Curt cu...@free.fr writes:
On 2013-11-02, Joe Pfeiffer pfeif...@cs.nmsu.edu wrote:
Again -- isn't basically equivalent to giving everyone uid=0. Permits
someone who *has* sudo access to avoid retyping a password.
Not only that. Permits someone who already has sudo access to continue
Reco recovery...@gmail.com writes:
Hi.
On Sat, 2 Nov 2013 11:46:48 -0500
Cybe R. Wizard cybe_r_wiz...@earthlink.net wrote:
How about this bug:
http://www.sudo.ws/sudo/alerts/sudo_debug.html
Impact: Successful exploitation of the bug will allow a user to run
arbitrary commands
On 2013-11-02, Joe Pfeiffer pfeif...@cs.nmsu.edu wrote:
Again -- isn't basically equivalent to giving everyone uid=0. Permits
someone who *has* sudo access to avoid retyping a password.
Not only that. Permits someone who already has sudo access to continue
having such access indefinitely,
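The argument in this exchange comes down to what a sudoers file actually grants: a NOPASSWD tag, or a timestamp_timeout that never expires, is the difference between "can become root after typing a password" and "is root". The audit script below is an added example written for this page; it is not code from the debian-user thread or from the sudo project. It parses a constructed sample sudoers (embedded inline and made up for the example) and reports every construct that removes the password prompt or keeps a cached credential unusually long. The 60-minute threshold is the example's own choice, the parser handles only the common user-spec shape (one user or %group, one host spec, one command list) and skips alias definitions, and the Finding/audit names are mine. It also cannot catch the other half of the thread's point: a sudo bug of the kind the sudo_debug alert describes, which lets a user who is not in sudoers run commands as root, is fixed by upgrading sudo, not by editing sudoers.

```python
# Added example: audit a sudoers file for constructs that remove or weaken the
# password check. The sample sudoers below is constructed, not from a real host.
import re
from dataclasses import dataclass

SAMPLE_SUDOERS = """\
# constructed sample: bob gets unprompted root, alice a cache that never expires
Defaults        env_reset
Defaults        timestamp_timeout=15
Defaults:alice  timestamp_timeout=-1
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) ALL
bob     ALL=(ALL) NOPASSWD: ALL
carol   ALL=(root) NOPASSWD: /usr/sbin/service nginx restart, \\
                  /usr/bin/systemctl restart nginx
dave    ALL=(ALL) /usr/bin/apt-get
"""

@dataclass(frozen=True)
class Finding:
    principal: str  # user, %group, or '*' for unscoped Defaults
    issue: str      # short tag such as nopasswd_all
    detail: str     # human-readable explanation
    line: str       # the joined sudoers line that triggered it

DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<params>.+)$")
# One user (or %group), one host spec, optional (runas) list, then the command list.
USERSPEC_RE = re.compile(r"^(?P<user>\S+)\s+\S+?\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")
ALIASES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def logical_lines(text):
    """Join backslash-continued lines; drop blanks and comments. '#include' and
    '#includedir' are directives rather than comments, so they are kept."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line and (not line.startswith("#") or line.startswith("#include")):
            out.append(line)
    return out

def audit(text, long_timeout_minutes=60):
    """Return a Finding for each construct that drops the password prompt or keeps a
    cached credential unusually long. 60 minutes is this example's own threshold
    (sudo's default timestamp_timeout is 15)."""
    findings = []
    for line in logical_lines(text):
        if line.startswith(("#include", "@include")):
            findings.append(Finding("*", "include_not_audited", "audit included files too", line))
            continue
        if line.split()[0] in ALIASES:
            continue  # alias definitions carry no tags; their members are checked where used
        m = DEFAULTS_RE.match(line)
        if m:
            scope = m.group("scope")
            who = "*" if scope is None else (scope[1:] if scope[0] == ":" else scope)
            for param in (p.strip() for p in m.group("params").split(",")):
                key, _, value = param.partition("=")
                if key == "!authenticate":
                    findings.append(Finding(who, "no_authentication", "password check disabled outright", line))
                elif key == "timestamp_timeout" and re.fullmatch(r"-?\d+(\.\d+)?", value):
                    minutes = float(value)
                    if minutes < 0:
                        findings.append(Finding(who, "timeout_never_expires",
                                                "one password covers every later sudo until reboot", line))
                    elif minutes > long_timeout_minutes:
                        findings.append(Finding(who, "timeout_long", f"cache lasts {minutes:g} minutes", line))
            continue
        m = USERSPEC_RE.match(line)
        if not m:
            continue
        nopasswd = False  # a tag covers the command after it and later ones in the same list
        for piece in (c.strip() for c in m.group("cmds").split(",")):
            tag = TAG_RE.match(piece)
            while tag:
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                piece = piece[tag.end():]
                tag = TAG_RE.match(piece)
            if nopasswd and piece == "ALL":
                findings.append(Finding(m.group("user"), "nopasswd_all",
                                        "any command as root, no password: effectively uid 0", line))
            elif nopasswd:
                findings.append(Finding(m.group("user"), "nopasswd_cmd", f"{piece} with no password", line))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"{f.principal:<8} {f.issue:<22} {f.detail}")
```

To run it against a live system, feed it `open('/etc/sudoers').read()` as root (the file is installed mode 0440) and repeat for each file in /etc/sudoers.d; the include_not_audited finding exists so that step is not forgotten.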
On Sat, 2 Nov 2013 15:34:13 +0000 (UTC)
Curt cu...@free.fr wrote:
On 2013-11-02, Joe Pfeiffer pfeif...@cs.nmsu.edu wrote:
Again -- isn't basically equivalent to giving everyone uid=0.
Permits someone who *has* sudo access to avoid retyping a
password.
Not only that. Permits someone
On 2013-11-02, Cybe R. Wizard cybe_r_wiz...@earthlink.net wrote:
http://www.sudo.ws/sudo/alerts/sudo_debug.html
Impact: Successful exploitation of the bug will allow a user to run
arbitrary commands as root.
Exploitation of the bug does not require that the attacker be listed
in the
Hi.
On Sat, 2 Nov 2013 11:46:48 -0500
Cybe R. Wizard cybe_r_wiz...@earthlink.net wrote:
How about this bug:
http://www.sudo.ws/sudo/alerts/sudo_debug.html
Impact: Successful exploitation of the bug will allow a user to run
arbitrary commands as root.
Exploitation of the bug
On Thu, Oct 31, 2013 at 09:35:16PM +0000, Curt wrote:
On 2013-10-31, Chris Bannister cbannis...@slingshot.co.nz wrote:
So you could shoot kids in halloween costumes for illegally being on
your property?
Only if they've been through your underwear (_very_
puritanical country).
If it was
On 2013-10-31, Thierry Chatelet tchate...@free.fr wrote:
On Thursday 31 October 2013 15:33:25 Bob Proulx wrote:
Note that I didn't say that I *would* shoot them dead.
Maybe shoot them just injured ? /Smilet/
Thierry
Right, he would've just blown their kneecaps out so they couldn't run
away
On Thu, Oct 31, 2013 at 4:33 PM, Bob Proulx b...@proulx.com wrote:
What would any of us do if confronted by a burglar
in the middle of the night while we were home and woken up from a
sound sleep? Certainly a terrifying situation. Calm thinking does
not happen at such times.
Agreed. Even
Reco recovery...@gmail.com writes:
On Mon, Oct 28, 2013 at 10:19:43AM -0600, Joe Pfeiffer wrote:
Reco recovery...@gmail.com writes:
You also have to add to the picture such a vulnerability, and I haven't
noticed any.
If we're speaking of public vulnerabilities:
CVE-2010-0427.
On Mon, Oct 28, 2013 at 03:38:12PM -0600, Bob Proulx wrote:
Case 1: I find that someone in my family who lives in my house has
rummaged through my underwear drawer. A violation of trust has
occurred. I am unhappy and will talk with them and give them a harsh
lecture. This is not appropriate
On Thursday, October 31, 2013 02:22:40 PM Chris Bannister wrote:
On Mon, Oct 28, 2013 at 03:38:12PM -0600, Bob Proulx wrote:
Case 1: I find that someone in my family who lives in my house has
rummaged through my underwear drawer. A violation of trust has
occurred. I am unhappy and will
Chris Bannister writes:
So you could shoot kids in halloween costumes for illegally being on
your property?
If you catch them in your bedroom rifling through your underwear,
maybe. There is no state in the union where the mere fact that someone
was trespassing is a valid murder defense.
Neal Murphy wrote:
Chris Bannister wrote:
Bob Proulx wrote:
Case 1: I find that someone in my family who lives in my house has
rummaged through my underwear drawer. A violation of trust has
occurred. I am unhappy and will talk with them and give them a harsh
lecture. This is not
On 2013-10-31, Chris Bannister cbannis...@slingshot.co.nz wrote:
So you could shoot kids in halloween costumes for illegally being on
your property?
Only if they've been through your underwear (_very_
puritanical country).
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
On 10/31/2013 05:02 PM, John Hasler wrote:
Chris Bannister writes:
So you could shoot kids in halloween costumes for illegally being on
your property?
If you catch them in your bedroom rifling through your underwear,
maybe. There is no state in the union where the mere fact that someone
Doug writes:
In many (most?) states, you are only justified in using deadly force
if you are threatened with bodily harm to yourself or your family.
If you wake up in the middle of the night, see a stranger searching your
dresser, and shoot him, you will almost certainly succeed in convincing
a
On Thursday 31 October 2013 15:33:25 Bob Proulx wrote:
Note that I didn't say that I *would* shoot them dead.
Maybe shoot them just injured ? /Smilet/
Thierry
On Mon, Oct 28, 2013 at 03:38:12PM -0600, Bob Proulx wrote:
Reco wrote:
And what about the end result ('user will get root privs')?
They are different users. A remote user could be anyone. A local
user is someone who is already known and has an account on the system
and who has an
On Tue, Oct 29, 2013 at 1:17 AM, Bob Proulx b...@proulx.com wrote:
Tom H wrote:
The standard task installs both nfs-common and rpcbind.
Aha! Apparently the ability to nfs mount in /etc/fstab is the root
cause of the dependency chain that requires nfs-common and therefore
portmapper. At a
On Sun, Oct 27, 2013 at 3:31 AM, Reco recovery...@gmail.com wrote:
On Sat, 26 Oct 2013 21:50:23 +0000
Tom H tomh0...@gmail.com wrote:
On Fri, Oct 25, 2013 at 9:16 PM, Reco recovery...@gmail.com wrote:
Yes, but pfexec is not sudo. And privilege-aware Solaris shells are
definitely not sudo
On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:
Reco recovery...@gmail.com writes:
True, you need to add to the picture that curious user who just read on
Bugtraq or Full Disclosure about fresh vulnerability in sudo. Or that
disgruntled user who needs /etc/system changed right
On Mon, Oct 28, 2013 at 09:37:02AM -0400, Tom H wrote:
On Sun, Oct 27, 2013 at 3:31 AM, Reco recovery...@gmail.com wrote:
On Sat, 26 Oct 2013 21:50:23 +0000
Tom H tomh0...@gmail.com wrote:
On Fri, Oct 25, 2013 at 9:16 PM, Reco recovery...@gmail.com wrote:
Yes, but pfexec is not sudo.
On 10/28/2013 03:47 PM, Reco wrote:
On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:
[snip]
You also have to add to the picture such a vulnerability, and I haven't
noticed any.
If we're speaking of public vulnerabilities:
CVE-2010-0427.
CVE-2013-1775 (allows bypass sudoers
On Sun, Oct 27, 2013 at 08:15:43PM -0600, Bob Proulx wrote:
Reco wrote:
Oh. You mean that HP suddenly transformed to good fairies and stopped
charging extra for aCC? Or IBM received an encrypted signal from their
supervisors from Mars and did the same to vacc? And don't even mention
Sun,
On Mon, Oct 28, 2013 at 03:56:32PM +0200, Lars Noodén wrote:
On 10/28/2013 03:47 PM, Reco wrote:
On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:
[snip]
You also have to add to the picture such a vulnerability, and I haven't
noticed any.
If we're speaking of public
Reco recovery...@gmail.com writes:
On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:
Reco recovery...@gmail.com writes:
True, you need to add to the picture that curious user who just read on
Bugtraq or Full Disclosure about fresh vulnerability in sudo. Or that
disgruntled
On Mon, Oct 28, 2013 at 1:51 PM, Reco recovery...@gmail.com wrote:
On Mon, Oct 28, 2013 at 09:37:02AM -0400, Tom H wrote:
On Sun, Oct 27, 2013 at 3:31 AM, Reco recovery...@gmail.com wrote:
On Sat, 26 Oct 2013 21:50:23 +0000
Tom H tomh0...@gmail.com wrote:
On Fri, Oct 25, 2013 at 9:16 PM, Reco
Reco wrote:
Bob Proulx wrote:
And one must be careful of throwing stones. For example Debian does
not provide a firewall by default. And it is debatable if it needs
one. Many people don't configure one. Many people do. It all
depends upon many things about the use case. I don't put
On Mon, Oct 28, 2013 at 11:45:03AM -0600, Bob Proulx wrote:
Reco wrote:
Bob Proulx wrote:
And one must be careful of throwing stones. For example Debian does
not provide a firewall by default. And it is debatable if it needs
one. Many people don't configure one. Many people do. It
On Mon, Oct 28, 2013 at 10:19:43AM -0600, Joe Pfeiffer wrote:
Reco recovery...@gmail.com writes:
You also have to add to the picture such a vulnerability, and I haven't
noticed any.
If we're speaking of public vulnerabilities:
CVE-2010-0427.
Does not permit users outside of those
Reco wrote:
Bob Proulx wrote:
Is 'rpcbind' installed by default? I will need to look. I wonder why
it would be there?
Part of a NFS client, I guess. Package is not marked as an essential one,
though. Running a diskless client over NFS would be a curious trick
without NFS support
Bob Proulx writes:
I just tried a minimum installation of Debian Wheezy in a VM and
rpcbind was not installed. Are you sure it is installed by default?
Rpcbind is priority standard. It is neither essential nor
required. Thus whether it is installed by default or not depends on
how you define
On Mon, Oct 28, 2013 at 01:14:33PM -0600, Bob Proulx wrote:
Reco wrote:
Bob Proulx wrote:
Is 'rpcbind' installed by default? I will need to look. I wonder why
it would be there?
Part of a NFS client, I guess. Package is not marked as an essential one,
though. Running a diskless
Reco wrote:
And what about the end result ('user will get root privs')?
They are different users. A remote user could be anyone. A local
user is someone who is already known and has an account on the system
and who has an established relationship and trust.
Case 1: I find that someone in my
John Hasler wrote:
Bob Proulx writes:
I just tried a minimum installation of Debian Wheezy in a VM and
rpcbind was not installed. Are you sure it is installed by default?
Rpcbind is priority standard. It is neither essential nor
required. Thus whether it is installed by default or not
On Mon, Oct 28, 2013 at 7:14 PM, Bob Proulx b...@proulx.com wrote:
Reco wrote:
Bob Proulx wrote:
Is 'rpcbind' installed by default? I will need to look. I wonder why
it would be there?
Part of a NFS client, I guess. Package is not marked as an essential one,
though. Running a diskless
Bob Proulx writes:
I don't think rpcbind should be priority standard these days. I
wonder if it would be possible to convince people that it should be
demoted to installed only as a dependency instead. Or if it is needed
to learn why it is still needed.
Standard consists of packages that
John Hasler wrote:
Bob Proulx writes:
I don't think rpcbind should be priority standard these days. I
wonder if it would be possible to convince people that it should be
demoted to installed only as a dependency instead. Or if it is needed
to learn why it is still needed.
Standard
Tom H wrote:
The standard task installs both nfs-common and rpcbind.
Aha! Apparently the ability to nfs mount in /etc/fstab is the root
cause of the dependency chain that requires nfs-common and therefore
portmapper. At a guess.
Bob
Bob Proulx wrote:
John Hasler wrote:
Standard consists of packages that you would be surprised not to find
on a UNIX system.
But the portmapper is very closely associated with Sun RPC. If I have
not installed anything in that family then I would not expect to find
the portmapper
Hi.
On Sat, 26 Oct 2013 21:50:23 +0000
Tom H tomh0...@gmail.com wrote:
On Fri, Oct 25, 2013 at 9:16 PM, Reco recovery...@gmail.com wrote:
Yes, but pfexec is not sudo. And privilege-aware Solaris shells are
definitely not sudo too.
It might not be sudo but it's the same principle of
Reco wrote:
Bob Proulx wrote:
Most of those systems ship very little by their vendors. I have used
them for many years and almost all of the software that you will use
on those systems will have been compiled and installed by the local
admin. IMNHO they are mainly a good solid base upon
Reco recovery...@gmail.com writes:
Tom H tomh0...@gmail.com wrote:
On Fri, Oct 25, 2013 at 9:16 PM, Reco recovery...@gmail.com wrote:
Considering that primary usage of sudo is to provide controlled
privilege escalation to uid=0, using unsupported (therefore - not
updated unless local
On Fri, Oct 25, 2013 at 9:16 PM, Reco recovery...@gmail.com wrote:
On Fri, 25 Oct 2013 20:28:57 +
Tom H tomh0...@gmail.com wrote:
On Fri, Oct 25, 2013 at 7:41 PM, recovery...@gmail.com wrote:
On Fri, 25 Oct 2013 12:31:55 -0600
Bob Proulx b...@proulx.com wrote:
Sudo has been on
HP-UX,
Hi.
On Fri, 25 Oct 2013 12:31:55 -0600
Bob Proulx b...@proulx.com wrote:
Sudo has been on
HP-UX, SunOS, Solaris, IBM AIX and others for many years. It isn't
anything new. It is a good worthy tool.
This is not entirely correct. Sudo is considered third-party software
in HP-UX (HP merely
This seems to be a thread I unintentionally initiated :D.
In the past I was against sudo, but nowadays I set up a root account
(su) and sudo for my Linux and if I use Ubuntu I usually keep it as is,
IOW just sudo, no root account. Security doesn't suffer from sudo, OTOH
I have no qualms as we
On Fri, Oct 25, 2013 at 7:41 PM, recovery...@gmail.com wrote:
On Fri, 25 Oct 2013 12:31:55 -0600
Bob Proulx b...@proulx.com wrote:
Sudo has been on
HP-UX, SunOS, Solaris, IBM AIX and others for many years. It isn't
anything new. It is a good worthy tool.
This is not entirely correct.
recovery...@gmail.com wrote:
Bob Proulx wrote:
Sudo has been on HP-UX, SunOS, Solaris, IBM AIX and others for
many years. It isn't anything new. It is a good worthy tool.
This is not entirely correct. Sudo is considered third-party software
in HP-UX (HP merely builds it and doesn't
On Fri, 25 Oct 2013 14:21:37 -0600
Bob Proulx b...@proulx.com wrote:
recovery...@gmail.com wrote:
Bob Proulx wrote:
This is not entirely correct. Sudo is considered third-party software
in HP-UX (HP merely builds it and doesn't install by default), AIX (not
provided by IBM and therefore
On Fri, 25 Oct 2013 20:28:57 +
Tom H tomh0...@gmail.com wrote:
On Fri, Oct 25, 2013 at 7:41 PM, recovery...@gmail.com wrote:
On Fri, 25 Oct 2013 12:31:55 -0600
Bob Proulx b...@proulx.com wrote:
Sudo has been on
HP-UX, SunOS, Solaris, IBM AIX and others for many years. It isn't
On Sat, 2013-10-26 at 01:07 +0400, Reco wrote:
Passwords stored in a plain text files in a recyclebin (or on a sheet
of paper under the keyboard).
Female sysadmins wearing slips of paper on the forehead with
passphrases: http://www.kingmatz.com/Bilder%202007/2009/mk/RIMG0206.JPG
On Fri, 25 Oct 2013 22:10:35 +0200
Ralf Mardorf ralf.mard...@alice-dsl.net wrote:
In the past I was against sudo, but nowadays I set up a root account
(su) and sudo for my Linux and if I use Ubuntu I usually keep it as is,
IOW just sudo, no root account. Security doesn't suffer from sudo, OTOH
On Sat, 2013-10-26 at 01:34 +0400, Reco wrote:
Please tell that to that Lennart Poettering guy who invented his own
RealTimeGizmo for his beloved PulseAudio ;)
Ok, now I'm able to resist. I love to be marxbrotherish, but with
respect to the list, I try to fake, that I don't know who this girl
On Fri, 25 Oct 2013 23:17:06 +0200
Ralf Mardorf ralf.mard...@alice-dsl.net wrote:
On Sat, 2013-10-26 at 01:07 +0400, Reco wrote:
Passwords stored in a plain text files in a recyclebin (or on a sheet
of paper under the keyboard).
Female sysadmins wearing slips of paper on the forehead with