> ... someone with access to a single account could use this to > gain the password for that account, and hence possibly sudo access.
Oh yes, someone with access to an account has... access to that. If he wanted sudo, then just have a fake sudo: one that traps the password and runs the real sudo after; or one that runs the real sudo but prepending the "bad" command. Cheers, Paul Paul Szabo [email protected] http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
