Reco <recovery...@gmail.com> writes:

> On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:
>> Reco <recovery...@gmail.com> writes:
>> > True, you need to add to the picture that curious user who just read on
>> > Bugtraq or Full Disclosure about fresh vulnerability in sudo. Or that
>> > disgruntled user who needs /etc/system changed right here and now. Or
>> > that developer who needs to do this 'small change, nobody will notice'
>> > on a production server.
>> > And if you don't have such people there - good for you, as we can
>> > always find such a person here.
>> 
>> You also have to add to the picture such a vulnerability, and I haven't
>> noticed any.
>
> If we're speaking of public vulnerabilities:
>
> CVE-2010-0427.

Does not permit users outside of those in the sudoers file (or with the
root password) to escalate privileges.

> CVE-2013-1775 (allows bypassing sudoers modification to retain root
> privileges).

Again -- isn't "basically equivalent to giving everyone uid=0."  Permits
someone who *has* sudo access to avoid retyping a password.

> I have no knowledge about private 0days.
>
> Reco


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1bvc0hcqqo....@snowball.wb.pfeifferfamily.net
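Both CVEs in the exchange above only matter for principals that already have a sudoers entry, and the CVE-2013-1775 bypass only matters while cached credentials are honoured. The script below is an added example, not code posted by either participant: it lists who actually has a grant in a sudoers file and reports the configured `timestamp_timeout`, using a constructed sample sudoers rather than a real one. The helper names (`sudo_principals`, `timestamp_timeout`) and the sample rules are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Parses sudoers-format text to answer
# the two questions raised above: who is in the sudoers file at all, and
# how long sudo caches a successful authentication.

# Constructed sample; a real check would read /etc/sudoers and the files
# pulled in via #includedir, which this example does not follow.
SAMPLE_SUDOERS=$(cat <<'EOF'
# constructed sample /etc/sudoers
Defaults env_reset
Defaults timestamp_timeout=15
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/apt-get
User_Alias DEVS = bob, carol
DEVS    webhost=(ALL) /usr/bin/systemctl restart app
EOF
)

# sudo_principals CONTENT: print the first field of every grant line
# (user, %group or User_Alias name), skipping comments, blank lines,
# Defaults lines and alias definitions. Alias members (bob, carol) are
# reported under the alias name, not expanded. Output is sorted in the
# C locale so it is stable across systems.
sudo_principals() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                 # comments (and #include directives, see above)
        /^[[:space:]]*$/ { next }                 # blank lines
        /^Defaults/ { next }                      # options, not grants
        /^(User|Runas|Host|Cmnd)_Alias/ { next }  # alias definitions
        { print $1 }
    ' | LC_ALL=C sort -u
}

# timestamp_timeout CONTENT: print the credential cache lifetime in minutes
# from the last Defaults line that sets it, or "default" when it is unset
# (stock sudo uses 5 minutes). A value of 0 forces a password on every run.
timestamp_timeout() {
    printf '%s\n' "$1" | awk '
        /^Defaults/ && match($0, /timestamp_timeout=[-0-9.]+/) {
            v = substr($0, RSTART, RLENGTH)
            sub(/.*=/, "", v)
            found = v
        }
        END { print (found == "" ? "default" : found) }
    '
}

echo "principals with sudo grants:"
sudo_principals "$SAMPLE_SUDOERS"
echo "timestamp_timeout: $(timestamp_timeout "$SAMPLE_SUDOERS")"
```

Anyone not listed by `sudo_principals` (directly, via a `%group`, or via an alias) is outside the population that CVE-2010-0427 or CVE-2013-1775 could affect, which is Joe's point. For those who are listed, `Defaults timestamp_timeout=0` in sudoers removes the cached-credential timestamp that the CVE-2013-1775 bypass relies on, at the cost of a password prompt on every invocation.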