3 Sep 2019, 4:36 p.m.
On September 3, 2019 11:35, Jelle van der Waa wrote:
Thanks to anthraxx, we now restrict the PATH which `sudo extra-x86_64-build` and other sudoers-specific infra uses, using restrict_path. This is to circumvent users overriding their own PATH with tools which are used in our build scripts, which basically allows privilege escalation. [1]
This shouldn't cause any issues; if it does, contact me or anthraxx.
[1] https://git.archlinux.org/infrastructure.git/commit/?id=1eb1dd41f8c734380a38...
Thanks guys. Step by step we're hardening our roles. Next step, separate /usr mounted with nosuid. Next, next step, restricting sudoers even further.

Cheers,
Giancarlo Razzolini