Reco <recovery...@gmail.com> writes:

> On Mon, Oct 28, 2013 at 10:19:43AM -0600, Joe Pfeiffer wrote:
>> Reco <recovery...@gmail.com> writes:
>> >> You also have to add to the picture such a vulnerability, and I haven't
>> >> noticed any.
>> >
>> > If we're speaking of public vulnerabilities:
>> >
>> > CVE-2010-0427.
>>
>> Does not permit users outside of those in the sudoers file (or with the
>> root password) to escalate privileges.
>
> Lessens attack surface, but doesn't void the existence of vulnerability.
>
>> > CVE-2013-1775 (allows bypass sudoers modification to retain root
>> > privileges).
>>
>> Again -- isn't "basically equivalent to giving everyone uid=0." Permits
>> someone who *has* sudo access to avoid retyping a password.
>
> Not only that. Permits someone who already has sudo access to continue
> having such access indefinitely, ignoring being excluded from sudoers
> altogether.
You made a specific claim, that sudo without patches is "basically
equivalent to giving everyone uid=0". You have yet to say anything that
even begins to substantiate that claim.

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1b4n7vik0q....@snowball.wb.pfeifferfamily.net
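The disagreement above turns on who can actually invoke sudo on a given host: the principals listed in sudoers, and whether any of them keep privileges without re-typing a password. As an added example (not part of the thread, and not Debian's or sudo's own tooling), the POSIX shell script below audits a sudoers file for exactly those facts. The sudoers content is a constructed sample written to a temp file; the function names `sudoers_principals`, `sudoers_nopasswd`, `sudoers_timestamp_timeout` and `sudoers_caches_credentials` are this example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: enumerate who may run sudo,
# who may do so without a password, and whether cached credentials are
# disabled. Run against /etc/sudoers (as root) to audit a real host; here a
# constructed sample is used so the script runs stand-alone.

SAMPLE_SUDOERS="${TMPDIR:-/tmp}/sudoers.example.$$"
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT

# Constructed sample sudoers; not a real system file.
cat > "$SAMPLE_SUDOERS" <<'EOF'
# sample sudoers for demonstration only
Defaults        env_reset
Defaults        timestamp_timeout=15
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
alice   ALL=(ALL) ALL
EOF

# Every user (or %group) with a user specification, i.e. anyone who can run
# sudo at all. Comments, blank lines, Defaults and alias definitions are skipped.
sudoers_principals() {
    awk '$1 ~ /^#/ || NF == 0 { next }
         $1 ~ /^(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)$/ { next }
         { print $1 }' "$1"
}

# Principals allowed to run at least one command without any password prompt.
sudoers_nopasswd() {
    awk '$1 !~ /^#/ && /NOPASSWD:/ { print $1 }' "$1"
}

# Configured timestamp_timeout in minutes; empty output means the sudo
# compiled-in default applies.
sudoers_timestamp_timeout() {
    sed -n 's/^Defaults[[:space:]]\{1,\}timestamp_timeout=\([0-9-]*\).*/\1/p' "$1"
}

# "yes" if a successful sudo authentication is cached for later commands,
# "no" only when timestamp_timeout is explicitly 0 (password every time).
sudoers_caches_credentials() {
    t=$(sudoers_timestamp_timeout "$1")
    if [ "$t" = "0" ]; then echo no; else echo yes; fi
}

echo "principals:"; sudoers_principals "$SAMPLE_SUDOERS"
echo "nopasswd:";   sudoers_nopasswd "$SAMPLE_SUDOERS"
echo "timestamp_timeout: $(sudoers_timestamp_timeout "$SAMPLE_SUDOERS")"
echo "caches credentials: $(sudoers_caches_credentials "$SAMPLE_SUDOERS")"
```

On the sample, the audit lists root, %sudo, deploy and alice as the only principals, flags deploy as the single NOPASSWD entry, and reports a 15-minute credential cache. A host where the answer to "who can escalate?" is a short, reviewed list like this one is precisely the situation the thread contrasts with "everyone uid=0".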