Hi,

I'm trying to explain my concerns as best as possible. Please excuse me if I repeat myself and make this mail longer than necessary ;-)

On Friday, 03.12.2010, at 13:28 -0700, Bdale Garbee wrote:
> Why do you think this is a security issue? If you put someone in group
> sudo, you're giving them the keys to the kingdom.

Yes, that's correct, but usually I'll require everybody to *re-authenticate* himself before entering that kingdom.

To put it simply: With the new /etc/sudoers every member of the sudo group can (almost) do whatever he likes *without* providing any password: For example, he can place a malicious bash version in /usr/local/bin or similar. He can do this completely without re-authenticating himself.

My question is: If members of the sudo group have to enter their password by default to change the UID, why can they change the GID without entering that password?

I think that the only difference between UID==0 and GID==0 is that the latter one requires a bit more work to get full control over the system. But after all that doesn't make much of a difference.

> Changing the primary
> group with sudo -g doesn't *limit* the set of groups a member belongs
> to, it just changes what the primary group is for the duration of the
> command. So this just seems like normal and expected behavior to me.

Yes, it actually is the normal, expected and even desired behavior. But IMHO allowing a user to change the primary GID is equally dangerous as changing the primary UID, therefore the same requirements should apply (Re-Authentication). Otherwise we could just add the NOPASSWD clause to the %sudo rule, as this would effectively not change the security situation.

I hope this helps to understand my thoughts. Please correct me wherever I may be wrong!

Best regards

Alexander Kurtz
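An added example, not part of the original mail or of sudo itself: a small audit that lists which sudoers rules carry a Runas group part, `(users:groups)`, and therefore allow `sudo -g`, and whether they are tagged NOPASSWD. The sample file contents and the function name `audit_runas_groups` are constructed for illustration, and the parser assumes simple one-line rules without aliases or line continuations.

```python
import re

# Constructed sample sudoers content; not taken from the original mail.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  web01=(:www-data) NOPASSWD: /usr/bin/install
"""

# who host = (runas_users:runas_groups) tags/commands
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.*)$"
)

def audit_runas_groups(text):
    """Return the rules whose Runas spec has a group part, i.e. rules
    that let the user pick a target group with `sudo -g`."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        if line.split()[0].endswith("_Alias"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        users, _, groups = (m.group("runas") or "").partition(":")
        if not groups.strip():
            continue  # no group part: `sudo -g` is not granted by this rule
        findings.append({
            "who": m.group("who"),
            "runas_groups": groups.strip(),
            "group_only": not users.strip(),
            "nopasswd": bool(re.search(r"\bNOPASSWD\s*:", m.group("rest"))),
        })
    return findings

if __name__ == "__main__":
    for f in audit_runas_groups(SAMPLE_SUDOERS):
        print(f)
```

Rules reported here are the ones to test by hand with `sudo -k` followed by a `sudo -g` invocation, to confirm that a password prompt appears before the group change.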

