program can get root permission in sudo time

Bug #377244 reported by Корбанов Динар on 2009-05-16
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu
Undecided
Unassigned
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. This is not a bug, but rather expected behavior:
https://wiki.ubuntu.com/SecurityTeam/FAQ#Sudo

Please feel free to report any other bugs you may find.

security vulnerability: yes → no
visibility: private → public
Changed in ubuntu:
status: New → Invalid

then design/behavior itself is bug, or with other words, decision that this is not bug is buggy. and, if this bug cannot be fixed, at least you should fix documentation, warn that if user uses many scripts and programs which content he cannot check, and time-to-time he runs sudo command, then any of that programs has ability to gain root privilegy that mean it can change all system.

i wanted to say it can change whole system. my english is bad. and i meant if he runs many programs that he cannot check and which he cannot trust.

as i know and understand sudo session can be killed, and something like "channel" of sending commands, called pts0 or pts1 etc can be gained, and sudo session will be still not closed in it. is not it possible to make that it closes that session before it is killed?

and as i know su command that is used instead of sudo in linux distributions like fedora does not have this disadvantage. is it so? maybe because when pts or something is killed su session is closed..

and if su does not have that disadvantage, you also should fix documentation, i mean the explanation of sudo somewhere that said that sudo is more secure than su and/or root session.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers