[21568] in bugtraq


Re: [ESA-20010711-02] sudo elevated privileges vulnerability

daemon@ATHENA.MIT.EDU (Steffen Dettmer)
Tue Jul 17 12:15:43 2001

Date: Tue, 17 Jul 2001 11:40:26 +0200
From: Steffen Dettmer <steffen@dett.de>
To: bugtraq@securityfocus.com
Message-ID: <20010717114026.I18366@dx.net.de>
Reply-To: Steffen Dettmer <steffen@dett.de>
Mail-Followup-To: Steffen Dettmer <steffen@dett.de>,
	bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <EFENJAPLAGBPEFAADBMPAENPCCAA.jonathan.zdziarski@micromuse.com>; from jonathan.zdziarski@micromuse.com on Mon, Jul 16, 2001 at 12:04:16PM -0400
Content-Transfer-Encoding: 8bit

* Jonathan A. Zdziarski wrote on Mon, Jul 16, 2001 at 12:04 -0400:
> If, however, you are looking for a good way to allow someone to
> edit files using sudo, and have already rejected the idea of
> using groups or acls, consider 'elvis'. 

When you have a file writeable by root only, there's no need to
run the whole edit session as sudo root. You could create some
wrapper, which gets the file from a special non-privileged user
and puts it - after some consistency checks - at the right place.
Of course the file must not be a symlink and so on. By this, the
wrapper can do a diff -u and mail the result to root if desired.

I cannot understand why people run complex programs as root if
they need the privilege for a few system calls only!

oki,

Steffen

-- 
This message was produced by machine;
it therefore bears neither signature nor seal.
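The wrapper Steffen sketches, as an added example that is not part of the original post: sudo grants this small root-only install tool instead of a whole editor session. The function names and the particular checks are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post: a small root-only "install a
# staged file" wrapper in the spirit of the suggestion above. The idea is that
# sudo grants this wrapper, not an editor session. Function names and the
# specific checks are assumptions.

# A submission must be a plain regular file: no symlink, device or directory.
# Test -L before -f, because -f follows symlinks.
check_regular() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# Minimal content check for a text config: non-empty and free of NUL bytes
# (stripping NULs must leave the file unchanged). A real wrapper would call a
# format-specific validator here instead.
check_text() {
    [ -s "$1" ] || return 1
    LC_ALL=C tr -d '\000' < "$1" | cmp -s - "$1"
}

# install_staged STAGED TARGET
# Validates STAGED, prints the unified diff against the current TARGET on
# stdout (the post mails this to root), then replaces TARGET atomically with
# fixed permissions rather than whatever mode the submitter's file carried.
install_staged() {
    staged=$1 target=$2
    check_regular "$staged" || { echo "refused: $staged is not a regular file" >&2; return 1; }
    check_text "$staged"    || { echo "refused: $staged fails content checks" >&2; return 1; }
    [ ! -L "$target" ]      || { echo "refused: $target is a symlink" >&2; return 1; }
    if [ -e "$target" ]; then
        # diff exits 1 when the files differ; that is the expected case.
        diff -u "$target" "$staged" || [ $? -eq 1 ] || return 1
    fi
    # Copy next to the target and rename, so readers never see a half-written
    # file; when run as root via sudo the copy is root-owned.
    tmp="$target.tmp.$$"
    cp "$staged" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$target"
}

# Stand-alone use: install_wrapper.sh /var/stage/alice/hosts /etc/hosts
if [ $# -eq 2 ]; then
    install_staged "$1" "$2"
fi
```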
