Date: Sat, 27 Jun 1998 14:27:56 -0600
From: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Bug is sudo?
Of course, this only works if you exist in the sudoers file, which
makes it pretty benign. I agree that sudo should ask for a password
and this is fixed in sudo 1.5.4p1, available now from:
ftp://ftp.cs.colorado.edu/pub/sudo/cu-sudo.v1.5.4p1.tar.Z
It is still possible for a user in sudoers to probe for binaries
but it's not really possible to disable that without making it
impossible for a sudo user to know *which* version of a command
was disallowed (for instance, sudoers may specify the system "ls"
and the user may have the GNU version first in their path).
- todd
