[902] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] SUDO problems

daemon@ATHENA.MIT.EDU (Blue)
Fri Jul 12 11:40:38 1996

From: Blue <blue@buttercup.cybernex.net>
To: linux-security@tarsier.cv.nrao.edu
Date: Thu, 11 Jul 1996 14:44:05 -0400 (EDT)

Howdy folks,

Thanks for all the advice on hacking passwd for SUDO use - final result I 
hacked passwd so that it won't work on UIDs under 400.

A bit of usage has shown me a possible security hole with SUDO.  SUDO 
allows multiple uses within a certain time period without reentering your 
password to ensure that you are who you say.  This is a feature.

However, if there is another terminal logged in, or logs in, during that 
period, they can use SUDO without entering a passwd.  SUDO asks for a 
password to ensure that an unattended terminal isn't used to run programs 
with root, and this allows that to be circumvented.

People can even log off, log back in, and still be able to SUDO if under 
the time limit.

As a temporay measure I'm reducing the time limit, but does anyone know 
of a patch or the like to prevent this from happening, perhaps something 
that also identifies the tty?

   Jim Carstensen
blue@cybernex.net

home help back first fref pref prev next nref lref last post