Date:      Sat, 12 Aug 2006 15:16:40 -0700
From:      Cy Schubert <Cy.Schubert@komquats.com>
To:        Jorn Argelo <jorn@wcborstel.com>
Cc:        freebsd-stable@freebsd.org, Matt Schwartz <mes5048@verizon.net>
Subject:   Re: sudo 
Message-ID:  <200608122216.k7CMGexD050591@cwsys.cwsent.com>
In-Reply-To: Message from Jorn Argelo <jorn@wcborstel.com>  of "Sat, 12 Aug 2006 10:12:48 +0200." <44DD8D80.2060500@wcborstel.com>

In message <44DD8D80.2060500@wcborstel.com>, Jorn Argelo writes:
> Matt Schwartz wrote:
> > Hello list,
> >
> >  
> >
> > I have noticed that since upgrading to FreeBSD 6 STABLE that sudo is
> > behaving funny.  For example, sudo seems to be remembering passwords.  So,
> > sudo seems not to be obeying its 5 minute password timeout.  Has anyone else
> > experienced this?  Even after logging off and back on again, I can use sudo
> > without it prompting me for a password.  I know I am preaching to the choir
> > when I say this is dangerous.  How can I remedy the behavior?  I have even
> > placed the following line in my sudoers file and it had no effect:
> >
> >  
> >
> > meschwartz       ALL=(ALL) PASSWD: ALL
> >
> >  
> >
> > Some insight would be helpful.  If this is the wrong list, I apologize in
> > advance.
> >
> >  
> >
> >  
> >
> > Thanks,
> >
> > Matt      
> >
> > _______________________________________________
> > freebsd-stable@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
> >   
> AFAIK it has always been that sudo still works if you log out and back 
> in. But I never experienced that sudo doesn't obey the five minute 
> timeout on passwords, and I'm running 6-STABLE on 3 machines.
> 
> I just have this in my sudoers file, which doesn't give me any problems.
> 
> %wheel        ALL=(ALL)       ALL

Sudo has always done this. The reason is that it touches a file that 
corresponds to the tty (or pty) that it was invoked on. If you log out and 
log back in again on the same tty, sudo will "remember" that you had used 
it within five minutes ago. AFAIAC, this is a security issue. If someone 
happens to crack your account, all they need to do is wait for you to log 
out, quickly log into your account, hoping to get the same tty you had and 
use sudo "memory" to obtain elevated privileges.

Solutions might be to have pty's assigned randomly or at logout have the 
shell issue a sudo -k to remove your timestamp file. In bash and sh all a 
person needs to do is,

	trap '/usr/local/bin/sudo -k' 0

This will remove your sudo privileges at logout.


-- 
Cheers,
Cy Schubert <Cy.Schubert@komquats.com>
Web:  http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org
BC Government:  <Cy.Schubert@gov.bc.ca>

    "Lift long enough and I believe arrogance is replaced by
    humility and fear by courage and selfishness by generosity
    and rudeness by compassion and caring."
        -- Dave Draper
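The logout trap Cy describes, written out as a sourceable snippet with a self-check. This is an added example, not code from the thread or from the sudo project: it assumes sudo lives at /usr/local/bin/sudo (the ports path used in the message) and lets SUDO_BIN override that; the self-check builds a constructed stub "sudo" in a temporary directory so it can show the trap firing without touching a real timestamp.

```shell
#!/bin/sh
# Added example (not from the original thread): clear the caller's sudo
# timestamp when the login shell exits, so a later login that lands on the
# same tty cannot reuse it. Assumed sudo path, overridable for testing.
SUDO_BIN="${SUDO_BIN:-/usr/local/bin/sudo}"

# Runs at shell exit. "sudo -k" removes the invoking user's timestamp.
# Always return 0 so a missing sudo never prevents the shell from exiting.
revoke_sudo_timestamp() {
    if [ -x "$SUDO_BIN" ]; then
        "$SUDO_BIN" -k
    fi
    return 0
}

# Register the handler on signal 0 (EXIT), exactly as the message does,
# but through a function so the command can be changed in one place.
install_sudo_logout_trap() {
    trap 'revoke_sudo_timestamp' 0
}

# Self-check: run a subshell that installs the trap and exits, and report
# whether the revoke command actually ran. Uses a constructed stub in place
# of sudo that records the arguments it was called with.
demo_logout_trap() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "$@" > "%s/called"\n' "$tmp" > "$tmp/sudo"
    chmod +x "$tmp/sudo"
    # The EXIT trap fires when this subshell exits, calling the stub.
    ( SUDO_BIN="$tmp/sudo"; install_sudo_logout_trap; exit 0 )
    if [ -f "$tmp/called" ] && [ "$(cat "$tmp/called")" = "-k" ]; then
        rm -rf "$tmp"
        return 0
    fi
    rm -rf "$tmp"
    return 1
}

# Usage: source this file from ~/.profile (or ~/.bashrc for bash) and call
#   install_sudo_logout_trap
# To run the self-check instead:
#   SUDO_TRAP_DEMO=1 sh this_file.sh
if [ "${SUDO_TRAP_DEMO:-0}" = 1 ]; then
    demo_logout_trap && echo "logout trap ran sudo -k"
fi
```

The trap only runs when the shell exits through its normal exit path; a session that is killed outright leaves the timestamp in place until sudo's own timeout expires. The sudoers-side alternative is a `Defaults timestamp_timeout=0` line, which makes sudo ask for the password on every invocation regardless of tty.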
