Mailinglist Archive: opensuse (671 mails)

Re: [opensuse] Risky ssh + sudo behaviour?
On 07/06/11 02:16, Jim Cunning wrote:
On 06/06/2011 05:09 PM, Edwin Helbert Aponte Angarita wrote:
On Mon, 2011-06-06 at 14:25 -0700, John Andersen wrote:
And you must CLOSE/exit the first ssh session in order for the subsequent
session to still have sudo rights. As Tejas points out (in another message)
you need to snag the tty number.
That's right. I had to close the first ssh session.
sudo itself provides a very simple way to deal with this "security
hole". From the man page:

-K  The -K (sure kill) option is like -k except that it removes
    the user's timestamp entirely and may not be used in
    conjunction with a command or other option. This option
    does not require a password.

-k  When used by itself, the -k (kill) option to sudo
    invalidates the user's timestamp by setting the time on it
    to the Epoch. The next time sudo is run a password will be
    required. This option does not require a password and was
    added to allow a user to revoke sudo permissions from a
    .logout file.

So, "sudo -k" in the user's .logout file ought to remove any lingering
sudo rights.

Jim

Though that removes sudo authorization from ALL running tty's, not only the one you just exited. YMMV

Tejas