On 2010-01-30 09:02 +0100, Luk Claes wrote:

> François Boisson wrote:
>> Severity: critical
>> Tags: security
>> Justification: root security hole
>
> I think this is very much overinflated and I fail to see the security hole.
>
>> sudo's default configuration is with a timestamp of 15'
>
> I don't see the problem with that.
>
>> and without tty_tickets.
>
> Neither do I see a problem with this.
The problem is that Trojan horses exploiting bugs that lead to arbitrary code execution can gain root access much more easily without tty_tickets.

> tty tickets don't solve anything, they just make the 15' happen per tty
> instead of globally AFAICS.

Which would still reduce the attack vectors a lot. Exploits for your web browser would not be able to obtain root rights via sudo, for instance.

> Personally I would find it very unfortunate if this change would be applied.

Could you elaborate? Clearly tty_tickets reduces convenience, but a more secure default would be worth it, IMHO.

> The real problem you experience seems to be that you don't like the
> default Ubuntu uses as sudo configuration, no?

I find this question a bit hard to understand, given that Ubuntu _does_ enable tty_tickets by default at least since Hardy…

That being said, I agree that the severity is exaggerated.

Sven

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87vddwthcu....@turtle.gmx.de
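The setting the thread argues about, as an added example that is not part of the bug report or of Debian's sudo packaging: a sudoers drop-in that turns on per-tty credential caching and shortens the cache lifetime, next to a small checker that reads sudoers text and reports whether tty_tickets ends up enabled. The drop-in location (a file under /etc/sudoers.d), the 5-minute timeout, and the function names are this example's own choices; the checker assumes tty_tickets is off when no Defaults line mentions it, matching the default the report describes, and it only looks at global `Defaults` lines, not the per-user, per-host or per-runas `Defaults:`/`Defaults@`/`Defaults>` forms.

```shell
#!/bin/sh
# Added example, not from the bug report. Hardened sudoers defaults and a
# checker for what an existing sudoers file actually enables.

# Content of a drop-in such as /etc/sudoers.d/tty_tickets (path assumed;
# install it 0440 root:root, as sudo requires for sudoers files).
hardened_sudoers_dropin() {
    cat <<'EOF'
# Cache credentials per tty instead of per user. A process on another tty,
# or with no tty at all (a compromised browser), cannot reuse a ticket that
# an interactive shell obtained.
Defaults tty_tickets
# Shorten the cache from the 15-minute default. 5 minutes is this example's choice.
Defaults timestamp_timeout=5
EOF
}

# Read sudoers text on stdin and print "on" or "off" for tty_tickets.
# Only global "Defaults" lines are considered; comments are stripped, options
# after "Defaults" may be comma-separated, a later line overrides an earlier
# one, and "!tty_tickets" turns the option off again. With no mention at all,
# "off" is assumed (the default the bug report describes).
tty_tickets_state() {
    state=off
    while IFS= read -r line; do
        line=${line%%#*}                 # drop trailing comment
        case "$line" in
            Defaults*) ;;                # only Defaults lines matter here
            *) continue ;;
        esac
        opts=${line#Defaults}            # everything after the keyword
        oldifs=$IFS; IFS=,
        for opt in $opts; do
            opt=$(printf '%s' "$opt" | tr -d '[:space:]')
            case "$opt" in
                tty_tickets)  state=on ;;
                !tty_tickets) state=off ;;
            esac
        done
        IFS=$oldifs
    done
    printf '%s\n' "$state"
}

# Syntax-check the drop-in with visudo when it is installed (run as root, since
# visudo -c also checks the file's owner and mode). Returns 0 on success.
validate_dropin() {
    tmp=$(mktemp) || return 1
    hardened_sudoers_dropin > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp"; rc=$?
    else
        echo "visudo not found; skipping syntax check" >&2; rc=0
    fi
    rm -f "$tmp"
    return $rc
}
```

To see what a running system has, `hardened_sudoers_dropin | tty_tickets_state` prints `on`, and `cat /etc/sudoers /etc/sudoers.d/* | tty_tickets_state` (as root) shows whether the installed configuration enables it, including the case where a later `Defaults !tty_tickets` quietly turns it back off.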