[sudo-users] Rating a Security alert - problem with negated entries.

Todd C. Miller Todd.Miller at courtesan.com
Thu May 6 10:38:05 EDT 2010


In message <4BE1E046.8010907 at stny.rr.com>
	so spake  (highc):

> I will say I wasn't aware of the part where the 'double' negation was 
> needed to trigger the bug; however, I suspect that since most of the 
> files our SAs create have some ! applied against ALL entries, that 
> might be enough to trigger it and I simply never noticed.

The double negation is not in the sudoers file itself; the code was
basically applying the '!' twice in this case, which is why the
command was allowed.

 - todd


