[Bug 857502] [NEW] Deleting a user does not invalidates the user's sudo time stamp

Simon Déziel 857502 at bugs.launchpad.net
Fri Sep 23 15:27:31 UTC 2011 

Public bug reported:

When deleting a user, its sudo time stamp file, if any, is not
invalidated. This means that if the same use is recreated right after
the deletion (and joined to the sudo group), the new user can do "sudo
-i" without receiving a password prompt. This problem is mitigated by
the fact that the time stamp expires after a short delay but I still
feel that's not right to not remove it.

This could be solved by removing the files under /var/lib/sudo/<user>/
or /var/run/sudo/<user>/ (on older Ubuntu versions).

$ lsb_release -rd
Description:	Ubuntu 11.04
Release:	11.04

$ apt-cache policy adduser
adduser:
  Installed: 3.112+nmu1ubuntu5
  Candidate: 3.112+nmu1ubuntu5
  Version table:
 *** 3.112+nmu1ubuntu5 0
        500 http://ca.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: adduser 3.112+nmu1ubuntu5
ProcVersionSignature: Ubuntu 2.6.38-11.50-generic 2.6.38.8
Uname: Linux 2.6.38-11-generic x86_64
Architecture: amd64
Date: Fri Sep 23 11:03:57 2011
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_US:en
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: adduser
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: adduser (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug natty

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/857502

Title:
  Deleting a user does not invalidates the user's sudo time stamp

Status in “adduser” package in Ubuntu:
  New

Bug description:
  When deleting a user, its sudo time stamp file, if any, is not
  invalidated. This means that if the same use is recreated right after
  the deletion (and joined to the sudo group), the new user can do "sudo
  -i" without receiving a password prompt. This problem is mitigated by
  the fact that the time stamp expires after a short delay but I still
  feel that's not right to not remove it.

  This could be solved by removing the files under /var/lib/sudo/<user>/
  or /var/run/sudo/<user>/ (on older Ubuntu versions).

  $ lsb_release -rd
  Description:	Ubuntu 11.04
  Release:	11.04

  $ apt-cache policy adduser
  adduser:
    Installed: 3.112+nmu1ubuntu5
    Candidate: 3.112+nmu1ubuntu5
    Version table:
   *** 3.112+nmu1ubuntu5 0
          500 http://ca.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
          100 /var/lib/dpkg/status

  ProblemType: Bug
  DistroRelease: Ubuntu 11.04
  Package: adduser 3.112+nmu1ubuntu5
  ProcVersionSignature: Ubuntu 2.6.38-11.50-generic 2.6.38.8
  Uname: Linux 2.6.38-11-generic x86_64
  Architecture: amd64
  Date: Fri Sep 23 11:03:57 2011
  PackageArchitecture: all
  ProcEnviron:
   LANGUAGE=en_US:en
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: adduser
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/857502/+subscriptions

More information about the foundations-bugs mailing list