On Mon, Oct 28, 2013 at 01:14:33PM -0600, Bob Proulx wrote:
> Reco wrote:
> > Bob Proulx wrote:
> > > Is 'rpcbind' installed by default? I will need to look. I wonder why
> > > it would be there?
> >
> > Part of a NFS client, I guess. Package is not marked as an essential one,
> > though. Running a diskless client over NFS would be a curious trick
> > without NFS support enabled.
>
> NFS client is not enabled by default. So that wouldn't be it.
>
> I just tried a minimum installation of Debian Wheezy in a VM and
> rpcbind was not installed. Are you sure it is installed by default?
No, I'm unsure. May be it was minimum install + recommended server install
(whatever it is called now actually). Did minimum install had any
network services activated?
> > > CVE-2010-0427 is a local only exploit. (Failure to reset group
> > > permissions properly.) So it would need to be a locally known user in
> > > order to exploit it. Not the same as having written the password on a
> > > T-shirt and wearing it around.
> >
> > I fail to see how one could be given an SSH access to the host, be able
> > to use sudo (and do so successfully), and still not be a local user.
> > I must miss something here, can you please enlighten me?
>
> You said "using outdated sudo is an equivalent to wearing T-shirt with
> a root password written on it as an end result will be the same." I
> was refuting that statement. It isn't even close to being the same.
> Using sudo would require a local user exploit. You seem to agree that
> it would require a local user to exploit it. Having the root password
> publicly known does not require a local user. They are not the same
> class of issue at all. Not even close.
Point taken. And what about the end result ('user will get root privs')?
Reco
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20131028201600.GA8940@x101h
