From owner-freebsd-security Thu Sep 7 2:34:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194])
	by hub.freebsd.org (Postfix) with ESMTP id 799CB37B422
	for ; Thu, 7 Sep 2000 02:34:25 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1)
	id 13Wy4a-000A0s-00; Thu, 07 Sep 2000 11:34:20 +0200
Date: Thu, 7 Sep 2000 11:34:20 +0200
From: Neil Blakey-Milner
To: "Vladimir Mencl, MK, susSED"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <20000907113419.A38101@mithrandr.moria.org>
References: <20000907104925.A37872@mithrandr.moria.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: ; from mencl@nenya.ms.mff.cuni.cz on Thu, Sep 07, 2000 at 10:56:59AM +0200
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu 2000-09-07 (10:56), Vladimir Mencl, MK, susSED wrote:
> > Why would someone install the sudo RedHat package on FreeBSD?
>
> sudo is a FreeBSD port, and is distributed in the set of precompiled
> packages, for quite a long time, and is of course included in the package
> set of the 4.1 release - sudo-1.6.3.4.tgz
>
> And sudo is a nice tool for delegating certain privileges to users,
> that's why I installed it. It's surely more secure, than telling
> everybody the root password - although you have to be careful not to
> create a security hole.

I understand sudo is a FreeBSD package. However, its insecurity has
nothing to do with the glibc locale bug, so it should be investigated in
its own context.

I imagine bringing it to the attention of the sudo developers would be a
good idea. I'd be surprised if they didn't fix it once aware of it.

(I don't use sudo. Custom setuid scripts with rcs-aware editors running
as user are usually much better.)

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org