Mailinglist Archive: opensuse (671 mails)
Re: [opensuse] Risky ssh + sudo behaviour?
- From: Tejas Guruswamy <tejas.guruswamy@xxxxxxxxxxxx>
- Date: Mon, 06 Jun 2011 20:23:57 +0100
- Message-id: <4DED294D.9090701@opensuse.org>
On 06/06/11 18:03, Edwin Helbert Aponte Angarita wrote:
> On Wed, 2011-06-01 at 09:11 +0200, Petr Uzel wrote:
> > On Tue, May 31, 2011 at 05:42:40PM -0700, John Andersen wrote:
> > > On 5/31/2011 3:40 PM, Anders Johansson wrote:
> > > > On Wednesday 01 June 2011 00:24:22 Edwin Helbert Aponte Angarita wrote:
> > > > > I think this is a security issue. An unprivileged user that knows that
> > > > > the system is maintained remotely using ssh and, perhaps, sudo, could
> > > > > keep attempting to use sudo until they get it.
> > > > They would first need to log in as the same user the admin was using. sudo
> > > > won't do that for all users. It just remembers that you have already
> > > > authenticated once, and won't force you to do it again until some time later.
> > > I think the point Edwin was trying to make was assume you ssh into
> > > a remote machine _that is being used_ by an authorized user, and
> > > you use that person's login and then issue a sudo command.
> > > The regular user sitting at that remote machine can then issue another
> > > sudo without knowing root's login (allegedly).
> > > (If I'm interpreting Edwin's posting correctly.)
> > > I don't think this really works, because caching of sudo credentials
> > > is specific to a login session, not specific to a user id.
> > This is the default, but it can be overridden by setting "tty_tickets"
> > to off in /etc/sudoers. Edwin, you may want to check this.
>
> I'm very sorry for not answering before. I thought this thread was ended.
> Also thanks for your interest in this thread.
> Let me rewrite the steps to reproduce this; pay attention to step 4.
>
> In the LOCAL MACHINE (openSUSE 11.4)
> 1. ~> ssh remote_user@remote_host
>    (password)
> 2. remote_user@remote_host:/> sudo ls /
>    (root password)
> 3. remote_user@remote_host:/> exit
>
> Then, in the REMOTE MACHINE (also openSUSE 11.4):
> 4. open a _NEW_ (gnome) terminal          <-- _new terminal_
> 5. ~> sudo ls /
>    _(The sudo command in the remote machine doesn't ask for the root password)_
>    bin boot dev etc home lib ...
>
> As John said, this doesn't work if I try to issue a sudo in a terminal
> opened (in the remote machine) before I ssh into the remote machine from the
> local one and issue the sudo command through the ssh link. I had to
> _open a new_ (gnome) terminal to make this happen.
>
> Again, thanks.
This has been a known feature/issue for many years. Basically sudo doesn't delete tty tickets when the tty disappears, so if you close your authorised terminal and open another one that happens to get the same tty number, it is still authorised. (See the files under /var/run/sudo; this is with tty_tickets already enabled (the default); without it, it's even worse.)
But no one important seems to believe this is a genuine security vulnerability ... for example, here is an Ubuntu bug discussing it without resolution for the last four years:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/87023
It does make me uneasy ... although if an attacker has access to a sudo-enabled account you're probably hosed anyway ...
Regards,
Tejas
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
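The two knobs the thread circles around (tty_tickets, which Tejas notes is already the default, and the ticket lifetime, which is what lets a closed terminal's ticket be inherited by a new one with the same tty name) can be checked mechanically. The script below is an added example, not code from any of the posters: a POSIX sh audit of the global `Defaults` options in a sudoers text, and an idempotent hook that drops the ticket with `sudo -K` when the ssh session logs out. The two sudoers texts are constructed for the demo; on a real host you would feed it /etc/sudoers and /etc/sudoers.d/* instead. It parses only global `Defaults` lines, not the per-user or per-host forms.

```shell
#!/bin/sh
# Added example, not code from the thread: a POSIX sh audit of the sudoers
# "Defaults" options that decide how long a cached sudo authentication lives,
# plus an idempotent logout hook that drops the ticket with "sudo -K".
# Assumed (not on the page): the two sudoers texts below are constructed for
# the demo; on a real host feed /etc/sudoers and /etc/sudoers.d/* instead.
# Only global "Defaults" lines are parsed (not Defaults:user / Defaults@host).

# Print the options of every global Defaults line on stdin, one per line,
# with comments stripped and comma-separated lists split.
defaults_options() {
  sed -e 's/#.*$//' | awk '
    /^[ \t]*Defaults[ \t]/ {
      sub(/^[ \t]*Defaults[ \t]+/, "")
      n = split($0, a, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", a[i])
        if (a[i] != "") print a[i]
      }
    }'
}

# Print the effective timestamp_timeout of the sudoers text on stdin.
# The last assignment wins; "default" means none was set, in which case the
# compiled-in value (5 minutes in stock sudo; distros may change it) applies.
effective_timeout() {
  t=$(defaults_options \
      | sed -n 's/^timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9.]*\).*$/\1/p' \
      | tail -n 1)
  printf '%s\n' "${t:-default}"
}

# Audit the sudoers text on stdin. Returns 0 only when a cached credential
# cannot be reused from another terminal (tty_tickets on, timeout 0);
# otherwise prints one finding per line and returns 1.
audit_sudoers() {
  text=$(cat)
  rc=0
  if printf '%s\n' "$text" | defaults_options | grep -qxF '!tty_tickets'; then
    echo "RISK: tty_tickets disabled: one ticket per user, honoured from every terminal"
    rc=1
  fi
  t=$(printf '%s\n' "$text" | effective_timeout)
  case $t in
    0) ;;
    -*) echo "RISK: timestamp_timeout=$t: the ticket never expires"; rc=1 ;;
    default) echo "NOTE: no timestamp_timeout set: a ticket outlives its terminal for the compiled-in timeout, and a new terminal that gets the same tty name inherits it"; rc=1 ;;
    *) echo "NOTE: timestamp_timeout=$t: a ticket outlives its terminal for $t minutes"; rc=1 ;;
  esac
  return $rc
}

# Append "sudo -K" to a logout file (e.g. ~/.bash_logout) exactly once, so the
# ticket is removed when the ssh session exits instead of when the timeout fires.
install_logout_hook() {
  hook='sudo -K 2>/dev/null'
  grep -qxF "$hook" "$1" 2>/dev/null || printf '%s\n' "$hook" >>"$1"
}

# Constructed samples: the weak one shares a never-expiring ticket across all
# terminals; the hardened one makes every sudo prompt.
WEAK_SUDOERS='Defaults env_reset
Defaults !tty_tickets, timestamp_timeout=-1   # never ask again
root ALL=(ALL) ALL'

HARDENED_SUDOERS='Defaults env_reset
Defaults tty_tickets, timestamp_timeout=0
root ALL=(ALL) ALL'

echo "== weak sample =="
printf '%s\n' "$WEAK_SUDOERS" | audit_sudoers || echo "=> a cached credential is reusable from another terminal"
echo "== hardened sample =="
printf '%s\n' "$HARDENED_SUDOERS" | audit_sudoers && echo "=> every sudo prompts; nothing to reuse"
# On a real host: cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers
# and for the account used over ssh: install_logout_hook ~/.bash_logout
```

Note that tty_tickets alone does not make Edwin's steps fail, which is exactly Tejas's point: the ticket is keyed by tty name and survives the terminal that created it. `timestamp_timeout=0` closes that window by making every sudo prompt; the logout hook only helps when the session exits cleanly (a killed connection may never run the logout file), so the sudoers setting is the one to rely on.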