On Thu, Aug 12, 2021 at 01:19:23PM +, Holger Levsen wrote:
> On Thu, Aug 12, 2021 at 01:12:37AM -0500, Brian Thompson wrote:
> > Would you agree that there is an issue with sudo access that is enabled
> > by default on most Debian and Debian-based distributions? The bug may
> > not be in apt, b
Philipp Kern writes:
> You know that this is a bad idea (granting sudo to apt without a
> wrapper). I know that this is a bad idea. That was my point. Plus that
> this is a very common trope in multi-user settings that you want to hand
> out some privilege to install packages.
Right, but this is
On 2021-08-12 17:56, Marc Haber wrote:
On Thu, 12 Aug 2021 13:44:24 +0200, Philipp Kern
wrote:
On 2021-08-12 12:23, Polyna-Maude Racicot-Summerside wrote:
Now if people start doing stuff they don't master then it's not
privilege escalation but much more something like another
manifestation
o
On Thu, Aug 12, 2021 at 01:19:23PM +, Holger Levsen wrote:
> if those users are not trustworthy then the bug is giving them sudo,
> nothing else. (Debian does not give sudo to users by default. The default
> is to set a root password.)
>
> if you give someone a gun for hunting (animals) and th
On Thu, 12 Aug 2021 13:44:24 +0200, Philipp Kern
wrote:
>On 2021-08-12 12:23, Polyna-Maude Racicot-Summerside wrote:
>> Now if people start doing stuff they don't master then it's not
>> privilege escalation but much more something like another manifestation
>> of human stupidity. And this, there
On Thu, Aug 12, 2021 at 01:12:37AM -0500, Brian Thompson wrote:
> Would you agree that there is an issue with sudo access that is enabled
> by default on most Debian and Debian-based distributions? The bug may
> not be in apt, but it definitely lives somewhere.
if those users are not trustworthy t
> The focus of the article is "sudo access *only* to apt". When we talk
> about unrestricted sudo access it doesn't even make sense to talk about
> privilege escalation because unrestricted sudo is by design a privilege
> escalation.
Similarly, sudo access *only* to bash enables execution of loads
On Thu, Aug 12, 2021 at 08:35:42AM -0400, Kyle Edwards wrote:
> > > > I just ran across this article
> > > > https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
> > > > the attacks on Debian 11 and they work successfully giving me a root
> > > > shell prompt.
> > > I don't think
On 8/12/21 2:32 AM, Vincent Bernat wrote:
❦ 12 August 2021 10:39 +05, Andrey Rahmatullin:
I just ran across this article
https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
the attacks on Debian 11 and they work successfully giving me a root
shell prompt.
I don't think cal
On Thu, Aug 12, 2021 at 08:32:14AM +0200, Vincent Bernat wrote:
> ❦ 12 August 2021 10:39 +05, Andrey Rahmatullin:
> >> I just ran across this article
> >> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
> >> the attacks on Debian 11 and they work successfully giving me a roo
On 2021-08-12 12:23, Polyna-Maude Racicot-Summerside wrote:
Now if people start doing stuff they don't master then it's not
privilege escalation but much more something like another manifestation
of human stupidity. And this, there won't be a number of articles
sufficient to make people change.
[
Hi,
On 2021-08-12 2:25 a.m., Brian Thompson wrote:
> On Thu, 2021-08-12 at 11:19 +0500, Andrey Rahmatullin wrote:
>> On Thu, Aug 12, 2021 at 01:12:37AM -0500, Brian Thompson wrote:
>>> Would you agree that there is an issue with sudo access that is
>>> enabled
>>> by default on most Debian and Deb
On 2021-08-12 08:32, Vincent Bernat wrote:
❦ 12 August 2021 10:39 +05, Andrey Rahmatullin:
I just ran across this article
https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I
tested
the attacks on Debian 11 and they work successfully giving me a root
shell prompt.
