available credentials but noone [sic]
should be able to