Reco writes:
> Hi.
>
> On Sat, 2 Nov 2013 11:46:48 -0500
> "Cybe R. Wizard" wrote:
>> > How about this bug:
>> >
>> > http://www.sudo.ws/sudo/alerts/sudo_debug.html
>> >
>> > Impact: Successful exploitation of the bug will allow a user to run
>> > arbitrary commands as root.
>> >
>> > Exp
Curt writes:
> On 2013-11-02, Joe Pfeiffer wrote:
>>> Again -- isn't "basically equivalent to giving everyone uid=0." Permits
>>> someone who *has* sudo access to avoid retyping a password.
>>>
>>> Not only that. Permits someone who already has sudo access to continue
>>> having such ac
On Thu, Oct 31, 2013 at 09:35:16PM +, Curt wrote:
> On 2013-10-31, Chris Bannister wrote:
> >
> > So you could shoot kids in Halloween costumes for illegally being on
> > your property?
>
> Only if they've been through your underwear (_very_
> puritanical country).
If it was Halloween, it wo
Hi.
On Sat, 2 Nov 2013 11:46:48 -0500
"Cybe R. Wizard" wrote:
> > How about this bug:
> >
> > http://www.sudo.ws/sudo/alerts/sudo_debug.html
> >
> > Impact: Successful exploitation of the bug will allow a user to run
> > arbitrary commands as root.
> >
> > Exploitation of the bug does not
On 2013-11-02, Cybe R. Wizard wrote:
>> http://www.sudo.ws/sudo/alerts/sudo_debug.html
>>
>> Impact: Successful exploitation of the bug will allow a user to run
>> arbitrary commands as root.
>>
>> Exploitation of the bug does not require that the attacker be listed
>> in the sudoers file. As
On Sat, 2 Nov 2013 15:34:13 + (UTC)
Curt wrote:
> On 2013-11-02, Joe Pfeiffer wrote:
> >>>
> >>> Again -- isn't "basically equivalent to giving everyone uid=0."
> >>> Permits someone who *has* sudo access to avoid retyping a
> >>> password.
> >>
> >> Not only that. Permits someone who alrea
On 2013-11-02, Joe Pfeiffer wrote:
>>>
>>> Again -- isn't "basically equivalent to giving everyone uid=0." Permits
>>> someone who *has* sudo access to avoid retyping a password.
>>
>> Not only that. Permits someone who already has sudo access to continue
>> having such access indefinitely, igno
Reco writes:
> On Mon, Oct 28, 2013 at 10:19:43AM -0600, Joe Pfeiffer wrote:
>> Reco writes:
>> >> You also have to add to the picture such a vulnerability, and I haven't
>> >> noticed any.
>> >
>> > If we're speaking of public vulnerabilities:
>> >
>> > CVE-2010-0427.
>>
>> Does not permit use
On Thu, Oct 31, 2013 at 4:33 PM, Bob Proulx wrote:
> What would any of us do if confronted by a burglar
> in the middle of the night while we were home and woken up from a
> sound sleep? Certainly a terrifying situation. Calm thinking does
> not happen at such times.
>
Agreed. Even the Bible
On 2013-10-31, Thierry Chatelet wrote:
> On Thursday 31 October 2013 15:33:25 Bob Proulx wrote:
>> Note that I didn't say that I *would* shoot them dead.
>
> Maybe shoot them just injured? /Smilet/
> Thierry
>
Right, he would've just blown their kneecaps out so they couldn't run
away while he h
On Thursday 31 October 2013 15:33:25 Bob Proulx wrote:
> Note that I didn't say that I *would* shoot them dead.
Maybe shoot them just injured? /Smilet/
Thierry
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.d
Doug writes:
> In many (most?) states, you are only justified in using deadly force
> if you are threatened with bodily harm to yourself or your family.
If you wake up in the middle of the night, see a stranger searching your
dresser, and shoot him, you will almost certainly succeed in convincing
On 10/31/2013 05:02 PM, John Hasler wrote:
> Chris Bannister writes:
>> So you could shoot kids in Halloween costumes for illegally being on
>> your property?
>
> If you catch them in your bedroom rifling through your underwear,
> maybe. There is no state in the union where the mere fact that som
On 2013-10-31, Chris Bannister wrote:
>
> So you could shoot kids in Halloween costumes for illegally being on
> your property?
