[Pkg-mc-devel] Bug#501303: sudo with mc provides root privileges to users
Mathieu RV
robin at tcstar.myftp.org
Mon Oct 6 12:25:41 UTC 2008
Package: mc
Version: 1:4.6.1-6
Severity: critical
Tags: security
Justification: root security hole
Hello,
When a user appearing in the sudoers file use the following command :
$sudo mc
Midnight Commander starts within a root shell.
Look at the bottom left of the mc screen : root at computer:~#
Also, 'whoami' reports 'root'.
Then the user as full access to the filesystem has the root user.
It occurs even if the sudoers file do not allow access to the /usr/bin/su command to the user.
I don't know if it is a feature, but it looks strange to me. I think that system administrators using sudo functionnalities should be aware of this
behaviour.
PS : This behaviour occurs also with Ubuntu 8.04 (Hardy), on a standard desktop installation.
Thanks.
Regards,
---
Mathieu RV
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Versions of packages mc depends on:
ii libc6 2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii libglib2.0-0 2.12.4-2 The GLib library of C routines
ii libgpmg1 1.19.6-25 General Purpose Mouse - shared lib
ii libslang2 2.0.6-4 The S-Lang programming library - r
mc recommends no packages.
-- no debconf information
More information about the Pkg-mc-devel
mailing list