sudo
Cy Schubert
Cy.Schubert at komquats.com
Sat Aug 12 22:16:45 UTC 2006
In message <44DD8D80.2060500 at wcborstel.com>, Jorn Argelo writes:
> Matt Schwartz wrote:
> > Hello list,
> >
> > I have noticed that since upgrading to FreeBSD 6 STABLE that sudo is
> > behaving funny. For example, sudo seems to be remembering passwords. So,
> > sudo seems not to be obeying its 5 minute password timeout. Has anyone else
> > experienced this? Even after logging off and back on again, I can use sudo
> > without it prompting me for a password. I know I am preaching to the choir
> > when I say this is dangerous. How can I remedy the behavior? I have even
> > placed the following line in my sudoers file and it had no effect:
> >
> > meschwartz ALL=(ALL) PASSWD: ALL
> >
> > Some insight would be helpful. If this is the wrong list, I apologize in
> > advance.
> >
> > Thanks,
> >
> > Matt
> >
> AFAIK it has always been that sudo still works if you log out and back
> in. But I never experienced that sudo doesn't obey the five minute
> timeout on passwords, and I'm running 6-STABLE on 3 machines.
>
> I just have this in my sudoers file, which doesn't give me any problems.
>
> %wheel ALL=(ALL) ALL
Sudo has always done this. The reason is that it touches a file that
corresponds to the tty (or pty) that it was invoked on. If you log out and
log back in again on the same tty, sudo will "remember" that you had used
it within the last five minutes. AFAIAC, this is a security issue. If someone
happens to crack your account, all they need to do is wait for you to log
out, quickly log into your account, hoping to get the same tty you had, and
use sudo's "memory" to obtain elevated privileges.
Solutions might be to have ptys assigned randomly, or to have the shell
issue a sudo -k at logout to remove your timestamp file. In bash and sh, all a
person needs to do is:
trap '/usr/local/bin/sudo -k' 0
This will remove your sudo privileges at logout.
--
Cheers,
Cy Schubert <Cy.Schubert at komquats.com>
Web: http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX: <cy at FreeBSD.org> Web: http://www.FreeBSD.org
BC Government: <Cy.Schubert at gov.bc.ca>
"Lift long enough and I believe arrogance is replaced by
humility and fear by courage and selfishness by generosity
and rudeness by compassion and caring."
-- Dave Draper
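The per-tty timestamp behaviour and the logout trap described in the reply above, as an added example that is not part of the original thread. It stands in for sudo's timestamp file with a plain file under a constructed temporary directory (the real sudo timestamp directory is not touched), so the difference between a session with and without the trap can be observed without sudo installed; all function and path names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: simulate sudo's per-tty timestamp with a plain file so the
# effect of `trap 'sudo -k' 0` at logout can be observed. Names are constructed.
TS_DIR="${TMPDIR:-/tmp}/sudo-ts-demo.$$"

# Stand-in for the timestamp sudo writes for the tty it was invoked on.
# $1 is the tty name, e.g. ttyv0 (constructed).
fake_sudo_auth() {
    mkdir -p "$TS_DIR"
    : > "$TS_DIR/$1"
}

# Stand-in for `sudo -k`: discard the timestamp for that tty.
fake_sudo_k() {
    rm -f "$TS_DIR/$1"
}

# A login session (subshell) without the trap: the timestamp outlives the
# shell, so the next login on the same tty inherits it. Returns 0 (true)
# when the timestamp persisted, i.e. the problem the poster describes.
session_without_trap() {
    ( fake_sudo_auth "$1"; exit 0 )
    [ -e "$TS_DIR/$1" ]
}

# The same session with the trap from the reply: the EXIT (0) trap runs
# fake_sudo_k when the shell exits. Returns 0 when the timestamp is gone.
session_with_trap() {
    ( trap 'fake_sudo_k "$1"' 0; fake_sudo_auth "$1"; exit 0 )
    [ ! -e "$TS_DIR/$1" ]
}

# Remove the demo directory once both sessions have been exercised.
cleanup_demo() {
    rm -rf "$TS_DIR"
}
```

For a real shell, the line from the reply (`trap '/usr/local/bin/sudo -k' 0`) belongs in the login shell's startup file so the trap is armed for every session.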