On 20/04/2010 8.42, Ansgar Wiechers wrote: > Perhaps I'm missing something, but how is this a security flaw? A user > who is allowed to run "sudoedit" can edit /etc/sudoers, and thus allow > himself to run any command anyway. > > Regards > Ansgar Wiechers In the configuration file (sudoers) you can specify the file that the user is allowed to edit (http://www.gratisoft.us/sudo/man/sudoers.html). The bug allow you to bypass these controls and gain root privileges. Best regards, Maurizio -- Maurizio Agazzini CISSP, OPST Senior Security Advisor Team Manager @ Mediaservice.net Srl Tel: +39-011-32.72.100 Via San Bernardino, 17 Fax: +39-011-32.46.497 10141 Torino - ITALY http://mediaservice.net/
