blob: 6979ab41b61cefdae9f7726c205ab74a2d009536 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
<define-tag description>LTS security update</define-tag>
<define-tag moreinfo>
<p>When sudo is configured to allow a user to edit files under a
directory that they can already write to without using sudo, they can
actually edit (read and write) arbitrary files. Daniel Svartman
reported that a configuration like this might be introduced
unintentionally if the editable files are specified using wildcards,
for example:</p>
<pre>
operator ALL=(root) sudoedit /home/*/*/test.txt
</pre>
<p>The default behaviour of sudo has been changed so that it does not
allow editing of a file in a directory that the user can write to, or
that is reached by following a symlink in a directory that the user
can write to. These restrictions can be disabled, but this is
strongly discouraged.</p>
<p>For the oldoldstable distribution (squeeze), this has been fixed in
version 1.7.4p4-2.squeeze.6.</p>
<p>For the oldstable distribution (wheezy) and the stable distribution
(jessie), this will be fixed soon.</p>
</define-tag>
# do not modify the following line
#include "$(ENGLISHDIR)/lts/security/2016/dla-382.data"
# $Id$
|