I don't think cal
❦ 12 August 2021 10:31 +02, Ansgar:
>> I give myself passwordless sudo to "apt update" (without additional
>> options), "apt upgrade" (same), "apt full-upgrade" (same). I was
>> thinking this should be safe, but now I need to check if the pager is
>> properly restricted when displaying NEWS file
On Thu, 2021-08-12 at 08:32 +0200, Vincent Bernat wrote:
> I give myself passwordless sudo to "apt update" (without additional
> options), "apt upgrade" (same), "apt full-upgrade" (same). I was
> thinking this should be safe, but now I need to check if the pager is
> properly restricted when displ
❦ 12 August 2021 11:38 +05, Andrey Rahmatullin:
>> >> I just ran across this article
>> >> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
>> >> the attacks on Debian 11 and they work successfully giving me a root
>> >> shell prompt.
>> > I don't think calling this "privile
On Thu, Aug 12, 2021 at 01:25:06AM -0500, Brian Thompson wrote:
> On Thu, 2021-08-12 at 11:19 +0500, Andrey Rahmatullin wrote:
> > On Thu, Aug 12, 2021 at 01:12:37AM -0500, Brian Thompson wrote:
> > > Would you agree that there is an issue with
On Thu, Aug 12, 2021 at 08:32:14AM +0200, Vincent Bernat wrote:
> >> I just ran across this article
> >> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
> >> the attacks on Debian 11 and they work successfully giving me a root
> >> shell prompt.
> > I don't think calling this
❦ 12 August 2021 10:39 +05, Andrey Rahmatullin:
>> I just ran across this article
>> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
>> the attacks on Debian 11 and they work successfully giving me a root
>> shell prompt.
> I don't think calling this "privilege escalation"
On Thu, 2021-08-12 at 11:19 +0500, Andrey Rahmatullin wrote:
> On Thu, Aug 12, 2021 at 01:12:37AM -0500, Brian Thompson wrote:
> > Would you agree that there is an issue with sudo access that is
> > enabled
> > by default on most Debian and Debian-ba
On Thu, Aug 12, 2021 at 01:17:03AM -0500, Brian Thompson wrote:
> > > Thank you for bringing this to everyone's attention. These are very
> > > real
> > > vulnerabilities.
> > How are they vulnerabilities?
> They are vulnerabilities because the user is susceptible to this kind of
> attack by defaul
On Thu, Aug 12, 2021 at 01:12:37AM -0500, Brian Thompson wrote:
> Would you agree that there is an issue with sudo access that is enabled
> by default on most Debian and Debian-based distributions? The bug may
> not be in apt, but it definitely lives somewhere.
Do you think "sudo access" itself is
On Thu, 2021-08-12 at 10:44 +0500, Andrey Rahmatullin wrote:
> On Wed, Aug 11, 2021 at 10:55:44PM -0500, Brian Thompson wrote:
> > Thank you for bringing this to everyone's attention. These are very
> > real
> > vulnerabilities.
> How are they vulner
On Thu, 2021-08-12 at 07:38 +0200, Niels Thykier wrote:
> Timothy M Butterworth:
> > All,
> >
> > I just ran across this article
> > https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I
> > tested
> > the attacks on Debian 11 and they wor
On Wed, Aug 11, 2021 at 10:55:44PM -0500, Brian Thompson wrote:
> Thank you for bringing this to everyone's attention. These are very real
> vulnerabilities.
How are they vulnerabilities?
> NPM has similar issues with stopping malicious packages from being
> published to the FTP server.
That's no
On Wed, Aug 11, 2021 at 11:30:27PM -0400, Timothy M Butterworth wrote:
> I just ran across this article
> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
> the attacks on Debian 11 and they work successfully giving me a root
> shell prompt.
I don't think calling this "privile
Timothy M Butterworth:
> All,
>
> I just ran across this article
> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
> the attacks on Debian 11 and they work successfully giving me a root
> shell prompt.
>
> Tim
>
Hi Tim,
All of the attacks presented assume that the local
On Wed, 2021-08-11 at 23:30 -0400, Timothy M Butterworth wrote:
> All,
>
> I just ran across this article
> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
> the attacks on Debian 11 and they work successfully giving me a root