Brad, I sent a detailed account of the bug off-list. I filed the bug as "private" given its sensitive nature. In short, the bug allows users to bypass the command restrictions listed in the configuration file. I submitted this bug to the author over 4 months ago, but there has been no response. This project hasn't had any real updates since 2008, so it's probably safe to consider it abandoned at this point.
I had actually gone with using rootsh and forgotten about this. Sudosh2 was actually suggested to me while in the midst of building a PCI-compliant environment, and I suspect there are many other companies using it to maintain compliance. Now that this thread has reminded me, I'm going to make a full disclosure release.
On Apr 14, 2010, at 8:53 AM, Brad Hudson wrote:
Hi Ben;

We use sudosh here extensively. Can you elaborate on the nature of the bug you reported? I checked the sourceforge page and I only see 3 open bug reports, none of which I consider terribly threatening. If you could point me to the bug you filed so I can check out the detail and scope I would appreciate it.

Thanks,
Brad

On 04/13/2010 03:09 PM, Benjamin Krueger wrote:

DO NOT USE sudosh or sudosh2. Sudosh2 has at least one serious security issue. I reported it last year, but it remains unresolved. If you're considering using it, don't. If you're using it now, you should stop. An excellent alternative that I'm using across my fleet is "rootsh", http://sourceforge.net/projects/rootsh/.

On Apr 13, 2010, at 11:52 AM, Robert Hajime Lanning wrote:

sudosh was abandoned. The fork is sudosh2. http://sourceforge.net/projects/sudosh2/

seph wrote:

sudosh was trying to do this, I don't remember if that's still active. You don't mention which OS you're using, but various ones have process accounting that could do this.

seph

Matt Lawrence <[email protected]> writes:

Due to some problems caused unintentionally by some users, we need to log commands that are being run. Right now the other sysadmin has added some neat things to log the previous command ("history | tail -1") before printing a prompt, and I was wondering if anyone knows of a good way to log the commands before they are executed. Or, rather, to be able to grab the command and do something when the return key is pressed; the actual logging part is easy. Suggestions?

-- Matt
It's not what I know that counts. It's what I can remember in time to use.

-- END OF LINE --
MCP

Benjamin Krueger [email protected]

--
Brad Hudson
SA Team Lead
The Pythian Group - love your data
Desk: 613-565-8696 x202
IM: pythianhudson
Benjamin Krueger [email protected]
_______________________________________________ Tech mailing list [email protected] http://lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/
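Matt's original question in the quoted thread was how to capture a command at the moment the return key is pressed, before it runs, rather than reading it back out of history afterwards. In bash that hook is the DEBUG trap, which fires immediately before each simple command. The script below is an added example written for this thread; it is not code from any of the posters, nor from sudosh, sudosh2 or rootsh, and the syslog tag and record format are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread or from sudosh/rootsh: log each
# interactive command just before bash executes it, using the DEBUG trap.

AUDIT_TAG="shell-audit"   # assumed syslog tag for the audit records

# Build one audit record from explicit fields so the format is testable.
# $1 command, $2 timestamp, $3 login user, $4 effective user, $5 tty, $6 cwd
format_audit_line() {
    # Collapse embedded newlines so every record stays on a single line.
    cmd=$(printf '%s' "$1" | tr '\n' ' ')
    printf '%s user=%s euid=%s tty=%s cwd=%s cmd=%s\n' \
        "$2" "$3" "$4" "$5" "$6" "$cmd"
}

# Collect context from the running shell and hand the record to syslog.
# Writing via logger to authpriv, rather than to a file in the user's home,
# puts the record somewhere the user cannot edit once it has been written.
audit_command() {
    line=$(format_audit_line "$1" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(logname 2>/dev/null || echo unknown)" "$(id -un)" \
        "$(tty 2>/dev/null || echo notty)" "$PWD")
    logger -t "$AUDIT_TAG" -p authpriv.notice -- "$line"
}

# Install the trap. DEBUG runs before each simple command, which is the
# "when the return key is pressed" point Matt asked about. It exists only
# in bash, so refuse to install anywhere else. Meant to be sourced from a
# system-wide rc file such as /etc/bash.bashrc (assumed location).
install_audit_trap() {
    [ -n "$BASH_VERSION" ] || return 1
    # BASH_COMMAND holds the text of the command about to execute.
    trap 'audit_command "$BASH_COMMAND"' DEBUG
    return 0
}
```

Source the file and call `install_audit_trap` from a system-wide bash startup file; each subsequent command produces one `authpriv` record like `2010-04-14T08:53:00Z user=ben euid=root tty=pts/0 cwd=/home/ben cmd=ls -l`. Treat this as an audit aid rather than a security boundary: it covers only the bash process that installed it, so a user who runs a different shell or a binary directly leaves no record, and a user with a shell can remove the trap. That is the same limitation class the thread raises for sudosh2, which is why seph's pointer to process accounting is worth pairing with it: accounting records come from the kernel and do not depend on the shell cooperating.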
