[rt-devel] possible security bug

Paul Lussier pll at mclinux.com
Thu Jan 17 16:22:31 EST 2002


In a message dated: Thu, 17 Jan 2002 15:09:15 CST
dphull at ku.edu said:

>I'm not sure this is a real security problem. According to the sudo
>manpage, the current directory "." is checked last to prevent command
>spoofing.
>
>The problem with setting an explicit path is that stty may not always be
>in the same place from one flavor of *nix to another. Setting a path
>comprised of "well known" directories should work for most distros.

That's the problem autoconf/automake solve.  However, if you can 
figure out how to get this to work easily with perl packages, please 
let me know :)

>Additionaly, if someone is using sudo, they are likely to be a trusted
>user or administrator of the box.

Well, yes, or they may have just succeeded in getting access to an 
account that is trusted enough to use sudo.

Granted, it's stretching pretty thin, but it's still possible that 
initdb *could* be used to grab total root access at some point because 
this problem.

I'm just the messenger here :)

I felt it my duty to point this out to the developers, that's the best I can do.
I understand the difficulties involved in accounting for every possible loop
hole.  Security is inversely propotional to productivity, after all.

Thanks for the quick response!
-- 

Seeya,
Paul
----

			  God Bless America!

	 If you're not having fun, you're not doing it right!

	...we don't need to be perfect to be the best around,
		and we never stop trying to be better. 
		       Tom Clancy, The Bear and The Dragon






More information about the Rt-devel mailing list