[5945] in bugtraq
Re: hole in sudo for MP-RAS.
daemon@ATHENA.MIT.EDU (dsiebert@ICAEN.UIOWA.EDU)
Tue Jan 13 00:01:13 1998
Date: Mon, 12 Jan 1998 22:02:53 -0600
Reply-To: douglas-siebert@uiowa.edu
From: dsiebert@ICAEN.UIOWA.EDU
X-To: cschuber@uumail.gov.bc.ca
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199801130254.SAA13611@cwsys.cwsent.com> from "Cy Schubert - ITSD
Open Systems Group" at Jan 12, 98 06:54:13 pm
>
> I've been able to reproduce the exploit using cu-sudo 1.5.3 under DEC UNIX
> 4.0B and FreeBSD 2.2.5. After looking at the code the bug can be exploited on
> any platform.
>
> Here is a patch to fix the problem, assuming your operating system of choice
> supports realpath(3). *BSD, Linux, Solaris, SunOS, DEC UNIX, AIX, and DG/UX
> should have no problem with this patch.
>
Seems to me that fixing the "exclude" stuff in sudo is a bit harder than just
verifying the path is on the exclude list. Any exclude list should default
automaticaly to only letting you run stuff owned by root (or bin, or whatever
owns your system binaries) Otherwise a user can just make a copy of (or
compile) something banned. Though realistically, I don't see how you could
make an exclude list complete enough to avoid letting a user run a shell, at
which point the user can do anything anyway.
--
Douglas Siebert Director of Computing Facilities
douglas-siebert@uiowa.edu Division of Mathematical Sciences, U of Iowa
If you let the system beat you long enough, eventually it'll get tired.
