Is my implementation/understanding of SUDO flawed?
Todd C. Miller
Todd.Miller at courtesan.com
Sun Feb 24 16:38:02 EST 2002
In message <000701c1bd6d$5dfc8640$737c7ad5 at oemcomputer>
so spake "ian Laing" (ian.laing):
> 1) The start/stop scripts don't sanitise the PATH, so if an operator starts
> with a PATH containing
> their personal home directory *first* then that is the PATH the scripts use.
> They can therefore subvert commands like echo with their own version and
> Unix will run that.
> Their own echo command can then simply contain a ksh to give them a root
> shell.
You can use the --with-secure-path configure option to hard-code a path.
- todd
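As an added example (not from this thread or from the sudo project), here is how a start/stop script of the kind Ian describes can pin its own PATH, together with a helper that filters a caller-supplied PATH down to trusted system directories; the trusted directory list is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread: a start/stop script that refuses
# to inherit the caller's PATH. The trusted directory list is an assumption.
TRUSTED_DIRS="/usr/sbin:/usr/bin:/sbin:/bin"

# sanitize_path PATHSTRING
# Prints PATHSTRING reduced to the entries that appear in TRUSTED_DIRS, in
# their original order. Relative entries, empty entries and anything outside
# the trusted list (a home directory, for instance) are dropped.
sanitize_path() {
    _out=""
    _old_ifs="$IFS"; IFS=':'; set -f   # split on ':' only, no globbing
    for _dir in $1; do
        case "$_dir" in
            /*) ;;             # absolute: a candidate
            *)  continue ;;    # relative or empty: never trusted
        esac
        for _ok in $TRUSTED_DIRS; do
            if [ "$_dir" = "$_ok" ]; then
                _out="${_out:+$_out:}$_dir"
                break
            fi
        done
    done
    set +f; IFS="$_old_ifs"
    printf '%s\n' "$_out"
}

# path_is_trusted PATHSTRING: succeeds only if nothing would be filtered out,
# i.e. the PATH contains no entry that could shadow a system command.
path_is_trusted() {
    [ -n "$1" ] && [ "$(sanitize_path "$1")" = "$1" ]
}

# Pin PATH before running a single command: whatever the operator's shell had
# in PATH (for example $HOME/bin first) cannot shadow echo, ksh or anything
# else this script runs. This is the script-side counterpart of the
# --with-secure-path option mentioned in the reply above.
PATH="$TRUSTED_DIRS"; export PATH

start_service() {
    # Real start logic would go here; the point is that every command name
    # used below now resolves only inside TRUSTED_DIRS.
    echo "starting service with PATH=$PATH"
}

case "${1:-}" in
    start) start_service ;;
esac
```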