[981] in linux-security and linux-alert archive


[linux-security] Re: SUDO problems

daemon@ATHENA.MIT.EDU (Wichert Akkerman)
Tue Jul 30 05:06:18 1996

From: wakkerma@wi.leidenuniv.nl (Wichert Akkerman)
To: blue@buttercup.cybernex.net
Date: Mon, 29 Jul 1996 14:45:49 +0200 (MDT)
Cc: linux-security@tarsier.cv.nrao.edu


Blue <blue@buttercup.cybernex.net> Wrote:
> A bit of usage has shown me a possible security hole with SUDO.  SUDO 
> allows multiple uses within a certain time period without reentering your 
> password to ensure that you are who you say.  This is a feature.

> However, if there is another terminal logged in, or logs in, during that 
> period, they can use SUDO without entering a passwd.  SUDO asks for a 
> password to ensure that an unattended terminal isn't used to run programs 
> with root, and this allows that to be circumvented.

New versions of sudo fixed this: they have a compile-time option to check
the tty the user is using as well as the account name. You still can't
leave your terminal unattended though (which is never wise since physical
access is total access).

Grtz,
  Wichert.
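
Added example, not part of the original message and not sudo's own code: a toy model of the timestamp check discussed above, showing how a ticket keyed on the account name alone carries over to a second terminal, while one keyed on account name plus tty does not. The class and function names, the 5-minute timeout and the sample terminals are assumptions made for illustration.

```python
# Toy model of a sudo-style timestamp "ticket" check (illustrative only).
# All names, the timeout and the sample ttys are constructed assumptions.
from dataclasses import dataclass, field

TIMEOUT = 5 * 60  # assumed grace period, in seconds


@dataclass
class TicketStore:
    per_tty: bool  # False: key on account only; True: key on account + tty
    tickets: dict = field(default_factory=dict)

    def _key(self, user, tty):
        return (user, tty) if self.per_tty else (user,)

    def authenticate(self, user, tty, now):
        """Record a successful password entry at time `now`."""
        self.tickets[self._key(user, tty)] = now

    def needs_password(self, user, tty, now):
        """Return True if a password prompt is required before running."""
        stamp = self.tickets.get(self._key(user, tty))
        if stamp is None or now < stamp:  # no ticket, or ticket from the future
            return True
        return now - stamp > TIMEOUT


def second_terminal_prompted(per_tty):
    """Account authenticates on ttyp1; 60 s later it runs sudo on ttyp2."""
    store = TicketStore(per_tty=per_tty)
    store.authenticate("blue", "ttyp1", now=1000)
    return store.needs_password("blue", "ttyp2", now=1060)


def same_terminal_prompted(per_tty, elapsed):
    """Account authenticates on ttyp1 and reuses ttyp1 `elapsed` seconds later."""
    store = TicketStore(per_tty=per_tty)
    store.authenticate("blue", "ttyp1", now=1000)
    return store.needs_password("blue", "ttyp1", now=1000 + elapsed)


if __name__ == "__main__":
    print("account-only ticket, 2nd tty prompted:", second_terminal_prompted(False))
    print("account+tty ticket,  2nd tty prompted:", second_terminal_prompted(True))
```

In both modes the original terminal stays unprompted until the timeout expires, which is the unattended-terminal exposure the reply says remains.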
