[981] in linux-security and linux-alert archive
[linux-security] Re: SUDO problems
daemon@ATHENA.MIT.EDU (Wichert Akkerman)
Tue Jul 30 05:06:18 1996
From: wakkerma@wi.leidenuniv.nl (Wichert Akkerman)
To: blue@buttercup.cybernex.net
Date: Mon, 29 Jul 1996 14:45:49 +0200 (MDT)
Cc: linux-security@tarsier.cv.nrao.edu
Blue <blue@buttercup.cybernex.net> Wrote:
> A bit of usage has shown me a possible security hole with SUDO. SUDO
> allows multiple uses within a certain time period without reentering your
> password to ensure that you are who you say. This is a feature.
> However, if there is another terminal logged in, or logs in, during that
> period, they can use SUDO without entering a passwd. SUDO asks for a
> password to ensure that an unattended terminal isn't used to run programs
> with root, and this allows that to be circumvented.
New versions of sudo fixed this: they have a compile-time option to check
the tty the user is using as well as the account name. You still can't
leave your terminal unattended though (which is never wise since physical
access is total access).
Grtz,
Wichert.
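
Added example, not part of the original message and not sudo's own code: in later sudo releases the per-tty check described above can also be set in sudoers, and this Python script flags Defaults entries that let a cached authentication be reused across terminals or for longer than intended. The option names tty_tickets, timestamp_type and timestamp_timeout are taken from later sudoers documentation rather than from this post; the sample file and the 5-minute threshold are constructed assumptions.

```python
import re

# Constructed sudoers excerpt for the example; not taken from the post.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
Defaults !tty_tickets
Defaults:alice timestamp_timeout=30
Defaults timestamp_type=global
%wheel ALL=(ALL) ALL
"""

def audit_ticket_scope(text, max_minutes=5.0):
    """Return (line_no, setting, finding) tuples for Defaults entries that
    let a cached sudo authentication be reused more widely or for longer.
    max_minutes is an assumed policy threshold, not a value from the post.
    Simplified parser: no line continuations, no quoted commas or '#'."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"Defaults\S*\s+(.+)", line)    # Defaults, Defaults:user, ...
        if not m:
            continue
        for item in m.group(1).split(","):
            name, _, value = (p.strip().strip('"') for p in item.partition("="))
            if name == "!tty_tickets":
                findings.append((no, item.strip(), "ticket not tied to the tty"))
            elif name == "timestamp_type" and value == "global":
                findings.append((no, item.strip(), "one ticket for all terminals"))
            elif name == "timestamp_timeout":
                try:
                    minutes = float(value)
                except ValueError:
                    findings.append((no, item.strip(), "unparseable timeout"))
                    continue
                if minutes < 0:
                    findings.append((no, item.strip(), "ticket never expires"))
                elif minutes > max_minutes:
                    findings.append((no, item.strip(), "timeout above policy"))
    return findings

if __name__ == "__main__":
    for no, setting, finding in audit_ticket_scope(SAMPLE_SUDOERS):
        print(f"line {no}: {setting}: {finding}")
```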