Benjamin;

Thanks for the update. I'll wait for the email and see if it affects me.

Given your brief summary I think the impact to us would be small. We have checks and balances in place already to prevent access by unauthorized users, and the only thing sudosh is used for is to get sudo-based shell access as a different user (i.e. oracle, root), which will still provide logging of the escalation if some details are left out. In our case you could not even run sudosh unless you first had access to the server and logged in as yourself. Sudosh is a useful tool but is by no means a one-stop shop for security; it should be just one of the eggs in your basket.

Regards;
Brad

On 04/14/2010 12:34 PM, Benjamin Krueger wrote:
> Brad, I sent a detailed account of the bug off-list.
>
> I filed the bug as "private" given its sensitive nature. In short, the bug allows users to bypass the command restrictions listed in the configuration file. I submitted this bug to the author over 4 months ago, but there has been no response. This project hasn't had any real updates since 2008, so it's probably safe to consider it abandoned at this point.
>
> I had actually gone with using rootsh and forgotten about this. Sudosh2 was actually suggested to me while in the midst of building a PCI compliant environment, and I suspect there are many other companies using it to maintain compliance. Now that this thread has reminded me I'm going to make a full disclosure release.
>
> On Apr 14, 2010, at 8:53 AM, Brad Hudson wrote:
>
>> Hi Ben;
>>
>> We use sudosh here extensively.
>>
>> Can you elaborate on the nature of the bug you reported? I checked the sourceforge page and I only see 3 open bug reports, none of which I consider terribly threatening. If you could point me to the bug you filed so I can check out the detail and scope I would appreciate it.
>>
>> Thanks,
>>
>> Brad
>>
>> On 04/13/2010 03:09 PM, Benjamin Krueger wrote:
>>> DO NOT USE sudosh or sudosh2.
>>>
>>> Sudosh2 has at least one serious security issue. I reported it last year, but it remains unresolved. If you're considering using it, don't. If you're using it now, you should stop. An excellent alternative that I'm using across my fleet is "rootsh", http://sourceforge.net/projects/rootsh/.
>>>
>>> On Apr 13, 2010, at 11:52 AM, Robert Hajime Lanning wrote:
>>>
>>>> sudosh was abandoned.
>>>>
>>>> The fork is sudosh2.
>>>> http://sourceforge.net/projects/sudosh2/
>>>>
>>>> seph wrote:
>>>>> sudosh was trying to do this, I don't remember if that's still active.
>>>>>
>>>>> You don't mention which OS you're using, but various ones have process accounting that could do this.
>>>>>
>>>>> seph
>>>>>
>>>>> Matt Lawrence <[email protected]> writes:
>>>>>
>>>>>> Due to some problems caused unintentionally by some users, we need to log commands that are being run. Right now the other sysadmin has added some neat things to log the previous command ("history | tail -1") before printing a prompt and I was wondering if anyone knows of a good way to log the commands before they are executed. Or, rather, to be able to grab the command and do something when the return key is pressed; the actual logging part is easy.
>>>>>>
>>>>>> Suggestions?
>>>>>>
>>>>>> -- Matt
>>>>>> It's not what I know that counts.
>>>>>> It's what I can remember in time to use.
>>>>>> _______________________________________________
>>>>>> Tech mailing list
>>>>>> [email protected]
>>>>>> http://lopsa.org/cgi-bin/mailman/listinfo/tech
>>>>>> This list provided by the League of Professional System Administrators
>>>>>> http://lopsa.org/
>>>>
>>>> --
>>>> END OF LINE
>>>> --MCP
>>>
>>> Benjamin Krueger
>>> [email protected]
>>
>> --
>> Brad Hudson
>> SA Team Lead
>> The Pythian Group - love your data
>> Desk: 613-565-8696 x202
>> IM: pythianhudson
>
> Benjamin Krueger
> [email protected]

--
Brad Hudson
SA Team Lead
The Pythian Group - love your data
Desk: 613-565-8696 x202
IM: pythianhudson
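One way to do what Matt asks for, logging each command before the shell runs it rather than reading the previous one from history, as an added example that is not code from anyone in this thread: it uses bash's DEBUG trap and BASH_COMMAND, assumes bash and a syslog logger(1), and the audit tag and facility names are my choice.

```shell
#!/bin/bash
# Added example (not from the thread): record every interactive command
# to syslog just before bash executes it, via the DEBUG trap.
# Assumes bash 3+ and logger(1); "cmdaudit"/authpriv are arbitrary choices.

# Render one audit record. Newlines inside multi-line commands are folded
# to spaces so each record stays on a single syslog line.
format_cmd_log() {
    # $1 user, $2 tty, $3 working directory, $4 command text
    local cmd
    cmd=$(printf '%s' "$4" | tr '\n' ' ')
    printf 'user=%s tty=%s cwd=%s cmd=%s' "$1" "$2" "$3" "$cmd"
}

# Runs from the DEBUG trap immediately before each simple command.
audit_command() {
    # Do not log the audit machinery itself.
    case "$BASH_COMMAND" in
        audit_command*|format_cmd_log*) return 0 ;;
    esac
    logger -p authpriv.info -t cmdaudit -- \
        "$(format_cmd_log "${SUDO_USER:-$USER}" \
                          "$(tty 2>/dev/null || echo none)" \
                          "$PWD" "$BASH_COMMAND")"
}

# Source this from /etc/bash.bashrc or /etc/profile.d/; it only arms the
# trap in interactive shells, so scripts and cron jobs are not flooded.
# Caveat: a user who controls the shell can remove the trap, so this is an
# audit aid for the unintentional mistakes Matt describes, not an access
# control; pair it with sudo's own logging or process accounting.
install_cmd_audit() {
    case "$-" in *i*) ;; *) return 0 ;; esac
    trap 'audit_command' DEBUG
}
```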
