[213] in linux-security and linux-alert archive
Re: SUDO bug
daemon@ATHENA.MIT.EDU (Baba Z Buehler)
Wed Apr 19 14:29:30 1995
Reply-To: Baba Z Buehler <baba@beckman.uiuc.edu>
From: Baba Z Buehler <baba@beckman.uiuc.edu>
To: Paul Makeev <mac@lulu.RoSprint.net>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: Your message of "Tue, 18 Apr 1995 18:42:46 +0400."
<Pine.LNX.3.91.950418183742.1220A-100000@lulu.RoSprint.net>
Date: Tue, 18 Apr 1995 23:21:03 -0500
Paul Makeev <mac@lulu.RoSprint.net> writes:
> I'm using sudo v1.1, and have detected a strange thing: when a user
> has just entered his password at the sudo prompt, he is able to make other
> sudo's w/o entering the password. It is ok. But if the user logs off
> and logs in again within a short time, sudo still doesn't ask for the password.
>
this isn't a bug, it's a feature. :-) ... it is described in the sudo docs,
sudo has a "time limit" that a user can make repeated sudo's in without
having to re-enter his/her password. this "time limit" is specified at
compile time (i believe it is 5 minutes).

sudo touch-es a file (/tmp/.odus/username) and uses the timestamp on that file
to determine if the user can make another sudo call without entering his/her
password. since sudo is only comparing the timestamp to the current time,
it doesn't matter if the user logs out and logs back in.

/tmp/.odus is mode 700, owned by root, as are the files in it. i imagine
this could be a security problem if you were nfs-exporting /tmp (but why
would you do that?)

for us here, the convenience of sudo (and the ability to let people do some
root things without giving them full root) outweighs its security risks
(which are minor)... I've also recompiled sudo so that the timeout is 2
minutes instead of 5.

if someone can think of a large security problem with the way sudo operates,
i'd like to hear it.
--
# Baba Z Buehler - 'Hackito Ergo Sum'
# Beckman Institute Systems Services, Urbana Illinois
#
# Quidquid latine dictum sit, altum viditur.
#
# WWW: http://www.beckman.uiuc.edu/groups/biss/people/baba/
# PGP public key on WWW homepage and key servers (key id: C13D8EE1)
[mod: the main reason I approved the original post was that this feature is
so strange that it might be good to call it to people's attention. --okir]
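
The timestamp check described in the message above, as an added example (not part of the original post and not sudo's source): `ticket_valid` compares only the ticket file's mtime to the current time, which is why logging out and back in changes nothing, while `ticket_valid_session` is a hypothetical hardening that also records a session id in the ticket. The 5-minute limit is the value the post recalls; the `/tmp/odus-demo-<pid>` directory, the function names and the session ids 100 and 200 are constructed for the demonstration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>

#define TIMEOUT_SECS (5 * 60)   /* the compile-time limit the post recalls */

/* The check as the post describes it: only the ticket's mtime vs. now. */
int ticket_valid(const char *path, time_t now) {
    struct stat st;
    if (stat(path, &st) != 0) return 0;          /* no ticket: prompt */
    return now - st.st_mtime < TIMEOUT_SECS;
}

/* Hypothetical hardening: the ticket must also name the caller's session. */
int ticket_valid_session(const char *path, time_t now, pid_t sid) {
    long recorded = -1;
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    if (fscanf(f, "%ld", &recorded) != 1) recorded = -1;
    fclose(f);
    return recorded == (long)sid && ticket_valid(path, now);
}

/* Constructed scenario: a ticket written age_secs ago by session ticket_sid
   is checked from session caller_sid. Returns 1 if no password is needed. */
int scenario(long age_secs, pid_t ticket_sid, pid_t caller_sid, int bound) {
    char dir[64], path[96];
    time_t now = time(NULL);
    struct utimbuf t = { now - age_secs, now - age_secs };
    int ok = -1;
    snprintf(dir, sizeof dir, "/tmp/odus-demo-%ld", (long)getpid());
    snprintf(path, sizeof path, "%s/username", dir);
    if (mkdir(dir, 0700) != 0) return -1;        /* same mode as /tmp/.odus */
    FILE *f = fopen(path, "w");
    if (f) {
        fprintf(f, "%ld\n", (long)ticket_sid);   /* session id kept in ticket */
        fclose(f);
        if (utime(path, &t) == 0)                /* backdate the ticket */
            ok = bound ? ticket_valid_session(path, now, caller_sid)
                       : ticket_valid(path, now);
    }
    unlink(path); rmdir(dir);
    return ok;
}

int main(void) {
    printf("re-login, mtime only: %d; re-login, session-bound: %d\n",
           scenario(60, 100, 200, 0), scenario(60, 100, 200, 1));
    return 0;
}
```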