Re: Red Hat 9: free tickets
From: Stephen Samuel (samuel_at_bcgreen.com)
Date: 07/11/03
- Previous message: NetNinja: "Named pipe paper"
- Maybe in reply to: Michal Zalewski: "Red Hat 9: free tickets"
Date: Fri, 11 Jul 2003 11:30:12 -0700
To: Jon Hart <warchild@spoofed.org>

Jon Hart wrote:
> On Sun, Jul 06, 2003 at 12:30:34PM -0700, Stephen Samuel wrote:
>>Proof of concept:
>>
>>as yourself:
>>ln -s /var/run/sudo/$USER/unknown:root /tmp/oops
>>
>>as root:
>>touch /tmp/oops
>
> Actually, I'm not sure this is entirely true. Well, it is, but there is
> another important condition that must be met for this (or similar)
> attacks to work properly -- /var/run/sudo/$USER/ must exist. This means
> that the user must have previously sudo'd at least once and
> /var/run/sudo/$USER/ will have been created.

Yep, that sounds accurate, but it just raised another point for me
(not quite blazingly obvious, but an issue to remember, nonetheless):
If, as an administrator, you use the GUI password thing to access
an admin function, you have to remember to (must be done as root)
remove the /var/run/sudo/$USER/* files -- or else the user has
(essentially) full root privs until the file expires.

I think that Red Hat should allow some way (and I really think
it should be the default state) for people to indicate that
they do *NOT* want the system to remember that authorization.

--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to life.
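
The cleanup step described in the message above (removing the files under /var/run/sudo/$USER/ as root), written out as an added example that is not part of the original post. The function names are hypothetical, the directory layout is the one named in the thread, and the 5-minute default window is an assumption to be replaced with the timeout configured on the system.

```shell
#!/bin/sh
# Added example: audit and purge cached authorization tickets.
# TICKET_ROOT is the directory named in the thread; MAX_AGE_MIN is an
# assumed ticket lifetime, set it to the timeout your system really uses.
TICKET_ROOT="${TICKET_ROOT:-/var/run/sudo}"
MAX_AGE_MIN="${MAX_AGE_MIN:-5}"

# Print "user<TAB>path" for every ticket modified inside the window,
# i.e. every ticket that could still be honoured.
live_tickets() {
    root="$1"; max_age="$2"
    [ -d "$root" ] || return 0
    # Depth 2 only: $root/<user>/<ticket>
    find "$root" -mindepth 2 -maxdepth 2 -type f -mmin "-$max_age" 2>/dev/null |
    while IFS= read -r path; do
        user=$(basename "$(dirname "$path")")
        printf '%s\t%s\n' "$user" "$path"
    done
}

# Remove every ticket belonging to one user. Must be run as root on a
# real system. Rejects names that could point outside the ticket root.
purge_user_tickets() {
    root="$1"; user="$2"
    case "$user" in
        ''|.|..|*/*) echo "refusing user name: '$user'" >&2; return 2 ;;
    esac
    dir="$root/$user"
    # Skip a missing directory, and never follow a symlinked one.
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 0
    # Delete regular files and symlinks themselves, never their targets.
    find "$dir" -mindepth 1 -maxdepth 1 \( -type f -o -type l \) \
        -exec rm -f -- {} +
}

# Typical use after an admin has authenticated on a user's session:
#   live_tickets "$TICKET_ROOT" "$MAX_AGE_MIN"
#   purge_user_tickets "$TICKET_ROOT" alice
```
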