Only if they've been through your underwear (_very_
puritanical country).
Neal Murphy wrote:
> Chris Bannister wrote:
> > Bob Proulx wrote:
> > > Case 1: I find that someone in my family who lives in my house has
> > > rummaged through my underwear drawer. A violation of trust has
> > > occurred. I am unhappy and will talk with them and give them a harsh
> > > lecture.
Chris Bannister writes:
> So you could shoot kids in Halloween costumes for illegally being on
> your property?
If you catch them in your bedroom rifling through your underwear,
maybe. There is no state in the union where the mere fact that someone
was trespassing is a valid murder defense.
--
J
On Thursday, October 31, 2013 02:22:40 PM Chris Bannister wrote:
> On Mon, Oct 28, 2013 at 03:38:12PM -0600, Bob Proulx wrote:
> > Case 1: I find that someone in my family who lives in my house has
> > rummaged through my underwear drawer. A violation of trust has
> > occurred. I am unhappy and wi
On Mon, Oct 28, 2013 at 03:38:12PM -0600, Bob Proulx wrote:
> Case 1: I find that someone in my family who lives in my house has
> rummaged through my underwear drawer. A violation of trust has
> occurred. I am unhappy and will talk with them and give them a harsh
> lecture. This is not appropria
On Tue, Oct 29, 2013 at 1:17 AM, Bob Proulx wrote:
> Tom H wrote:
>>
>> The "standard" task installs both nfs-common and rpcbind.
>
> Aha! Apparently the ability to nfs mount in /etc/fstab is the root
> cause of the dependency chain that requires nfs-common and therefore
> portmapper. At a guess
On Mon, Oct 28, 2013 at 03:38:12PM -0600, Bob Proulx wrote:
> Reco wrote:
> > And what about the end result ('user will get root privs')?
>
> They are different users. A remote user could be anyone. A local
> user is someone who is already known and has an account on the system
> and who has an
Tom H wrote:
> The "standard" task installs both nfs-common and rpcbind.
Aha! Apparently the ability to nfs mount in /etc/fstab is the root
cause of the dependency chain that requires nfs-common and therefore
portmapper. At a guess.
Bob
Bob Proulx writes:
> I don't think rpcbind should be priority standard these days. I
> wonder if it would be possible to convince people that it should be
> demoted to installed only as a dependency instead. Or if it is needed
> to learn why it is still needed.
Standard consists of packages that
On Mon, Oct 28, 2013 at 7:14 PM, Bob Proulx wrote:
> Reco wrote:
>> Bob Proulx wrote:
>>>
>>> Is 'rpcbind' installed by default? I will need to look. I wonder why
>>> it would be there?
>>
>> Part of a NFS client, I guess. Package is not marked as an essential one,
>> though. Running a diskless
John Hasler wrote:
> Bob Proulx writes:
> > I just tried a minimum installation of Debian Wheezy in a VM and
> > rpcbind was not installed. Are you sure it is installed by default?
>
> Rpcbind is priority standard. It is neither "essential" nor
> "required". Thus whether it is installed by defa
Reco wrote:
> And what about the end result ('user will get root privs')?
They are different users. A remote user could be anyone. A local
user is someone who is already known and has an account on the system
and who has an established relationship and trust.
Case 1: I find that someone in my f
On Mon, Oct 28, 2013 at 01:14:33PM -0600, Bob Proulx wrote:
> Reco wrote:
> > Bob Proulx wrote:
> > > Is 'rpcbind' installed by default? I will need to look. I wonder why
> > > it would be there?
> >
> > Part of a NFS client, I guess. Package is not marked as an essential one,
> > though. Runnin
Bob Proulx writes:
> I just tried a minimum installation of Debian Wheezy in a VM and
> rpcbind was not installed. Are you sure it is installed by default?
Rpcbind is priority standard. It is neither "essential" nor
"required". Thus whether it is installed by default or not depends on
how you d
Reco wrote:
> Bob Proulx wrote:
> > Is 'rpcbind' installed by default? I will need to look. I wonder why
> > it would be there?
>
> Part of a NFS client, I guess. Package is not marked as an essential one,
> though. Running a diskless client over NFS would be a curious trick
> without NFS suppor
On Mon, Oct 28, 2013 at 10:19:43AM -0600, Joe Pfeiffer wrote:
> Reco writes:
> >> You also have to add to the picture such a vulnerability, and I haven't
> >> noticed any.
