Your message dated Mon, 6 Oct 2008 14:42:04 +0200 (CEST)
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#501303: sudo with mc provides root privileges to users
has caused the Debian Bug report #501303,
regarding sudo with mc provides root privileges to users
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
501303: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501303
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: mc
Version: 1:4.6.1-6
Severity: critical
Tags: security
Justification: root security hole

Hello,

When a user appearing in the sudoers file uses the following command:
$ sudo mc

Midnight Commander starts within a root shell.
Look at the bottom left of the mc screen : [EMAIL PROTECTED]:~#
Also, 'whoami' reports 'root'.
Then the user has full access to the filesystem as the root user.

It occurs even if the sudoers file does not allow access to the /usr/bin/su 
command to the user.

I don't know if it is a feature, but it looks strange to me. I think that 
system administrators using sudo functionalities should be aware of this 
behaviour.

PS : This behaviour occurs also with Ubuntu 8.04 (Hardy), on a standard desktop 
installation.

Thanks.
Regards,
---
Mathieu RV


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Versions of packages mc depends on:
ii  libc6                  2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii  libglib2.0-0           2.12.4-2          The GLib library of C routines
ii  libgpmg1               1.19.6-25         General Purpose Mouse - shared lib
ii  libslang2              2.0.6-4           The S-Lang programming library - r

mc recommends no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Hi,

On Mon, October 6, 2008 14:25, Mathieu RV wrote:
> When a user appearing in the sudoers file uses the following command:
> $ sudo mc
>
>
> Midnight Commander starts within a root shell.

If you allow "sudo bash" that also gives you a root shell, just as "sudo
vim" when you use vim's shell escaping. The admin should be aware that
when he allows a command to be run as root, everything that command can do
can be done as root. As it happens, mc is a complete environment which
allows amongst others to execute commands.


I see no bug here - I'm closing this as it's a fundamental feature of how
UNIX-like systems work.


Thijs



--- End Message ---
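
The point made in the reply above, turned into a check an administrator can run over sudoers rules. This is an added example, not part of the bug report and not code from sudo or mc. The program list uses the names mentioned in the thread, the sample sudoers lines are constructed, and the parser handles only simple one-line user specifications (no aliases or line continuations).

```python
import os
import re

# Programs the thread names as giving a shell when run via sudo.
# Starter list taken from the discussion above; extend it for your systems.
SHELL_CAPABLE = {"bash", "vim", "mc"}

# Constructed sample sudoers content (users and rules are made up).
SAMPLE_SUDOERS = """\
# user specifications
alice  ALL=(root) /usr/bin/mc
bob    ALL=(root) NOEXEC: /usr/bin/vim, /usr/sbin/service apache2 restart
carol  ALL=(ALL) ALL
dave   ALL=(root) /usr/bin/apt-get update
Defaults env_reset
"""

# user, host list, optional (runas), then the command list
SPEC = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def audit(text):
    """Return (user, command, noexec) for rules that hand over more than one task."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SPEC.match(line)
        if not m or line.startswith(SKIP):
            continue
        user, cmnd_list = m.groups()
        noexec = False  # tags carry over to later commands in the same list
        for item in cmnd_list.split(","):
            words = item.split()
            while words and words[0].endswith(":"):  # leading tags, e.g. NOEXEC:
                tag = words.pop(0)
                if tag in ("NOEXEC:", "EXEC:"):
                    noexec = tag == "NOEXEC:"
            if not words:
                continue
            prog = os.path.basename(words[0])
            if words[0] == "ALL" or prog in SHELL_CAPABLE:
                findings.append((user, words[0], noexec))
    return findings

if __name__ == "__main__":
    for user, cmd, noexec in audit(SAMPLE_SUDOERS):
        note = " (NOEXEC set)" if noexec else ""
        print(f"{user}: {cmd} can act as root beyond the intended task{note}")
```

NOEXEC only stops the program from executing further commands; an editor or file manager running as root can still write any file, so such rules stay in the findings with the flag set.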
