Date: Sat, 12 Aug 2006 15:16:40 -0700
From: Cy Schubert <Cy.Schubert@komquats.com>
To: Jorn Argelo <jorn@wcborstel.com>
Cc: freebsd-stable@freebsd.org, Matt Schwartz <mes5048@verizon.net>
Subject: Re: sudo
Message-ID: <200608122216.k7CMGexD050591@cwsys.cwsent.com>
In-Reply-To: Message from Jorn Argelo <jorn@wcborstel.com> of "Sat, 12 Aug 2006 10:12:48 +0200." <44DD8D80.2060500@wcborstel.com>
In message <44DD8D80.2060500@wcborstel.com>, Jorn Argelo writes:
> Matt Schwartz wrote:
> > Hello list,
> >
> > I have noticed that since upgrading to FreeBSD 6 STABLE, sudo is
> > behaving funny. For example, sudo seems to be remembering passwords. So,
> > sudo seems not to be obeying its 5 minute password timeout. Has anyone else
> > experienced this? Even after logging off and back on again, I can use sudo
> > without it prompting me for a password. I know I am preaching to the choir
> > when I say this is dangerous. How can I remedy the behavior? I have even
> > placed the following line in my sudoers file and it had no effect:
> >
> > meschwartz ALL=(ALL) PASSWD: ALL
> >
> > Some insight would be helpful. If this is the wrong list, I apologize in
> > advance.
> >
> > Thanks,
> > Matt
> >
> > _______________________________________________
> > freebsd-stable@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>
> AFAIK it has always been that sudo still works if you log out and back
> in. But I never experienced that sudo doesn't obey the five minute
> timeout on passwords, and I'm running 6-STABLE on 3 machines.
>
> I just have this in my sudoers file, which doesn't give me any problems.
>
> %wheel ALL=(ALL) ALL

Sudo has always done this. The reason is that it touches a file that
corresponds to the tty (or pty) that it was invoked on. If you log out and
log back in again on the same tty, sudo will "remember" that you used it
within the last five minutes.

AFAIAC, this is a security issue. If someone happens to crack your account,
all they need to do is wait for you to log out, quickly log into your
account, hoping to get the same tty you had, and use sudo's "memory" to
obtain elevated privileges.

Solutions might be to have ptys assigned randomly or, at logout, have the
shell issue a sudo -k to remove your timestamp file. In bash and sh all a
person needs to do is:

    trap '/usr/local/bin/sudo -k' 0

This will remove your sudo privileges at logout.

-- 
Cheers,
Cy Schubert <Cy.Schubert@komquats.com>
Web: http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX: <cy@FreeBSD.org> Web: http://www.FreeBSD.org
BC Government: <Cy.Schubert@gov.bc.ca>

"Lift long enough and I believe arrogance is replaced by humility and fear
by courage and selfishness by generosity and rudeness by compassion and
caring." -- Dave Draper
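The trap-at-logout workaround from the message above, as an added, runnable example (not part of the original e-mail thread): it prints the exact line to put in a login profile and then proves that an EXIT trap (signal 0) really runs when the shell ends. Because the verifier has neither sudo nor a tty, the demonstration substitutes a marker-file write for "sudo -k" and uses a child "sh -c" as a stand-in for the login shell; the marker path under ${TMPDIR:-/tmp} is an assumption of this example, and the /usr/local/bin/sudo path is the FreeBSD ports location the message used.

```shell
#!/bin/sh
# Added example (not from the original message): make the login shell drop
# the sudo timestamp on logout, and verify the trap actually fires.
#
# Background from the thread: sudo keeps a per-tty timestamp, so after one
# successful "sudo" further invocations on that tty within the timeout need
# no password, even from a later login on the same tty. "sudo -k"
# invalidates that timestamp.

# sudo_logout_trap_line: print the line to add to ~/.profile (sh) or
# ~/.bashrc (bash). Signal 0 is the EXIT pseudo-signal: the command runs
# when the shell exits normally, including "exit", "logout" and Ctrl-D.
# $1: the command to run at exit; defaults to "sudo -k". The original mail
# used the FreeBSD ports path /usr/local/bin/sudo.
sudo_logout_trap_line() {
    printf "trap '%s' 0\n" "${1:-sudo -k}"
}

# simulate_logout: run a child shell that installs the trap with a stand-in
# command (write a marker file instead of calling sudo, so this runs without
# sudo or a tty), do some "work", then exit the way a logout does.
# Returns 0 if the trap ran, 1 if it did not.
simulate_logout() {
    marker="${TMPDIR:-/tmp}/sudo-k-fired.$$"   # assumed scratch path
    rm -f "$marker"
    # The child gets exactly the line a user would add to their profile,
    # with the marker write standing in for "sudo -k".
    sh -c "$(sudo_logout_trap_line "echo fired > $marker"); :; exit 0"
    if [ -f "$marker" ]; then
        rm -f "$marker"
        return 0
    fi
    return 1
}

# no_trap_means_no_cleanup: the control case. Without the trap nothing runs
# at exit, which is the situation the original poster was in.
# Returns 0 when, as expected, no marker appears.
no_trap_means_no_cleanup() {
    marker="${TMPDIR:-/tmp}/sudo-k-control.$$"   # assumed scratch path
    rm -f "$marker"
    sh -c ":; exit 0"
    if [ -f "$marker" ]; then
        rm -f "$marker"
        return 1
    fi
    return 0
}

# Stand-alone run: show the line to install, then show the trap firing.
sudo_logout_trap_line "/usr/local/bin/sudo -k"
if simulate_logout; then
    echo "EXIT trap ran at logout: the sudo timestamp would have been cleared"
else
    echo "EXIT trap did not run" >&2
    exit 1
fi
```

Two practical caveats for anyone adopting this: the trap only helps when the shell gets to exit normally, so a session that is killed outright leaves the timestamp in place, and the trap must be set in the shell that owns the session (a login profile), not in a subshell. If the goal is simply to be asked for a password every time, the documented sudoers setting "Defaults timestamp_timeout=0" achieves that without relying on the shell at all, and "sudo -K" removes the timestamp file entirely rather than merely invalidating it.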