> >
> > If we're speaking of public vulnerabilities:
> >
> > CVE-2010-0427.
>
> Does not permit users outside of those in the
On Mon, Oct 28, 2013 at 11:45:03AM -0600, Bob Proulx wrote:
> Reco wrote:
> > Bob Proulx wrote:
> > > And one must be careful of throwing stones. For example Debian does
> > > not provide a firewall by default. And it is debatable if it needs
> > > one. Many people don't configure one. Many peo
Reco wrote:
> Bob Proulx wrote:
> > And one must be careful of throwing stones. For example Debian does
> > not provide a firewall by default. And it is debatable if it needs
> > one. Many people don't configure one. Many people do. It all
> > depends upon many things about the use case. I do
On Mon, Oct 28, 2013 at 1:51 PM, Reco wrote:
> On Mon, Oct 28, 2013 at 09:37:02AM -0400, Tom H wrote:
>> On Sun, Oct 27, 2013 at 3:31 AM, Reco wrote:
>>> On Sat, 26 Oct 2013 21:50:23 +
>>> Tom H wrote:
On Fri, Oct 25, 2013 at 9:16 PM, Reco wrote:
>
> Yes, but pfexec is not sudo
Reco writes:
> On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:
>> Reco writes:
>> > True, you need to add to the picture that curious user who just read on
>> > Bugtraq or Full Disclosure about fresh vulnerability in sudo. Or that
>> > disgruntled user who needs /etc/system changed
On Mon, Oct 28, 2013 at 03:56:32PM +0200, Lars Noodén wrote:
> On 10/28/2013 03:47 PM, Reco wrote:
> > On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:
> [snip]
> >> You also have to add to the picture such a vulnerability, and I haven't
> >> noticed any.
> >
> > If we're speaking of
On Sun, Oct 27, 2013 at 08:15:43PM -0600, Bob Proulx wrote:
> Reco wrote:
> > Oh. You mean that HP suddenly transformed to good fairies and stopped
> > charging extra for aCC? Or IBM received an encrypted signal from their
> > supervisors from Mars and did the same to vacc? And don't even mention
>
On 10/28/2013 03:47 PM, Reco wrote:
> On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:
[snip]
>> You also have to add to the picture such a vulnerability, and I haven't
>> noticed any.
>
> If we're speaking of public vulnerabilities:
>
> CVE-2010-0427.
> CVE-2013-1775 (allows bypass
On Mon, Oct 28, 2013 at 09:37:02AM -0400, Tom H wrote:
> On Sun, Oct 27, 2013 at 3:31 AM, Reco wrote:
> > On Sat, 26 Oct 2013 21:50:23 +
> > Tom H wrote:
> >> On Fri, Oct 25, 2013 at 9:16 PM, Reco wrote:
> >>>
> >>> Yes, but pfexec is not sudo. And privilege-aware Solaris shells are
> >>> de
On Sun, Oct 27, 2013 at 09:28:51PM -0600, Joe Pfeiffer wrote:
> Reco writes:
> > True, you need to add to the picture that curious user who just read on
> > Bugtraq or Full Disclosure about fresh vulnerability in sudo. Or that
> > disgruntled user who needs /etc/system changed right here and now.
On Sun, Oct 27, 2013 at 3:31 AM, Reco wrote:
> On Sat, 26 Oct 2013 21:50:23 +
> Tom H wrote:
>> On Fri, Oct 25, 2013 at 9:16 PM, Reco wrote:
>>>
>>> Yes, but pfexec is not sudo. And privilege-aware Solaris shells are
>>> definitely not sudo too.
>>
>> It might not be sudo but it's the same p
Reco writes:
> Tom H wrote:
>> On Fri, Oct 25, 2013 at 9:16 PM, Reco wrote:
>> >>> Considering that primary usage of sudo is to provide controlled
>> >>> privilege escalation to uid=0, using unsupported (therefore - not
>> >>> updated unless local sysadmins care about security) sudo on these OS
Reco wrote:
> Bob Proulx wrote:
> > Most of those systems ship very little by their vendors. I have used
> > them for many years and almost all of the software that you will use
> > on those systems will have been compiled and installed by the local
> > admin. IMNHO they are mainly a good solid b
Hi.
