
List:       vuln-dev
Subject:    Re: Red Hat 9: free tickets
From:       Stephen Samuel <samuel () bcgreen ! com>
Date:       2003-07-11 18:30:12

Jon Hart wrote:
> On Sun, Jul 06, 2003 at 12:30:34PM -0700, Stephen Samuel wrote:

>>Proof of concept:
>>
>>as yourself:
>>ln -s /var/run/sudo/$USER/unknown:root /tmp/oops
>>
>>as root:
>>touch /tmp/oops

> Actually, I'm not sure this is entirely true.  Well, it is, but there is
> another important condition that must be met for this (or similar)
> attacks to work properly -- /var/run/sudo/$USER/ must exist.  This means
> that the user must have previously sudo'd at least once and
> /var/run/sudo/$USER/ will have been created.

Yep, that sounds accurate, but it just raised another point for me
(not quite blazingly obvious, but an issue to remember, nonetheless):

If, as an administrator, you use the GUI password thing to access
an admin function, you have to remember to (must be done as root)
remove the /var/run/sudo/$USER/* files -- or else the user has
(essentially) full root privs until the file expires.

I think that Red Hat should allow some way (and I really think
it should be the default state) for people to indicate that
they do *NOT* want the system to remember that authorization.

-- 
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
		   http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
        the jewel within each person and bring it to life.
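
An added example, not part of the original message or of sudo itself: a small audit script for the cleanup step described above. It lists tickets that are still live, flags symlinks in /tmp that point into the ticket tree, and removes one user's tickets. The function names, the mtime-based expiry check and the 5-minute window are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: tickets are files
# under /var/run/sudo/<user>/ (the layout in the message) and a ticket is
# live while its mtime is younger than TIMEOUT_MIN (5 = sudo's stock default).
TICKET_DIR=${TICKET_DIR:-/var/run/sudo}
TIMEOUT_MIN=${TIMEOUT_MIN:-5}

# Print "user<TAB>path" for each ticket still inside the timeout window.
live_tickets() {
    dir=$1; timeout=$2
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 2 -type f -mmin "-$timeout" 2>/dev/null |
    while IFS= read -r path; do
        rel=${path#"$dir"/}
        printf '%s\t%s\n' "${rel%%/*}" "$path"
    done
}

# Print "link<TAB>target" for symlinks under a world-writable directory that
# point into the ticket tree; root touching one would create a ticket.
ticket_symlinks() {
    dir=$1; scan=$2
    find "$scan" -type l 2>/dev/null |
    while IFS= read -r link; do
        target=$(readlink "$link") || continue
        case $target in
            "$dir"/*) printf '%s\t%s\n' "$link" "$target" ;;
        esac
    done
}

# Remove every ticket for one user (must run as root on a real system).
revoke_user() {
    dir=$1; user=$2
    case $user in
        ''|*/*|.|..) echo "bad user name: $user" >&2; return 1 ;;
    esac
    [ -d "$dir/$user" ] || return 0
    find "$dir/$user" -mindepth 1 ! -type d -exec rm -f -- {} +
}

# Usage: script audit           -> list live tickets and suspicious links
#        script revoke <user>   -> drop that user's tickets
case ${1:-} in
    audit)  live_tickets "$TICKET_DIR" "$TIMEOUT_MIN"
            ticket_symlinks "$TICKET_DIR" /tmp ;;
    revoke) revoke_user "$TICKET_DIR" "${2:-}" ;;
esac
```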
