LinuxQuestions.org
03-05-2013, 12:25 PM   #1
fskmh
Member
 
Registered: Jun 2002
Location: South Africa
Distribution: Slackware64-current multilib
Posts: 225

Security vulnerability in sudo allows privilege escalation


Interesting vulnerability that allows a user listed in /etc/sudoers to bypass authentication by resetting the time stamp file with "sudo -k" or removing it with "sudo -K".

http://www.sudo.ws/sudo/alerts/epoch_ticket.html

Probably not as big a deal for Slackware as it could be for *buntu but perhaps this could be a convenient time for Pat to upgrade sudo anyway.

I've built 1.8.6p7 using the SlackBuild in current and sudo seems to function as it did before.
 
03-05-2013, 01:03 PM   #2
GazL
Senior Member
 
Registered: May 2008
Posts: 3,231

Anyone with any sense will have set "timestamp_timeout = 0" as the sudo password caching thing is inherently insecure anyway.
It's even worse for Ubuntu of course because of their idiotic misuse of sudo, i.e. "ALL = (ALL) ALL" rather than more specific targeting of allowed commands.

Besides, if unprivileged users can change your system time then IMO you have bigger problems.
 
1 members found this post helpful.
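
The two sudoers settings discussed in the reply above (credential caching via timestamp_timeout, and blanket "ALL" command lists), as an added example that is not part of the original thread: a small Python audit over sudoers text. The sample content is constructed, and the parser is a simplification (no #include handling, one user specification per line).

```python
import re

# Constructed sample sudoers content (not taken from any real system).
SAMPLE_SUDOERS = r"""
Defaults env_reset, timestamp_timeout = 0
Defaults:backup timestamp_timeout=15
Cmnd_Alias SERVICES = /sbin/service, \
                      /usr/bin/systemctl
root    ALL=(ALL) ALL   # blanket rule
%wheel  ALL = (ALL:ALL) NOPASSWD: ALL
deploy  ALL=(root) SERVICES
"""

ALIASES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
TIMEOUT = re.compile(r"\btimestamp_timeout\s*=\s*(-?[\d.]+)")
# who  host = (runas) TAG: commands
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?((?:[A-Z_]+:\s*)*)(.+)$")

def logical_lines(text):
    """Join backslash continuations, strip comments, skip blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: every '#' starts a comment
        if line:
            yield line

def audit(text):
    """Return (findings, global_timeout) for the given sudoers text."""
    findings, global_timeout = [], None
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            m = TIMEOUT.search(line)
            if not m:
                continue
            scope = line.split()[0]  # "Defaults", "Defaults:user", "Defaults@host", ...
            value = float(m.group(1))
            if scope == "Defaults":
                global_timeout = value
            if value != 0:
                findings.append(f"{scope}: credentials cached (timestamp_timeout={m.group(1)})")
        elif not line.startswith(ALIASES):
            m = SPEC.match(line)
            if m and "ALL" in [c.strip() for c in m.group(3).split(",")]:
                findings.append(f"{m.group(1)}: unrestricted command list ({line})")
    if global_timeout is None:
        findings.append("Defaults: timestamp_timeout not set, compiled-in cache timeout applies")
    return findings, global_timeout
```

To check a live configuration, pass the file contents to `audit()`, for example `audit(open("/etc/sudoers").read())` run as root.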
All times are GMT -5.