November 22, 2004

sudoscript 2.1.2 Released

Only one day later than promised, sudoscript 2.1.2 has been released. This update fixes a moderately severe security bug as detailed below, and adds a nifty "ss -" feature, like "su -". Download it from the download page.

Posted by hbo at 09:12 PM

November 14, 2004

Sudoscript 2.1.2 beta 1 Released

This point release features a new "-" switch to ss (like "su -") and three bug fixes, one of which is a moderately severe security bug.

The security bug only bites if you are enabling non-root access with sudoscript. But if you are, any member of the ssers group can send a SIGHUP signal to any process. Although this release is labeled "beta," the changes are small. If you are in the class of users noted, you probably should upgrade right away. I'm going to leave the beta out there for just a week before going to an official release, assuming that no problems show up.

Longer term, I'm working on the session replay stuff, and thinking about rearchitecting the IPC mechanisms. This latter has been prompted by a bug report and patch from Conrad Link, among three he submitted, that pointed out the SIGHUP vulnerability. Conrad has some ideas on how to make the back-end more secure, which I'd like to mull over a bit before deciding how to proceed.

Posted by hbo at 05:19 PM