Date: Sat, 23 Dec 2000 10:58:37 -0800 (PST)
From: Tom
To: "David J. Kanter"
Cc: FreeBSD stable
Subject: Re: Security problem with "script"?
In-Reply-To: <20001007031416.A1389@freebsd.mindspring.com>

On Sat, 7 Oct 2000, David J. Kanter wrote:

> I don't know if this is an issue or not, but using the script program with
> sudo seems to switch the sudoer's id to root.
>
> Here's an example:
>
> david@/usr/src % whoami
> david
> david@/usr/src % sudo script /usr/tmp/buildworld
> Script started, output file is /usr/tmp/buildworld
> root@/usr/src % whoami
> root
> root@/usr/src %

I don't know why mail from October is resurfacing.

But this is not a security problem. Configuring sudo to allow users to
start a shell, or start something that starts a shell is silly.

Tom
Uniserve
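The configuration issue raised in the reply above can be checked mechanically. The following is an added example, not part of the original message: a simplified sudoers audit that flags rules granting `ALL` or a program that starts a shell, such as `script`. The list of shell-capable programs, the function names and the sample rules are assumptions made for illustration.

```python
import os
import re

# Assumption: basenames that start a shell or offer a shell escape. "script" is
# the case from the thread; the rest of the list is illustrative, not exhaustive.
SHELL_CAPABLE = {"script", "sh", "csh", "tcsh", "bash", "ksh", "zsh", "su",
                 "vi", "vim", "less", "more"}

def expand(spec, aliases):
    """Turn the right-hand side of a rule into a flat list of commands."""
    spec = re.sub(r"\([^)]*\)", "", spec)                # drop (runas) lists
    cmds = []
    for item in spec.split(","):
        item = re.sub(r"^(?:\s*[A-Z]+:\s*)+", "", item).strip()  # drop NOPASSWD: etc.
        if item and not item.startswith("!"):            # negations grant nothing
            cmds.extend(aliases.get(item, [item]))
    return cmds

def audit_sudoers(text):
    """Return (user, command, reason) for rules that hand out a root shell."""
    aliases, findings = {}, []
    for raw in text.replace("\\\n", " ").splitlines():   # join continuation lines
        line = raw.split("#", 1)[0].strip()              # simplified comment handling
        if "=" not in line or line.startswith("Defaults"):
            continue
        left, right = (part.strip() for part in line.split("=", 1))
        if left.startswith("Cmnd_Alias"):
            aliases[left.split()[1]] = expand(right, aliases)
            continue
        if left.split()[0].endswith("_Alias"):           # User/Host/Runas aliases
            continue
        user = left.split()[0]
        for cmd in expand(right, aliases):
            if cmd == "ALL":
                findings.append((user, cmd, "ALL includes every shell"))
            elif os.path.basename(cmd.split()[0]) in SHELL_CAPABLE:
                findings.append((user, cmd, "runs or can escape to a shell"))
    return findings

# Constructed sample, not taken from the thread.
SAMPLE = """\
Cmnd_Alias BUILD = /usr/bin/make, /usr/bin/script
david  ALL = BUILD
alice  ALL = (root) NOPASSWD: /usr/sbin/service nginx restart
bob    ALL = (ALL) ALL
"""

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE):
        print(f"{user}: {cmd} ({reason})")
```

The parser covers only plain user rules and `Cmnd_Alias` definitions; it does not handle `#include` directives or `#uid` syntax.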