Package: sudo
Version: 1.8.5p2-1+nmu2
Severity: normal

Dear Maintainer,

 I've noticed that sudo -l ususally seems to ask for a password.  If a
user though gets a single line configured with NOPASSWD, sudo -l doesn't
ask for any password and spits out all commands the user is able to run.

 This could be seen as information exposure.  Either the commands the
user can run shouldn't be password protected at all, regardless of
whether the user has a NOPASSWD line available, or the user should only
receive the NOPASSWD lines as output if they don't provide a password.

 I don't think it's a big deal in general, but it's a strange handling
of it and puzzled me because I considered the password question for
sudo -l to be somewhat of a security precaution of no information
exposure somehow.

 Thanks!
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los      |
Fühlst du dich hilflos, geh raus und hilf, los    | Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los    |


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to