OFF-TOPIC - *very* bad
Dear listmembers, a big please: could you try

sudo -s
<ROOTPASSWD>
ROOTSHELL
Ctrl-d (back to original shell)
sudo -s
ROOTSHELL
!!!! No question for password. This should never happen. !!!!
Ctrl-d (back to original shell)

I perceive this as a serious bug. I see this here on SuSE 9.3 (both amd64 and i586) and have no other platform to test - any feedback is highly appreciated! The system asks again for the password after a certain amount of time (10min to 30min). I haven't debugged this with too much depth.

Thanks in advance, take care

Dieter Jurzitza

--
HARMAN BECKER AUTOMOTIVE SYSTEMS
Dr.-Ing. Dieter Jurzitza
Manager Hardware Systems
System Development
Industriegebiet Ittersbach
Becker-Göring Str. 16
D-76307 Karlsbad / Germany
Phone: +49 (0)7248 71-1577
Fax: +49 (0)7248 71-1216
eMail: DJurzitza@harmanbecker.com
Internet: http://www.becker.de

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the contents in this e-mail is strictly forbidden.
On Tuesday 15 November 2005 11:15, Jurzitza, Dieter wrote:
> Dear listmembers, a big please: could you try
>
> sudo -s
> <ROOTPASSWD>
> ROOTSHELL
> Ctrl-d (back to original shell)
> sudo -s
> ROOTSHELL
> !!!! No question for password. This should never happen. !!!!
> Ctrl-d (back to original shell)
>
> I perceive this as a serious bug. I see this here on SuSE 9.3 (both amd64 and i586) and have no other platform to test - any feedback is highly appreciated! The system asks again for the password after a certain amount of time (10min to 30min). I haven't debugged this with too much depth.
>
> Thanks in advance, take care
>
> Dieter Jurzitza

Ditto SUSE 10.0 Pro (Commercial)...

Jerry
Jerry Westrick wrote:
> Ditto SUSE 10.0 Pro (Commercial)...
The same on SUSE 9.2, but this is not a bug, it's a feature. "man sudo" reveals this in the first paragraph; in the paragraph about sudo security you also find interesting pieces of information. To change this, "man sudoers" says:

    timestamp_timeout
        Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.

Ciao
Siegbert
Also, this feature is not Suse specific. The sudo memory is (I think) standard for sudo on most distributions (at least RedHat and Fedora, which I can verify). Nevertheless, it is indeed a security issue.

Cheers,
Tim
--- Siegbert Baude wrote:
> The same on SUSE 9.2, but this is not a bug, it's a feature. "man sudo" reveals this in the first paragraph; in the paragraph about sudo security you also find interesting pieces of information. To change this, "man sudoers" says:
>
>     timestamp_timeout
>         Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.
>
> Ciao
> Siegbert
-- Check the List-Unsubscribe header to unsubscribe For additional commands, email: suse-amd64-help@suse.com
Tim Janssen wrote:
> Also, this feature is not Suse specific. The sudo memory is (I think) standard for sudo on most distributions (at least RedHat and Fedora, which I can verify). Nevertheless, it is indeed a security issue.
>
> Cheers,
> Tim
AFAIK, it has been standard practice for quite some time to not install sudo if you are concerned about security. I don't have it on my home system which has a direct connection to the internet, with good reason, or my firewall at work, which I installed a good 3 years ago.
On Tue, Nov 15, 2005 at 04:08:52AM -0500, Ken Siersma wrote:
> AFAIK, it has been standard practice for quite some time to not install sudo if you are concerned about security. I don't have it on my home system which has a direct connection to the internet, with good reason, or my firewall at work, which I installed a good 3 years ago.
Actually, the opposite is true. Sudo allows you to delegate specific commands to specific people if required. Otherwise, if they ever have to do anything that requires root permissions, they have to su to root... now _that_ is a security hole! In fact, a really secure system is one that the admin _never_ su's to root on to run commands, but does everything via sudo. That way everything you (or anyone else using sudo) does can be controlled, and it's all logged.

If you don't like the timed caching of the password, change the settings on your machines to make it more secure. It's in the man pages.

--
Mike Marion - Unix SysAdmin/Staff Engineer - http://www.qualcomm.com
Bart: "Why the crap do we have to go to church anyway?"
Marge: "You just answered your own question with that commode mouth! Besides, you kids need to learn morals and decency, and how to love your fellow man."
[cut to church]
Reverend Lovejoy: "...and with flaming swords, the Aramites did pierce the eyes of their fellow man, and did feast on what flowed forth!"
==> Simpsons
On 2005-11-15 21:15, Mike Marion wrote:
> Actually, the opposite is true. Sudo allows you to delegate specific commands to specific people if required. Otherwise, if they ever have to do anything that requires root permissions, they have to su to root... now _that_ is a security hole! In fact, a really secure system is one that the admin _never_ su's to root on to run commands, but does everything via sudo. That way everything you (or anyone else using sudo) does can be controlled, and it's all logged.
>
> If you don't like the timed caching of the password, change the settings on your machines to make it more secure. It's in the man pages.
Yeah, I was thinking the same. If you need a password every time, people just do sudo su, and leave that shell open forever, and maybe forget about it.

Why don't they add support for sudo in kdesu????? Now when a user opens YaST2, kdesu asks for root's password, not very good. Better if it looked for rules in sudoers to figure out what YaST will let the user configure using the login password. For example, if sudo allows me to run /sbin/yast2 sw_single, then YaST could allow me to click on install/remove software, but not allow me to change installation_sources.

I use my password in kdesu, but that is a hack with a /bin/su wrapper using sudo to gain root access. This part is still in HomePC status :-(

YaST is all or nothing, and that is either too much or not enough for the user. Since I like YaST, it's a shame if we need to make another system that can use sudo.

/birre
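As an added example (not from any of the posts above), here is how the timestamp_timeout setting Siegbert quotes, the per-command delegation and logging Mike argues for, and Birger's /sbin/yast2 sw_single case look together in one sudoers fragment. The group name "swadmins" and the log path are assumptions made for illustration; the option names are from the sudoers manual.

```sudoers
# Added example sudoers fragment, not taken from the thread. Edit only via
# "visudo", which checks the syntax before saving. The group "swadmins"
# and the log path below are assumptions for illustration.

# The behaviour Dieter reports: after one successful password entry, sudo
# does not ask again for timestamp_timeout minutes (default 5). This is
# the stock setting, shown commented out only for contrast:
# Defaults    timestamp_timeout=5

# Always ask for the password (Siegbert's suggestion):
Defaults    timestamp_timeout=0

# If a cache is wanted anyway, at least make it per-tty rather than
# per-user, so a ticket earned in one terminal does not unlock another:
# Defaults    timestamp_timeout=5, tty_tickets

# Refuse to run without a terminal and keep an audit log (Mike's point
# that everything done through sudo can be controlled and logged):
Defaults    requiretty
Defaults    logfile=/var/log/sudo.log

# Delegate a single command instead of a root shell (Mike), using
# Birger's example: package management only, not installation sources.
Cmnd_Alias  YAST_SW = /sbin/yast2 sw_single
%swadmins   ALL = (root) YAST_SW

# Not granted: a root shell. Without a line such as the one below,
# "sudo -s" and "sudo su" are refused for members of swadmins.
# %swadmins   ALL = (root) ALL
```

Two caveats for anyone applying this. First, timestamp_timeout=0 only removes the cached ticket; it does nothing against Birger's scenario of a user who runs "sudo -s" once and leaves the root shell open, so the delegation lines matter more than the timeout, and anyone who does keep the default timeout should run "sudo -k" (quoted from the man page above) before walking away from a terminal. Second, requiretty also refuses sudo calls from cron jobs and non-interactive scripts, so check those before enabling it.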
participants (7)
- Birger Blixt
- Jerry Westrick
- Jurzitza, Dieter
- Ken Siersma
- Mike Marion
- Siegbert Baude
- Tim Janssen