On Mon, Oct 28, 2013 at 10:19:43AM -0600, Joe Pfeiffer wrote:
> Reco <recovery...@gmail.com> writes:
> >> You also have to add to the picture such a vulnerability, and I haven't
> >> noticed any.
> >
> > If we're speaking of public vulnerabilities:
> >
> > CVE-2010-0427.
> 
> Does not permit users outside of those in the sudoers file (or with the
> root password) to escalate privileges.

Lessens the attack surface, but doesn't void the existence of the vulnerability.

> 
> > CVE-2013-1775 (allows bypass of sudoers modification to retain root
> > privileges).
> 
> Again -- isn't "basically equivalent to giving everyone uid=0."  Permits
> someone who *has* sudo access to avoid retyping a password.

Not only that. Permits someone who already has sudo access to continue
having such access indefinitely, ignoring being excluded from sudoers
altogether.

Reco


-- 
Archive: http://lists.debian.org/20131028181130.GB29376@x101h
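An added example, not part of the thread above and not from any of its authors: the practical question behind the exchange is whether the sudo on a given box predates the fixes for the two CVEs being argued about. The script below parses the first line of `sudo -V` output, compares sudo-style version strings (1.8.6p7, 1.7.10p7) and reports which of the two CVEs a version is still exposed to. The fixed-release thresholds (1.7.2p4 for CVE-2010-0427; 1.7.10p7 and 1.8.6p7 for CVE-2013-1775) are my recollection of the upstream advisories, not something stated in the thread; verify them against your distribution's changelog before acting on the output. The `sudo -V` sample embedded at the bottom is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: compare an installed sudo version against the upstream
# fixed releases for CVE-2010-0427 and CVE-2013-1775.
# Fixed-version thresholds are an assumption from memory of the advisories;
# check your distribution's changelog before relying on them.

# Extract the version from `sudo -V` output; its first line reads
# "Sudo version X.Y.ZpN". Prints nothing if the line is not recognised.
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version //p'
}

# Return 0 (true) if sudo version $1 >= version $2.
# Versions look like 1.8.6p7; "1.8.6" is treated as patch level 0, so
# 1.8.7 > 1.8.6p7 > 1.8.6, matching how sudo numbers its releases.
sudo_ver_ge() {
    a=$(printf '%s\n' "$1" | sed -e 's/p/./' -e 's/\./ /g')
    b=$(printf '%s\n' "$2" | sed -e 's/p/./' -e 's/\./ /g')
    set -- $a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}; a4=${4:-0}
    set -- $b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}; b4=${4:-0}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0
}

# Print the CVE ids (one per line) that version $1 is still exposed to;
# print nothing when both are fixed.
sudo_cve_exposure() {
    v="$1"
    # CVE-2010-0427 (runas_default handling): fixed in 1.7.2p4 (assumption).
    # Anything older, including unsupported 1.6.x, is flagged.
    if ! sudo_ver_ge "$v" "1.7.2p4"; then
        echo CVE-2010-0427
    fi
    # CVE-2013-1775 (timestamp reuse): fixed per branch in 1.7.10p7 and
    # 1.8.6p7 (assumption). Later branches carry the fix.
    case "$v" in
        1.7.*) sudo_ver_ge "$v" "1.7.10p7" || echo CVE-2013-1775 ;;
        *)     sudo_ver_ge "$v" "1.8.6p7"  || echo CVE-2013-1775 ;;
    esac
}

# Constructed sample of `sudo -V` output (not from a real host).
SAMPLE_SUDO_V='Sudo version 1.8.5p2
Sudoers policy plugin version 1.8.5p2'

sample_v=$(sudo_version_from_output "$SAMPLE_SUDO_V")
echo "sample sudo $sample_v: $(sudo_cve_exposure "$sample_v" | tr '\n' ' ')"
```

Run it against the real thing with `sudo_cve_exposure "$(sudo_version_from_output "$(sudo -V)")"`. Independently of the version, `Defaults timestamp_timeout=0` in /etc/sudoers makes sudo prompt for a password on every invocation, so there is no cached timestamp for a user to keep alive after being dropped from sudoers.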