[5941] in bugtraq
Re: hole in sudo for MP-RAS.
daemon@ATHENA.MIT.EDU (Cy Schubert - ITSD Open Systems Gr)
Mon Jan 12 20:42:54 1998
Date: Mon, 12 Jan 1998 15:20:49 -0800
Reply-To: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <cschuber@UUMAIL.GOV.BC.CA>
X-To: osiris@courier.cb.lucent.com
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 12 Jan 1998 12:29:09 EST."
<9801121729.AA08545@atlas.cb.lucent.com>
> There is a bug in sudo versions (at least) 1.5.2 and 1.5.3 on NCR's MP-RAS
> that makes it trivial to bypass sudo's restrictions. I reported this to
> the sudo-bugs address given in the source on 12/23/97, but never heard back,
> so screw 'em. It is important to note that MP-RAS is one of the platforms
> listed in the RUNSON file included with the distribution, so there are
> probably many people running this; I imagine you will want to reconsider it
> if you are one of them.
This bug exists on all platforms. Sudo does not handle relative directories
properly. ../../../usr/bin/date would also bypass the access list.
In short, inclusion lists are safe. Exclusion lists are not safe.
> --jml
Regards,                        Phone:    (250)387-8437
Cy Schubert                     Fax:      (250)387-5766
UNIX Support                    OV/VM:    BCSC02(CSCHUBER)
ITSD                            BITNET:   CSCHUBER@BCSC02.BITNET
Government of BC                Internet: cschuber@uumail.gov.bc.ca
                                          Cy.Schubert@gems8.gov.bc.ca
"Quit spooling around, JES do it."
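The point in the reply above (a literal-string exclusion list is bypassed by a relative path, while an inclusion list fails closed) as an added illustration; this is not sudo's code or sudoers syntax, and the policy sets, user name and working directory are constructed for the demonstration:

```python
import posixpath

# Constructed policy for a hypothetical user; not real sudoers syntax.
DENY_LIST = {"/usr/bin/date"}            # exclusion list: "anything except date"
ALLOW_LIST = {"/bin/ls", "/usr/bin/id"}  # inclusion list: "only these"
CWD = "/home/user"                       # assumed working directory of the caller


def canonical(cmd, cwd=CWD):
    """Resolve a possibly relative command path against cwd and collapse '..'.

    Pure string normalisation (posixpath) so it runs offline on any host; a
    real checker would use os.path.realpath so symlinks are resolved as well.
    """
    if not posixpath.isabs(cmd):
        cmd = posixpath.join(cwd, cmd)
    return posixpath.normpath(cmd)


def deny_list_naive(cmd):
    """The failure mode described in the post: compare the literal string."""
    return cmd not in DENY_LIST


def deny_list_canonical(cmd, cwd=CWD):
    """Exclusion list checked against the canonical path: closes the gap."""
    return canonical(cmd, cwd) not in DENY_LIST


def allow_list_naive(cmd):
    """Inclusion list with literal matching: an unexpected spelling is denied,
    so even without canonicalisation it fails closed."""
    return cmd in ALLOW_LIST


if __name__ == "__main__":
    for cmd in ("/usr/bin/date", "../../../usr/bin/date", "/bin/ls"):
        print(f"{cmd:26} -> {canonical(cmd):14} "
              f"deny_naive={deny_list_naive(cmd)!s:5} "
              f"deny_canon={deny_list_canonical(cmd)!s:5} "
              f"allow_naive={allow_list_naive(cmd)}")
```

Running it shows the relative spelling slipping past the naive exclusion list while both the canonicalised exclusion list and the inclusion list reject it.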