From: JF Mezei on 27 Nov 2009 08:04

If, from "terminal" on the GUI, I do "sudo ls /etc" and enter my password,

I can then log in on the serial port (or via telnet) to create a totally new session (while the first one is still present) and issue a sudo command without being prompted for a password. Those would be 2 totally separate processes, yet they seem to share the "active" status of a sudo command.
From: David Empson on 27 Nov 2009 08:49

JF Mezei <jfmezei.spamnot(a)vaxination.ca> wrote:

> If, from "terminal" on the GUI, I do "sudo ls /etc" and enter my password,
>
> I can then login on the serial port (or via telnet) to create a
> totally new session (while first one is still present) and issue a sudo
> command without being prompted for password. Those would be 2 totally
> separate processes, yet, they seem to share the "active" status of a
> sudo command.

sudo doesn't require entry of the password again if the SAME user does another sudo command within five minutes. It doesn't matter which terminal/process the user is using. You don't even need another connection method to demonstrate this: two Terminal windows are a functional equivalent.

Try it again while logging in as a different user via telnet.

I don't see a problem. If someone else connects via ssh/telnet and knows my password to connect in the first place, I have bigger problems than them not being prompted for the same password again to use sudo just because I happened to use it recently.

--
David Empson
dempson(a)actrix.gen.nz
From: Barry Margolin on 27 Nov 2009 08:58

In article <008b9df9$0$17141$c3e8da3(a)news.astraweb.com>, JF Mezei <jfmezei.spamnot(a)vaxination.ca> wrote:

> If, from "terminal" on the GUI, I do "sudo ls /etc" and enter my password,
>
> I can then login on the serial port (or via telnet) to create a
> totally new session (while first one is still present) and issue a sudo
> command without being prompted for password. Those would be 2 totally
> separate processes, yet, they seem to share the "active" status of a
> sudo command.

Every use of sudo is a separate process. The saved status is set by user, in the /var/db/sudo directory.

--
Barry Margolin, barmar(a)alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
From: Tom Stiller on 27 Nov 2009 09:06

In article <008b9df9$0$17141$c3e8da3(a)news.astraweb.com>, JF Mezei <jfmezei.spamnot(a)vaxination.ca> wrote:

> If, from "terminal" on the GUI, I do "sudo ls /etc" and enter my password,
>
> I can then login on the serial port (or via telnet) to create a
> totally new session (while first one is still present) and issue a sudo
> command without being prompted for password. Those would be 2 totally
> separate processes, yet, they seem to share the "active" status of a
> sudo command.

If you change (using visudo) the "Defaults:ALL timestamp_timeout" to 0, a password will be required for _every_ sudo. This prevents any script or other command sequence from coat-tailing a legitimate sudo.

--
Tom Stiller
PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF
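As an added example that is not from any poster in this thread, the sudoers fragment below puts the five-minute shared timestamp described above beside the timestamp_timeout=0 setting Tom suggests. The tty_tickets option is an assumption beyond the thread: it is a standard sudoers option that scopes the cached authentication to the terminal it was entered on, which is the behaviour the original post expected.

```sudoers
# Added example sudoers fragment (not from the thread). Edit only with
# "visudo", which checks the syntax before saving; "visudo -c" re-checks it.

# Behaviour the thread describes: after one successful sudo, the same user
# is not re-prompted for five minutes, from any terminal or login session.
# Defaults timestamp_timeout=5

# Tom Stiller's hardening: cache nothing, so every sudo prompts again and
# nothing can ride on an earlier successful sudo.
Defaults timestamp_timeout=0

# Assumption beyond the thread: tty_tickets ties the cached authentication
# to the terminal it was entered on, so a second session (serial, telnet or
# another Terminal window) gets its own prompt even with a non-zero timeout.
Defaults tty_tickets

# Clearing the cache by hand for the current user: "sudo -k" invalidates the
# timestamp and "sudo -K" removes it (on Mac OS X it lives under /var/db/sudo,
# as Barry notes above).
```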