> When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

sudo.ws/alerts/minus_1_uid.htm
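
A defender-side check for the condition the quoted advisory describes, as an added example that is not part of the thread or of sudo itself: it lists sudoers rules whose Runas user list contains ALL. The sample entries are constructed, the function names are hypothetical, and aliases and include files are assumed not to need expansion.

```python
import re

# Constructed sample sudoers content (not taken from the thread).
SAMPLE_SUDOERS = """\
# constructed example entries
Defaults env_reset
alice   ALL = (ALL, !root) /usr/bin/vi
bob     ALL = (www-data) /usr/bin/systemctl restart nginx
%admin  ALL = (ALL:ALL) ALL
carol   ALL = /usr/bin/id
dave    ALL = (operator) /bin/ls : ALL = (ALL) \\
        /usr/bin/less
"""

RUNAS_SPEC = re.compile(r"\(([^)]*)\)")  # "(users[:groups])"


def logical_lines(text):
    """Join backslash-continued lines; skip blanks, comments, Defaults, aliases."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.strip()
        if not line or line.startswith("Defaults"):
            continue
        # "#1000 ..." is a rule for a numeric UID; any other "#..." is skipped.
        if line.startswith("#") and not line[1:2].isdigit():
            continue
        if line.split()[0].endswith("_Alias"):
            continue
        yield line


def runas_all_entries(text):
    """Return (who, runas_users, excludes_root) for rules whose Runas user list has ALL."""
    findings = []
    for line in logical_lines(text):
        who = line.split()[0]
        for spec in RUNAS_SPEC.findall(line):
            users = [u.strip() for u in spec.split(":", 1)[0].split(",") if u.strip()]
            if "ALL" in users:
                # A "!root" / "!#0" exclusion is the restriction that a -1 or
                # 4294967295 user ID would sidestep on an unpatched sudo.
                excludes_root = any(u in ("!root", "!#0") for u in users)
                findings.append((who, users, excludes_root))
    return findings


if __name__ == "__main__":
    for who, users, excludes_root in runas_all_entries(SAMPLE_SUDOERS):
        note = "root excluded by name only" if excludes_root else "root already allowed"
        print(f"{who}: Runas users {users} ({note})")
```

Rules reported with the root exclusion set are the ones to review first, since that exclusion is the only thing separating the listed user from root.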

@dethos
Meanwhile in #Debian (year 2018)

> > kde-cli-tools 4:5.12.4-1 has a hard dependency on kdesu, which indirectly depends on sudo, making it impossible to upgrade KDE without creating a serious, unnecessary security risk.

> We clearly disagree on considering sudo a security concern. At least, not from the kde packaging point of view. I'm downgrading the severity value to wishlist.

bugs.debian.org/cgi-bin/bugrep

:blobcatgiggle:

@tennoseremel but this one they addressed it pretty quickly:

debian.org/security/2019/dsa-4

Stretch and Buster already have fixes available.

@dethos They did, but nonetheless *it was* a security issue after all. Too bad nothing will likely change as a result.
