[sudo-users] Rating a Security alert - problem with negated entries.
highc at stny.rr.com
highc at stny.rr.com
Tue May 4 17:44:16 EDT 2010
Sudo team;
Please advise if I should post this concern to a different thread.
The company I work for takes the security alerts listed at
http://www.sudo.ws/sudo/security.html
very seriously, which is good. The unfortunate side effect is that any
bug fix which is not listed there is deemed to be 'functional' only.
The bug:
2009-11-23 10:56 millert
* match.c: cmnd_matches() already deals with negation so
_cmndlist_matches() does not need to do so itself. Fixes a bug
with negated entries in a Cmnd_List.
which I believe was fixed in 1.7.2p2,
is causing some potential security breaches in my environment, and I'm
having a hard time getting the 'right' sort of attention. Would it be
possible to have this item listed on the above web page as a security
alert?
In general, we find folks can do some fairly 'awesome' things which the
system adminstrators had previously locked down with some '!'ed sudoers
entries.
Thanks for your consideration.
Chris
--
Support anti-Spam legislation.
Join the fight http://www.cauce.org/
More information about the sudo-users
mailing list