Dear listmembers,

I discovered this accidentally and never ever had thought that something like this could happen. There are cases where a "sudo" option IMHO is preferable over an extra root login on some console window, this is why I use it on a common base. And, when installing sudo, I cannot remember having been warned about something like this. Ok, ok, it is a RTFM issue.

Nevertheless I cannot see a good reason to use a 5 min password asking timeout as the default - I think that 0 min would be appropriate - whoever needs it shorter, can set it accordingly - but on his / her own risk. I think it would be a good policy for SuSE to change this as it is a risk that is adjustable and leaks should - IMHO - not be open as default.

Thanks for all your feedback,
take care

Dieter Jurzitza

--
HARMAN BECKER AUTOMOTIVE SYSTEMS
Dr.-Ing. Dieter Jurzitza
Manager Hardware Systems, System Development
Industriegebiet Ittersbach, Becker-Göring Str. 16, D-76307 Karlsbad / Germany
Phone: +49 (0)7248 71-1577
Fax: +49 (0)7248 71-1216
eMail: DJurzitza@harmanbecker.com
Internet: http://www.becker.de
-----Original Message-----
From: Ken Siersma [mailto:siersmak@ekkinc.com]
Sent: Tuesday, 15 November 2005 10:09
To: suse-amd64@suse.com
Subject: Re: [suse-amd64] OFF-TOPIC - *very* bad
Tim Janssen wrote:

Also, this feature is not Suse specific. The sudo memory is (I think) standard for sudo on most distributions (at least RedHat and Fedora, which I can verify). Nevertheless, it is indeed a security issue.

Cheers,
Tim

--- Siegbert Baude wrote:
Jerry Westrick wrote:
On Tuesday 15 November 2005 11:15, Jurzitza, Dieter wrote:

Dear listmembers, a big please: could you try

sudo -s
<ROOTPASSWD>
ROOTSHELL
Ctrl-d (back to original shell)

sudo -s
ROOTSHELL
!!!! No question for password. This should never happen. !!!!
Ctrl-d (back to original shell)

I perceive this as a serious bug. I see this here on SuSE 9.3 (both amd64 and i586) and have no other platform to test - any feedback is highly appreciated! The system asks again for the password after a certain amount of time (10min to 30min). I haven't debugged this with too much depth.

Thanks in advance,
take care

Dieter Jurzitza
Ditto SUSE 10.0 Pro (Commercial)...
The same on SUSE 9.2, but this is not a bug, it's a feature. "Man sudo" reveals this in the first paragraph, in the paragraph about sudo security you also find interesting pieces of information. To change this "man sudoers" says:

timestamp_timeout
    Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.

Ciao
Siegbert
-- Check the List-Unsubscribe header to unsubscribe For additional commands, email: suse-amd64-help@suse.com
AFAIK, it has been standard practice for quite some time to not install sudo if you are concerned about security. I don't have it on my home system which has a direct connection to the internet, with good reason, or my firewall at work, which I installed a good 3 years ago.
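The `timestamp_timeout` behaviour quoted from "man sudoers" in this thread, as an added example that is not part of the original messages: a Python check that reads sudoers text and reports, per `Defaults` scope, whether sudo caches the password, always prompts, or never expires the timestamp. The sample sudoers content and the user names in it are constructed; the 5-minute default is the value quoted from the man page above.

```python
import re

# Default quoted from "man sudoers" in this thread: 5 minutes.
DEFAULT_MINUTES = 5.0

# "Defaults" plus an optional adjacent binding (:user, @host, >runas, !cmnd).
_DEFAULTS = re.compile(r"^\s*Defaults(?P<scope>[:@>!]\S+)?\s+(?P<settings>.+)$")
_TIMEOUT = re.compile(r"(?:^|[\s,])timestamp_timeout\s*=\s*\"?(-?\d+(?:\.\d+)?)\"?")


def classify(minutes):
    """Map a timestamp_timeout value to the behaviour the man page describes."""
    if minutes < 0:
        return "never-expires"   # timestamp never expires
    if minutes == 0:
        return "always-prompt"   # password asked on every sudo call
    return "cached"              # no prompt again for this many minutes


def audit_sudoers(text):
    """Return {scope: (minutes, behaviour)}; a later line overrides an earlier one."""
    found = {"global": (DEFAULT_MINUTES, classify(DEFAULT_MINUTES))}
    text = text.replace("\\\n", " ")           # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0]           # drop comments
        entry = _DEFAULTS.match(line)
        if not entry:
            continue
        value = _TIMEOUT.search(entry.group("settings"))
        if value:
            minutes = float(value.group(1))
            found[entry.group("scope") or "global"] = (minutes, classify(minutes))
    return found


# Constructed sample sudoers content (user names are made up).
SAMPLE = """\
Defaults env_reset
Defaults timestamp_timeout=0   # always ask
Defaults:alice timestamp_timeout=-1
Defaults:bob !lecture, \\
    timestamp_timeout=15
alice ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for scope, (minutes, behaviour) in audit_sudoers(SAMPLE).items():
        print(f"{scope:8} timestamp_timeout={minutes:g} -> {behaviour}")
```

Scopes reported as "never-expires" or "cached" are the ones where a second `sudo -s` runs without a password prompt, as observed in the thread.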