Potential Hack in sudo?
Gabriel Gunderson
gabe at gundy.org
Sun Apr 15 00:23:10 MDT 2007
On Sat, 2007-04-14 at 23:35 -0600, Steve wrote:
> Finally out of desperation I tried this,
>
> touch ~/.sudo_as_admin_successful
> sudo /bin/bash
> su root
> passwd "mynewpassword"
Are you sure you didn't just have something like:
"%somegroup ALL=NOPASSWD: ALL" in the sudoers file and the user also
happened to be in "somegroup"?
This will do anything with sudo and *not* prompt for a password. In
which case, one could simply do a `passwd root` and set/change root's
password as long as they were in the "somegroup".
Gabe
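
The check suggested in the reply above can be scripted. This is an added example, not part of the original thread: it reports which of a user's groups are granted NOPASSWD by a %group rule in a sudoers file. The function names, the sample file contents and the "ops" group are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# nopasswd_groups SUDOERS_FILE "group1 group2 ..."
# Prints each listed group that has a %group rule carrying the NOPASSWD tag.
# Assumption: %group entries sit in the first field, comma-separated without spaces.
nopasswd_groups() {
    awk -v groups="$2" '
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) member[g[i]] = 1 }
    {
        # Join sudoers continuation lines (trailing backslash).
        while (sub(/\\$/, "") && (getline nxt) > 0) $0 = $0 nxt
        # Only %group rules matter here; comment lines start with "#" and are skipped too.
        if ($1 !~ /^%/ || $0 !~ /NOPASSWD[ \t]*:/) next
        m = split($1, u, ",")
        for (i = 1; i <= m; i++) {
            name = substr(u[i], 2)
            if (substr(u[i], 1, 1) == "%" && (name in member)) print name
        }
    }' "$1"
}

# Constructed sample sudoers content (not a real system's file).
sample_sudoers() {
    cat <<'EOF'
# constructed sample
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
%somegroup ALL=NOPASSWD: ALL
%ops ALL=(ALL) \
    NOPASSWD: /usr/bin/systemctl
EOF
}

tmp=$(mktemp)
sample_sudoers > "$tmp"
# On a real host (needs read access to the file):
#   nopasswd_groups /etc/sudoers "$(id -Gn steve)"
nopasswd_groups "$tmp" "steve somegroup ops"
rm -f "$tmp"
```

Files pulled in through include directives have to be checked the same way, and `sudo -l -U <user>` run as root shows the rules sudo itself resolves for that user.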