On Wed, 2011-06-01 at 09:11 +0200, Petr Uzel wrote:
> On Tue, May 31, 2011 at 05:42:40PM -0700, John Andersen wrote:
>> On 5/31/2011 3:40 PM, Anders Johansson wrote:
>>> On Wednesday 01 June 2011 00:24:22 Edwin Helbert Aponte Angarita wrote:
>>>> I think this is a security issue. An unprivileged user that knows that the system is maintained remotely using ssh and, perhaps, sudo, could keep attempting to use sudo until they get it.
>>> They would first need to log in as the same user the admin was using. sudo won't do that for all users. It just remembers that you have already authenticated once, and won't force you to do it again until some time later.
>> I think the point Edwin was trying to make was assume you ssh into a remote machine _that is being used_ by an authorized user, and you use that person's login and then issue a sudo command.
>> The regular user sitting at that remote machine can then issue another sudo without knowing root's login (allegedly).
>> (If I'm interpreting Edwin's posting correctly.)
>> I don't think this really works, because caching of sudo credentials is specific to a login session, not specific to a user id.
> This is the default, but it can be overridden by setting "tty_tickets" to off in /etc/sudoers. Edwin, you may want to check this.
I'm very sorry for not answering before. I thought this thread had ended. Also, thanks for your interest in this thread. Let me rewrite the steps to reproduce this; pay attention to step 4.

On the LOCAL MACHINE (openSUSE 11.4):

1. ~> ssh remote_user@remote_host
   (password)
2. remote_user@remote_host:/> sudo ls /
   (root password)
3. remote_user@remote_host:/> exit

Then, on the REMOTE MACHINE (also openSUSE 11.4):

4. open a _NEW_ (gnome) terminal   <-- _new terminal_
5. ~> sudo ls /
   _(The sudo command on the remote machine doesn't ask for the root password)_
   bin boot dev etc home lib ...

As John said, this doesn't work if I try to issue a sudo in a terminal opened (on the remote machine) before I ssh into the remote machine from the local one and issue the sudo command through the ssh link. I had to _open a new_ (gnome) terminal to make this happen.

Again, thanks.
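
Petr's suggestion to check "tty_tickets" in /etc/sudoers, as an added example that is not part of the original thread: a small Python reader for unscoped Defaults lines, run here on constructed sample text. The function names are hypothetical, timestamp_timeout is a sudoers option the thread does not mention, and the starting value for tty_tickets is the default Petr states.

```python
import re

# Constructed sample sudoers text (not taken from the machines in the thread).
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset, \\
         !tty_tickets
Defaults timestamp_timeout=15
Defaults:backup timestamp_timeout=0
root ALL=(ALL) ALL
"""

def ticket_settings(sudoers_text):
    """Return the global tty_tickets / timestamp_timeout set by Defaults lines.

    Only unscoped "Defaults" entries are read (included files are not
    followed); later entries override earlier ones. Assumption: tty_tickets
    starts out on, as stated in the thread. timestamp_timeout is None when
    the text does not set it.
    """
    settings = {"tty_tickets": True, "timestamp_timeout": None}
    text = sudoers_text.replace("\\\n", " ")  # join continuation lines
    for line in text.splitlines():
        m = re.match(r"Defaults\s+(.*)", line.strip())
        if not m:
            continue  # comments, user specs, Defaults:user / Defaults@host
        for item in m.group(1).split(","):
            name, _, value = item.strip().partition("=")
            name, value = name.strip(), value.strip().strip('"')
            if name in ("tty_tickets", "!tty_tickets"):
                settings["tty_tickets"] = not name.startswith("!")
            elif name == "timestamp_timeout" and value:
                settings["timestamp_timeout"] = float(value)
    return settings

def findings(settings):
    """Describe how far one successful sudo authentication carries over."""
    out = []
    if not settings["tty_tickets"]:
        out.append("tty_tickets is off: one cached credential covers every terminal of the user")
    timeout = settings["timestamp_timeout"]
    if timeout is None:
        out.append("timestamp_timeout not set here: sudo's built-in timeout applies")
    elif timeout < 0:
        out.append("timestamp_timeout is negative: the cached credential never expires")
    elif timeout > 0:
        out.append(f"cached credential stays valid for {timeout:g} minutes")
    return out

if __name__ == "__main__":
    print("\n".join(findings(ticket_settings(SAMPLE_SUDOERS))))
```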