Re: Sudo: local root compromise with krb5 enabled

From: Mark Senior (senatorfroggmail.com)
Date: Thu Jun 07 2007 - 14:55:52 CDT


On 6/7/07, James Downs wrote:
>
> On Jun 6, 2007, at 6:57 PM, Thor Lancelot Simon wrote:
>
> > The 'sudo' package can be built to use Kerberos 5 for authentication
> > of users. When a user is properly authenticated to sudo, sudo grants
>
> It should be noted that Kerberos is not an authorization system. All
> this case does is allow a user, who can already log into your system,
> and already can use sudo, to bypass their real password. If the user
> can't do things as root, correct or incorrect password isn't buying
> them much.
>
> This IS a bug in handling kerberos authentication, but if the user
> can log into the system, the user can use any version of sudo, and if
> they're authorized, they already know their password, and can do
> things as root.

In Suse Linux 10, the default /etc/sudoers has

...
Defaults targetpw # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
...

In other words, in the SuSE default config, sudo is just an
overcomplicated su - to sudo something as root, you need not your own
password, but root's - except you don't have to be in wheel to use it.

If sudo is configured as above, and uses kerberos, then all users
might be able to exploit this.
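
An added example, not part of the original message or of sudo: a small Python check for the configuration described above, reporting whether a sudoers file lets every user reach sudo's authentication step. The parser is simplified (it assumes no #include directives or #uid entries), and the sample input is constructed from the two lines quoted in the post plus one constructed group rule.

```python
import re

# Constructed sample: the two lines quoted in the post plus one constructed group rule.
SAMPLE = """\
Defaults targetpw   # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
%wheel ALL=(ALL) ALL
"""

# user ALL, host ALL, optional (runas), optional tags such as NOPASSWD:, command ALL
EVERYONE = re.compile(r"^ALL\s+ALL\s*=\s*(?:\(([^)]*)\))?\s*(?:[A-Z_]+:\s*)*ALL$")

def logical_lines(text):
    """Strip comments and join backslash continuations (simplified: no #include, no #uid)."""
    joined = re.sub(r"\\\n", " ", text)
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def audit_sudoers(text):
    """Return (targetpw, everyone_rules, verdict) for one sudoers file's contents."""
    targetpw, everyone_rules = False, []
    for line in logical_lines(text):
        m = re.match(r"^Defaults\s+(.+)$", line)  # global Defaults only, not Defaults:user etc.
        if m:
            for flag in (f.strip() for f in m.group(1).split(",")):
                if flag in ("targetpw", "!targetpw"):
                    targetpw = not flag.startswith("!")
            continue
        m = EVERYONE.match(line)
        if m:
            # No runas list means root; otherwise look at the user part before ':'
            runas = (m.group(1) or "root").split(":")[0]
            if {"ALL", "root"} & {u.strip() for u in runas.split(",")}:
                everyone_rules.append(line)
    if not everyone_rules:
        verdict = "restricted: only listed users or groups reach sudo authentication"
    elif targetpw:
        verdict = "open: every user reaches sudo authentication; it is the only barrier to root"
    else:
        verdict = "critical: every user gets root with their own password"
    return targetpw, everyone_rules, verdict

if __name__ == "__main__":
    print(audit_sudoers(SAMPLE))
```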