Jerry Westrick schrieb:

On Tuesday 15 November 2005 11:15, Jurzitza, Dieter wrote:

...

Dear listmembers, a big please: could you try

sudo -s <ROOTPASSWD> ROOTSHELL Ctrl-d (back to original shell)

sudo -s ROOTSHELL !!!! No question for password. This should never happen. !!!! Ctrl-d (back to original shell)

I perceive this as a serious bug. I see this here on SuSE 9.3 (both amd64 and i586) and have no other platform to test - any feedback is highly appreciated! The system asks again for the password after a certain amount of time (10min to 30min). I haven't debugged this with too much depth. Thanks in advance, take care

Dieter Jurzitza

Ditto SUSE 10.0 Pro (Comercial)...

The same on SUSE 9.2, but this is not a bug, it's a feature. "Man sudo" reveals this in the first paragraph, in the paragraph about sudo security you also find interesting pieces of information. To change this "man sudoers" says: timestamp_timeout Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively. Ciao Siegbert

Tim Janssen wrote:

Also, this feature is not Suse specific. The sudo memory is (I think) standard for sudo on most distributions (at least RedHat and Fedora, which I can verify). Nevertheless, it is indeed a security issue.

Cheers,

Tim --- Siegbert Baude wrote:

...

Jerry Westrick schrieb:

...

On Tuesday 15 November 2005 11:15, Jurzitza, Dieter wrote:

...

Dear listmembers, a big please: could you try

sudo -s <ROOTPASSWD> ROOTSHELL Ctrl-d (back to original shell)

sudo -s ROOTSHELL !!!! No question for password. This should never happen. !!!! Ctrl-d (back to original shell)

I perceive this as a serious bug. I see this here on SuSE 9.3 (both amd64 and i586) and have no other platform to test - any feedback is highly appreciated! The system asks again for the password after a certain amount of time (10min to 30min). I haven't debugged this with too much depth. Thanks in advance, take care

Dieter Jurzitza

Ditto SUSE 10.0 Pro (Comercial)...

The same on SUSE 9.2, but this is not a bug, it's a feature. "Man sudo" reveals this in the first paragraph, in the paragraph about sudo security you also find interesting pieces of information. To change this "man sudoers" says:

timestamp_timeout Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.

Ciao Siegbert

-- Check the List-Unsubscribe header to unsubscribe For additional commands, email: suse-amd64-help@suse.com

AFAIK, it has been standard practice for quite some time to not install sudo if you are concerned about security. I don't have it on my home system which has a direct connection to the internet, with good reason, or my firewall at work, which I installed a good 3 years ago.

On 2005-11-15 21:15, Mike Marion wrote:

On Tue, Nov 15, 2005 at 04:08:52AM -0500, Ken Siersma wrote:

...

AFAIK, it has been standard practice for quite some time to not install sudo if you are concerned about security. I don't have it on my home system which has a direct connection to the internet, with good reason, or my firewall at work, which I installed a good 3 years ago.

Actually, the opposite is true. Sudo allows you to delegate specific commands to specific people if required. Otherwise, if they ever have to do anything that requires root permissions, they have to su to root.. now _that_ is a security hole! In fact, a really secure system is one that the admin _never_ su's to root on to run commands, but does everything via sudo. That way everything you (or anyone else using sudo) does can be controlled, and it's all logged.

If you don't like the timed caching of the password, change the settings on your machines to make it more secure. It's in the man pages.

Yeah, I was thinking the same, If you need password every time, people just do sudo su , and leave that shell open forever, and maybe forget about it. Why don't they add support for sudo in kdesu ????? Now when a user open YaST2 , kdesu ask for roots password, not very good. Better it looks for rules in sudoers, to figure out what YaST will let the user config using the login password. example if sudo allow me to run /sbin/yast2 sw_single , then YaST could allow me to click on install/remove software , but not allowing me to change installation_sources. I use my password in kdesu, but that is a hack with a /bin/su wrapper using sudo to gain root access. This part is still in HomePC status :-( YaST is all or nothing, and that is either to much or not enough for the user. Since I like YaST, it's a shame if we need to make another system that can use sudo. /birre