Sud’oh!

by Nick on Apr.16, 2010, under Administration, News, Security

“Sudo’s command matching routine expects actual commands to include one or more slash (‘/’) characters. The flaw is that sudo’s path resolution code did not add a “./” prefix to commands found in the current working directory. This creates an ambiguity between a “sudoedit” command found in the cwd and the “sudoedit” pseudo-command in the sudoers file. As a result, a user may be able to run an arbitrary command named “sudoedit” in the current working directory. For the attack to be successful, the PATH environment variable must include “.” and may not include any other directory that contains a “sudoedit” command.”
(From http://portaudit.FreeBSD.org/1a9f678d-48ca-11df-85f8-000c29a67389.html)

I actually read about this on Full Disclosure. This is very similar to an earlier exploit. Sudo is a great tool, but you always have to be *very* careful who you give sudo access to.

Posts Related to Sud'oh!

sudo -u
Sometimes, especially on X.X upgrades, WordPress Automatic Update does not work. Oh, it claims to work. But it doesn't. So you have to upgrade manually. ...
Ubuntu Apache2 Auto Config BASH script
Man, I've been busy... I've recently been promoted to being a System's Administrator! This has forced me to program a few BASH scripts. This one ...
What happens when I program “On the Fly”
So I needed a quick script to query a billing database for DSL users. The user names, of course where horribly inconsistent. I had to ...
SpamAssassin
Spam is the bane of all email servers and services. As I wrote in my email entry, I use Maia, which is a frontend to ...
IPv6
So... It's been awhile. Recently, I've decided to make sure that all of my servers were IPv6 addressable. This was made infinitely easier by working ...

RSS feed for this post (comments)TrackBack URI

Time Devourer
Welcome to my blog. I'm sure it's just like any other blog except for one important difference, it's mine.
You can also subscribe by email by filling the field below:
Static Pages of the Damned
Are you using IPv6?
http://ipv6.chronophage.net
Asteroids!
Feel free to participate in the editioral process of this blog.
WSAD or Arrow keys to fly.
Spacebar to shoot!
By Eric and Erik
Tagalicious
6to4 advocacy anti-spam anti-virus apache bash comics DNS dovecot E-Mail Education Funny Hardware ipv6 joke linux mail Networking php pop-imap postfix Programming Quotes Security shell Software teredo ugly Uncategorized UNIX UNIX 101 virtulization VMware web webmail
Subscribe to blog.chronophage.net via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

What I’m doing…
- RT @NewsCut: Hmmmm. A 9-7 team won the Super Bowl? It's almost as if the Patriots are deeply flawed and overrated. 13 hours ago
- Apparently Josephine looks like me in this picture. http://t.co/rIb98Kbb 2 days ago
- Here, There Be Storage Related Dragons...: http://t.co/HZZVHvCZ 2 days ago
- RT @KenJennings: The new job numbers look so good for Obama that Romney might just have to go fire 10,000 more people. 2 days ago
- All one server, 98% Idle CPU. Behold the power of caching! I may have overbuilt my personal web cluster a bit ;) http://t.co/3y7auH8r 3 days ago
Google Stats

3
Unique
Visitors
Powered By

On Jabber?

Chronophage.net Blog

Sud’oh!

Posts Related to Sud'oh!

sudo -u

Ubuntu Apache2 Auto Config BASH script

What happens when I program “On the Fly”

SpamAssassin

IPv6

Leave a Reply

Time Devourer

Static Pages of the Damned

Are you using IPv6?

Asteroids!

Subscribe to blog.chronophage.net via Email

What I’m doing…

Google Stats

On Jabber?

Looking for something?

Blogroll

Archives

Posts Related to Sud'oh!

Leave a Reply

Time Devourer

Static Pages of the Damned

Are you using IPv6?

Asteroids!

Tagalicious

Subscribe to blog.chronophage.net via Email

Google Stats

On Jabber?

Looking for something?

Blogroll

Archives