From owner-freebsd-security Thu Sep 7 9:16:10 2000 Delivered-To: freebsd-security@freebsd.org Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (Postfix) with ESMTP id 7806437B423 for ; Thu, 7 Sep 2000 09:16:06 -0700 (PDT) Received: (from smap@localhost) by whistle.com (8.10.0/8.10.0) id e87GG6320742 for ; Thu, 7 Sep 2000 09:16:06 -0700 (PDT) Received: from pau-amma.whistle.com( 207.76.205.64) by whistle.com via smap (V2.0) id xma020740; Thu, 7 Sep 2000 09:15:50 -0700 Received: (from dhw@localhost) by pau-amma.whistle.com (8.9.3/8.9.3) id JAA06923 for security@FreeBSD.ORG; Thu, 7 Sep 2000 09:15:50 -0700 (PDT) (envelope-from dhw) Date: Thu, 7 Sep 2000 09:15:50 -0700 (PDT) From: David Wolfskill Message-Id: <200009071615.JAA06923@pau-amma.whistle.com> Subject: Re: UNIX locale format string vulnerability (fwd) Cc: security@FreeBSD.ORG In-Reply-To: <00090717035304.31820@foo.akitanet.co.uk> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >From: Paul Robinson >To: "Vladimir Mencl, MK, susSED" , >Date: Thu, 7 Sep 2000 17:01:54 +0100 >Although a valid point, I'm amazed that on 99.95% of machines with sudo >installed I can walk upto it and type: >sudo su - >And get root shell straight away.sudo /bin/sh is always a good one as well. I >think the education needs to start at the basic level first,because I've yet to >see anybody setup sudo correctly the first time around. With respect, what you observe may well be "correctly" for some of the installations in question. "What is correct" is a highly context- sensitive matter, and trying to apply the criteria for one set of circumstances to an installation that is in a different set of circumstances is not always useful. This is not to say that folks do not make mistakes; we're all human. But in practice, there are trade-offs made in implementing security. Cheers, david -- David Wolfskill dhw@whistle.com UNIX System Administrator Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message