LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   Security vulnerability in sudo allows privilege escalation (http://www.linuxquestions.org/questions/slackware-14/security-vulnerability-in-sudo-allows-privilege-escalation-4175452815/)

fskmh 03-05-2013 01:25 PM

Security vulnerability in sudo allows privilege escalation
 
Interesting vulnerability that allows a user listed in /etc/sudoers to bypass authentication by resetting the time stamp file with "sudo -k" or removing it with "sudo -K".

http://www.sudo.ws/sudo/alerts/epoch_ticket.html

Probably not as big a deal for Slackware as it could be for *buntu but perhaps this could be a convenient time for Pat to upgrade sudo anyway.

I've built 1.8.6p7 using the SlackBuild in current and sudo seems to function as it did before.

GazL 03-05-2013 02:03 PM

Anyone with any sense will have set "timestamp_timeout = 0" as the sudo password caching thing is inherently insecure anyway.
It's even worse for Ubuntu of course because of their idiotic misuse of sudo i.e "ALL = (ALL) ALL" rather than more specific targeting of allowed commands.

Besides, if unprivileged users can change your system time then IMO you have bigger problems.


All times are GMT -5. The time now is 08:41 AM.