On Sat, 26 Oct 2013 21:50:23 +
Tom H wrote:
> On Fri, Oct 25, 2013 at 9:16 PM, Reco wrote:
>
>
> > Yes, but pfexec is not sudo. And privilege-aware Solaris shells are
> > definitely not sudo too.
>
> It might not be sudo but it's the same principle of privilege escalation.
>
> sudo
On Fri, Oct 25, 2013 at 9:16 PM, Reco wrote:
> On Fri, 25 Oct 2013 20:28:57 +
> Tom H wrote:
>> On Fri, Oct 25, 2013 at 7:41 PM, wrote:
>>> On Fri, 25 Oct 2013 12:31:55 -0600
>>> Bob Proulx wrote:
>>>> Sudo has been on
>>>> HP-UX, SunOS, Solaris, IBM AIX and others for many years. It is
On Fri, 25 Oct 2013 23:17:06 +0200
Ralf Mardorf wrote:
> On Sat, 2013-10-26 at 01:07 +0400, Reco wrote:
> > Passwords stored in plain text files in a recycle bin (or on a sheet
> > of paper under the keyboard).
>
> Female sysadmins wearing slips of paper on the forehead with
> passphrases: http
On Sat, 2013-10-26 at 01:34 +0400, Reco wrote:
> Please tell that to that Lennart Poettering guy who invented his own
> RealTimeGizmo for his beloved PulseAudio ;)
Ok, now I'm able to resist. I love to be marxbrotherish, but with
respect to the list, I try to fake, that I don't know who this girl
On Fri, 25 Oct 2013 22:10:35 +0200
Ralf Mardorf wrote:
> In the past I was against sudo, but nowadays I set up a root account
> (su) and sudo for my Linux and if I use Ubuntu I usually keep it as is,
> IOW just sudo, no root account. Security doesn't suffer from sudo, OTOH
> "ich bin schmerzfrei"
On Sat, 2013-10-26 at 01:07 +0400, Reco wrote:
> Passwords stored in plain text files in a recycle bin (or on a sheet
> of paper under the keyboard).
Female sysadmins wearing slips of paper on the forehead with
passphrases: http://www.kingmatz.com/Bilder%202007/2009/mk/RIMG0206.JPG
On Fri, 25 Oct 2013 20:28:57 +
Tom H wrote:
> On Fri, Oct 25, 2013 at 7:41 PM, wrote:
> > On Fri, 25 Oct 2013 12:31:55 -0600
> > Bob Proulx wrote:
>
>
> >> Sudo has been on
> >> HP-UX, SunOS, Solaris, IBM AIX and others for many years. It isn't
> >> anything new. It is a good worthy to
On Fri, 25 Oct 2013 14:21:37 -0600
Bob Proulx wrote:
> recovery...@gmail.com wrote:
> > Bob Proulx wrote:
> > This is not entirely correct. Sudo is considered third-party software
> > in HP-UX (HP merely builds it and doesn't install by default), AIX (not
> > provided by IBM and therefore not sup
On Fri, Oct 25, 2013 at 7:41 PM, wrote:
> On Fri, 25 Oct 2013 12:31:55 -0600
> Bob Proulx wrote:
>> Sudo has been on
>> HP-UX, SunOS, Solaris, IBM AIX and others for many years. It isn't
>> anything new. It is a good worthy tool.
>
> This is not entirely correct. Sudo is considered third-par
recovery...@gmail.com wrote:
> Bob Proulx wrote:
> > Sudo has been on HP-UX, SunOS, Solaris, IBM AIX and others for
> > many years. It isn't anything new. It is a good worthy tool.
>
> This is not entirely correct. Sudo is considered third-party software
> in HP-UX (HP merely builds it and doesn
This seems to be an unintended initiated thread by me :D.
In the past I was against sudo, but nowadays I set up a root account
(su) and sudo for my Linux and if I use Ubuntu I usually keep it as is,
IOW just sudo, no root account. Security doesn't suffer from sudo, OTOH
"ich bin schmerzfrei" as we
Hi.
On Fri, 25 Oct 2013 12:31:55 -0600
Bob Proulx wrote:
> Sudo has been on
> HP-UX, SunOS, Solaris, IBM AIX and others for many years. It isn't
> anything new. It is a good worthy tool.
This is not entirely correct. Sudo is considered third-party software
in HP-UX (HP merely builds it and d