Security vulnerability in sudo allows privilege escalation
Interesting vulnerability that allows a user listed in /etc/sudoers to bypass authentication by resetting the time stamp file with "sudo -k" or removing it with "sudo -K".
Probably not as big a deal for Slackware as it could be for *buntu but perhaps this could be a convenient time for Pat to upgrade sudo anyway.
I've built 1.8.6p7 using the SlackBuild in current and sudo seems to function as it did before.
Anyone with any sense will have set "timestamp_timeout = 0" as the sudo password caching thing is inherently insecure anyway.
It's even worse for Ubuntu of course because of their idiotic misuse of sudo, i.e. "ALL = (ALL) ALL" rather than more specific targeting of allowed commands.
Besides, if unprivileged users can change your system time then IMO you have bigger problems.
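An added example, not part of any post in this thread: a small audit that reads sudoers-format text and reports the two settings discussed above, whether credential caching is disabled and whether any rule grants every command. The function names `audit_sudoers` and `sample_sudoers` and the sample rules are constructed for illustration; `Defaults timestamp_timeout=0` is the sudoers spelling of the setting quoted above.

```shell
#!/bin/sh
# Audit sudoers-format text on stdin. Simplified parser (assumption):
# no line continuations, aliases or include handling.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*Defaults[ \t]/ && /timestamp_timeout[ \t]*=/ {
        v = $0                                 # global Defaults only
        sub(/.*timestamp_timeout[ \t]*=[ \t]*/, "", v)
        sub(/[, \t].*/, "", v)
        timeout = v; seen = 1                  # last setting wins
        next
    }
    /^[ \t]*Defaults/ { next }                 # other Defaults lines
    # Rule whose whole command list is ALL, with optional runas and tags.
    /=[ \t]*(\([^)]*\)[ \t]*)?([A-Z]+:[ \t]*)*ALL[ \t]*$/ {
        printf "BROAD line %d: %s\n", NR, $0
    }
    END {
        # A negative value (never expire) is also reported as caching.
        if (!seen)                 print "CACHE timestamp_timeout not set"
        else if (timeout + 0 != 0) print "CACHE timestamp_timeout=" timeout
        else                       print "OK timestamp_timeout=0"
    }'
}

# Constructed sample input, not taken from a real host.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
Defaults timestamp_timeout=15
%admin ALL = (ALL) ALL
backup ALL=(root) /usr/bin/rsync
EOF
}

sample_sudoers | audit_sudoers
```

To check a real configuration, pipe the file in as root, for example `audit_sudoers < /etc/sudoers`, and repeat for any files it includes.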