Date: Fri, 11 Jul 2003 11:30:12 -0700
From: Stephen Samuel <samuel@...reen.com>
To: Jon Hart <warchild@...ofed.org>
Cc: vuln-dev@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Re: Red Hat 9: free tickets


Jon Hart wrote:
> On Sun, Jul 06, 2003 at 12:30:34PM -0700, Stephen Samuel wrote:

>>Proof of concept:
>>
>>as yourself:
>>ln -s /var/run/sudo/$USER/unknown:root /tmp/oops
>>
>>as root:
>>touch /tmp/oops

> Actually, I'm not sure this is entirely true.  Well, it is, but there is
> another important condition that must be met for this (or similar)
> attacks to work properly -- /var/run/sudo/$USER/ must exist.  This means
> that the user must have previously sudo'd at least once and
> /var/run/sudo/$USER/ will have been created.

Yep, that sounds accurate, but it just raised another point for me
(not quite blazingly obvious, but an issue to remember, nonetheless):

If, as an administrator, you use the GUI password thing to access
an admin function, you have to remember to remove (must be done as root)
the /var/run/sudo/$USER/* files -- or else the user has
(essentially) full root privs until the file expires.

I think that redhat should allow some way (and I really think
it should be the default state) for people to indicate that
they do *NOT* want the system to remember that authorization.

-- 
Stephen Samuel +1(604)876-0426                samuel@...reen.com
		   http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
        the jewel within each person and bringing it to life.
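The clean-up step described in the message above (removing the per-user timestamp files so a cached sudo authorization does not outlive the GUI session) can be scripted. The following is an added example, not code from the original post or from sudo itself. It assumes the Red Hat 9 layout the thread names, /var/run/sudo/$USER/, and reads the base directory from a hypothetical SUDO_TS_DIR variable so it can be exercised against a scratch directory; on a real system it must be run as root. Because the thread's proof of concept plants a symlink in this area, the function refuses to touch a per-user path that is not a plain directory and only deletes regular files, never following links.

```shell
#!/bin/sh
# Added example (not from the original message or from sudo).
# SUDO_TS_DIR is an assumption for testing; the real path on the
# Red Hat 9 system discussed is /var/run/sudo.

# Returns 0 if the user has at least one cached sudo timestamp file.
sudo_ticket_active() {
    udir="${SUDO_TS_DIR:-/var/run/sudo}/$1"
    [ -d "$udir" ] || return 1
    for f in "$udir"/*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Removes the user's cached sudo timestamp files and prints how many
# were removed. Refuses to operate if the per-user path is missing or
# is a symlink (the attack in this thread relies on planted symlinks).
clear_sudo_timestamps() {
    user="$1"
    udir="${SUDO_TS_DIR:-/var/run/sudo}/$user"
    if [ -L "$udir" ] || [ ! -d "$udir" ]; then
        return 1
    fi
    count=0
    for f in "$udir"/*; do
        # Only regular files; rm -f on a symlink would remove the link,
        # not its target, but we still skip anything that is not a plain
        # timestamp file so the count reflects real tickets.
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            rm -f "$f"
            count=$((count + 1))
        fi
    done
    echo "$count"
    return 0
}
```

Typical use after finishing a GUI-authenticated admin task: as root, run `clear_sudo_timestamps alice` and confirm `sudo_ticket_active alice` now fails. A non-zero return from clear_sudo_timestamps means the per-user directory was absent or was itself a symlink, which is worth investigating rather than ignoring.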