Hi,

I really appreciate that you handle feature requests this quickly, but what about the concerns[1] I had? After upgrading sudo to 1.7.4p4-5 today and installing the new /etc/sudoers, any member of the sudo group can do this:
$ sudo -k
$ sudo -g root id
uid=1000(alexander) gid=0(root) Gruppen=1000(alexander),27(sudo)
And this:
$
$ sudo -k
$ sudo -g staff touch /usr/local/bin/foo
$ ls -l /usr/local/bin/foo
-rw-r--r-- 1 alexander staff 0 Dec 3 18:03 /usr/local/bin/foo
$ sudo -g staff rm -v /usr/local/bin/foo
removed `/usr/local/bin/foo'
$
I think this is a security problem. Or am I missing something here?
Best regards
Alexander Kurtz
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602699#10

