Bug#567614: sudo's default configuration without tty-tickets
severity 567614 important
thanks

On Wed, Feb 17, 2010 at 09:08:01AM +0100, Sven Joachim wrote:
> On 2010-01-30 09:02 +0100, Luk Claes wrote:
>> François Boisson wrote:
>>> Severity: critical
>>> Tags: security
>>> Justification: root security hole
>>
>> I think this is very much overinflated and I fail to see the security hole.
>
> That being said, I agree that the severity is exaggerated.

I concur. Third time is a charm, so I'll fix the severity. This doesn't match the Security Team criteria for an RC security issue.

Cheers,
Moritz

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#567614: sudo's default configuration without tty-tickets
On 2010-01-30 09:02 +0100, Luk Claes wrote:
> François Boisson wrote:
>> Severity: critical
>> Tags: security
>> Justification: root security hole
>
> I think this is very much overinflated and I fail to see the security hole.
>
>> sudo's default configuration is with a timestamp of 15'
>
> I don't see the problem with that.
>
>> and without tty_tickets.
>
> Neither do I see a problem with this.

The problem is that Trojan horses exploiting bugs that lead to arbitrary code execution can gain root access much more easily without tty_tickets.

> tty tickets don't solve anything, they just make the 15' happen per tty instead of globally AFAICS.

Which would still reduce the attack vectors a lot. Exploits for your web browser would not be able to obtain root rights via sudo, for instance.

> Personally I would find it very unfortunate if this change were applied.

Could you elaborate? Clearly tty_tickets reduce convenience, but a more secure default would be worth it, IMHO.

> The real problem you experience seems to be that you don't like the default Ubuntu uses as sudo configuration, no?

I find this question a bit hard to understand, given that Ubuntu _does_ enable tty_tickets by default at least since Hardy…

That being said, I agree that the severity is exaggerated.

Sven

Archive: http://lists.debian.org/87vddwthcu@turtle.gmx.de
Bug#567614: sudo's default configuration without tty-tickets
François Boisson wrote:
> Severity: critical
> Tags: security
> Justification: root security hole

I think this is very much overinflated and I fail to see the security hole.

> sudo's default configuration is with a timestamp of 15'

I don't see the problem with that.

> and without tty_tickets.

Neither do I see a problem with this.

> So with a classical add of one user (just adding superman ALL=(ALL) ALL as it is done in Ubuntu for instance), a simple script like
>
>     #!/bin/sh
>     # Redirection operators and the trailing '&' were lost when the report was
>     # archived; they are restored here as the evident intent.
>     if [ -z "$1" ] ; then
>         # First call (no argument): re-source this file with an argument, detached.
>         # Passing arguments to '.' is a bash behaviour (/bin/sh was bash here).
>         FILE=$0
>         echo "$FILE"
>         . "$FILE" vasy > /dev/null 2> /dev/null &
>     else
>         # Sourced with an argument: loop once a minute. As posted, the sudo
>         # command is prefixed with echo, so this line writes the command text
>         # to /tmp/g rather than running it.
>         while /bin/true ; do
>             echo sudo -n rm -Rf / > /tmp/g
>             sleep 60
>         done
>     fi
>
> called one time by superman erases the file system as soon as a sudo call is done. This configuration is very widely used.

Indeed, as soon as one managed to do the sudo call that would work, though I fail to see why it would be a problem in sudo. It works as expected.

> The package must be either configured with tty_tickets in the sudoers file, or compiled with the option --with-tty-tickets. This solves the problem.

tty tickets don't solve anything, they just make the 15' happen per tty instead of globally AFAICS.

Personally I would find it very unfortunate if this change were applied.

The real problem you experience seems to be that you don't like the default Ubuntu uses as sudo configuration, no?

Cheers

Luk
Bug#567614: sudo's default configuration without tty-tickets
>> So with a classical add of one user (just adding superman ALL=(ALL) ALL as it is done in Ubuntu for instance), a simple script like [...] called one time by superman erases the file system as soon as a sudo call is done. This configuration is very widely used.
>
> Indeed, as soon as one managed to do the sudo call that would work, though I fail to see why it would be a problem in sudo. It works as expected.
>
>> The package must be either configured with tty_tickets in the sudoers file, or compiled with the option --with-tty-tickets. This solves the problem.
>
> tty tickets don't solve anything, they just make the 15' happen per tty instead of globally AFAICS.

tty-tickets solve this problem. If the script is called, as many beginning users do, by clicking on an attached file in a mail for instance, or by running it in another xterm window, nothing happens with tty-tickets, but if there are no tty-tickets, sudo works without asking for a password.

> The real problem you experience seems to be that you don't like the default Ubuntu uses as sudo configuration, no?

You are right, but I think the problem is here. It's up to you to decide if it's really a problem (as I really think) or not.

PS:
>> Justification: root security hole
>
> I think this is very much overinflated and I fail to see the security hole.

If it's a problem, it's a security hole. The question is «Is it a real problem or not?» I did not find a good category in reportbug (wishlist perhaps, but as I think it's really a security problem...)

Regards and thanks for your answer, for your ability to read my English, and sorry if you think I'm wrong.

François Boisson
Bug#567614: sudo's default configuration without tty-tickets
Package: sudo
Version: 1.7.2p1-1
Severity: critical
Tags: security
Justification: root security hole

sudo's default configuration is with a timestamp of 15' and without tty_tickets. So with a classical add of one user (just adding superman ALL=(ALL) ALL as it is done in Ubuntu for instance), a simple script like

    #!/bin/sh
    # Redirection operators and the trailing '&' were lost when the report was
    # archived; they are restored here as the evident intent.
    if [ -z "$1" ] ; then
        # First call (no argument): re-source this file with an argument, detached.
        # Passing arguments to '.' is a bash behaviour (/bin/sh was bash here).
        FILE=$0
        echo "$FILE"
        . "$FILE" vasy > /dev/null 2> /dev/null &
    else
        # Sourced with an argument: loop once a minute. As posted, the sudo
        # command is prefixed with echo, so this line writes the command text
        # to /tmp/g rather than running it.
        while /bin/true ; do
            echo sudo -n rm -Rf / > /tmp/g
            sleep 60
        done
    fi

called one time by superman erases the file system as soon as a sudo call is done. This configuration is very widely used.

The package must be either configured with tty_tickets in the sudoers file, or compiled with the option --with-tty-tickets. This solves the problem.

François Boisson (sorry for English faults)

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sudo depends on:
ii  libc6           2.10.2-2  GNU C Library: Shared libraries
ii  libpam-modules  1.1.0-4   Pluggable Authentication Modules f
ii  libpam0g        1.1.0-4   Pluggable Authentication Modules l

sudo recommends no packages.

sudo suggests no packages.

-- no debconf information
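As an added example (not code from the bug thread), a POSIX sh check that reports the ticket policy a sudoers file sets, so the weak configuration the report describes can be compared with the tty_tickets fix it asks for. The function name sudoers_ticket_policy and both sudoers samples are constructed; the compiled-in defaults it assumes (no tty_tickets, 15-minute timeout) are the ones the report states for sudo 1.7.2p1.

```shell
#!/bin/sh
# Added example, not code from the bug thread. Reports whether a sudoers text
# binds the authentication timestamp to the invoking tty and how long it lasts.
# Only global "Defaults" lines are parsed; per-user/host forms (Defaults:user,
# Defaults@host) are ignored, which is a simplification of sudoers semantics.

sudoers_ticket_policy() {
    # Assumed compiled-in defaults, as the report states for sudo 1.7.2p1.
    tty=off
    timeout=15
    # Drop comments, keep global Defaults lines, one option per line. Later
    # lines override earlier ones, as sudo applies them in order.
    opts=$(printf '%s\n' "$1" \
        | sed -n -e 's/#.*//' -e 's/^Defaults[[:space:]]\{1,\}//p' \
        | tr ',' '\n')
    for opt in $opts; do
        case $opt in
            tty_tickets)          tty=on ;;
            !tty_tickets)         tty=off ;;
            timestamp_timeout=*)  timeout=${opt#timestamp_timeout=} ;;
        esac
    done
    echo "tty_tickets=$tty timestamp_timeout=$timeout"
}

# Constructed sample: the layout the report complains about (one 15-minute
# ticket per user, shared by every tty and by processes without a tty).
WEAK_SUDOERS='
Defaults env_reset
root     ALL=(ALL) ALL
superman ALL=(ALL) ALL
'

# Constructed sample: the tty_tickets fix the report asks for, plus a shorter
# timeout so an unattended terminal stays usable for less time.
HARDENED_SUDOERS='
Defaults env_reset
Defaults tty_tickets, timestamp_timeout=5
root     ALL=(ALL) ALL
superman ALL=(ALL) ALL
'

sudoers_ticket_policy "$WEAK_SUDOERS"      # tty_tickets=off timestamp_timeout=15
sudoers_ticket_policy "$HARDENED_SUDOERS"  # tty_tickets=on timestamp_timeout=5
```

On a live system, `sudo -V` run as root lists the compiled-in and sudoers-set values, which is the authoritative check rather than parsing the file.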