From: Cy Schubert <Cy.Schubert@komquats.com>
To: Jorn Argelo
Cc: freebsd-stable@freebsd.org, Matt Schwartz
Subject: Re: sudo
Date: Sat, 12 Aug 2006 15:16:40 -0700
Message-Id: <200608122216.k7CMGexD050591@cwsys.cwsent.com>
In-Reply-To: Message from Jorn Argelo of "Sat, 12 Aug 2006 10:12:48 +0200." <44DD8D80.2060500@wcborstel.com>

In message <44DD8D80.2060500@wcborstel.com>, Jorn Argelo writes:
> Matt Schwartz wrote:
> > Hello list,
> >
> > I have noticed that since upgrading to FreeBSD 6 STABLE that sudo is
> > behaving funny. For example, sudo seems to be remembering passwords. So,
> > sudo seems not to be obeying its 5 minute password timeout. Has anyone else
> > experienced this? Even after logging off and back on again, I can use sudo
> > without it prompting me for a password. I know I am preaching to the choir
> > when I say this is dangerous. How can I remedy the behavior? I have even
> > placed the following line in my sudoers file and it had no effect:
> >
> > meschwartz ALL=(ALL) PASSWD: ALL
> >
> > Some insight would be helpful. If this is the wrong list, I apologize in
> > advance.
> >
> > Thanks,
> >
> > Matt
>
> AFAIK it has always been that sudo still works if you log out and back
> in. But I never experienced that sudo doesn't obey the five minute
> timeout on passwords, and I'm running 6-STABLE on 3 machines.
>
> I just have this in my sudoers file, which doesn't give me any problems.
>
> %wheel ALL=(ALL) ALL

Sudo has always done this. The reason is that it touches a file that
corresponds to the tty (or pty) that it was invoked on. If you log out and
log back in again on the same tty, sudo will "remember" that you had used
it within the last five minutes.

AFAIAC, this is a security issue. If someone happens to crack your account,
all they need to do is wait for you to log out, quickly log into your
account, hoping to get the same tty you had, and use sudo's "memory" to
obtain elevated privileges.

Solutions might be to have ptys assigned randomly or at logout have the
shell issue a sudo -k to remove your timestamp file. In bash and sh all a
person needs to do is

    trap '/usr/local/bin/sudo -k' 0

This will remove your sudo privileges at logout.

-- 
Cheers,
Cy Schubert
Web: http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX: Web: http://www.FreeBSD.org
BC Government:

"Lift long enough and I believe arrogance is replaced by humility and fear
by courage and selfishness by generosity and rudeness by compassion and
caring." -- Dave Draper
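The logout hook Cy describes, worked through as an added example that is not part of the thread: a small POSIX sh script that builds the `trap '... -k' 0` line, installs it once into a login-shell startup file (the file path is an assumption; `~/.profile` is the usual place for sh and bash login shells), and demonstrates the exit-trap mechanism with a marker file so it can be checked without sudo being present. The sudo path is looked up with `command -v`, falling back to the `/usr/local/bin/sudo` path from the message; that lookup is an assumption of this example, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): install a logout hook
# that runs "sudo -k" so the per-tty sudo timestamp is invalidated when the
# login shell exits, closing the window in which a reused tty would still
# carry a valid timestamp.
# Assumptions: sudo is on PATH or at /usr/local/bin/sudo (the path quoted in
# the thread); the startup file to edit is passed in as an argument.

# Locate the sudo binary to call from the trap (assumed lookup, with the
# FreeBSD ports path from the thread as fallback).
sudo_path() {
    command -v sudo 2>/dev/null || echo /usr/local/bin/sudo
}

# Build the exact line a POSIX sh or bash login shell should run at exit.
# Signal 0 is the EXIT pseudo-signal, so the command fires on normal logout.
logout_trap_line() {
    printf "trap '%s -k' 0\n" "$(sudo_path)"
}

# Append the trap line to a startup file, but only once (idempotent), so
# repeated runs do not stack duplicate traps.
install_logout_hook() {
    profile="$1"
    line="$(logout_trap_line)"
    if [ -f "$profile" ] && grep -Fqx "$line" "$profile"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$profile"
}

# Show the mechanism itself without needing sudo: a child shell whose EXIT
# trap creates a marker file, exactly where "sudo -k" would otherwise run.
# Returns 0 if the trap fired (marker exists), non-zero otherwise.
demo_exit_trap() {
    marker="$1"
    rm -f "$marker"
    sh -c "trap 'touch \"$marker\"' 0; :"
    [ -f "$marker" ]
}
```

The hook only covers the shell's own exit path: it runs when the login shell terminates, which is the case Cy's message is about (logging out and someone else landing on the same tty). It does not change how sudo stores or keys its timestamp, so it is a per-user mitigation layered on top of whatever timeout sudoers enforces.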