[Bug 857502] [NEW] Deleting a user does not invalidates the user's sudo time stamp
Simon Déziel
857502 at bugs.launchpad.net
Fri Sep 23 15:27:31 UTC 2011
Public bug reported:

When deleting a user, its sudo time stamp file, if any, is not
invalidated. This means that if the same user is recreated right after
the deletion (and joined to the sudo group), the new user can do "sudo
-i" without receiving a password prompt. This problem is mitigated by
the fact that the time stamp expires after a short delay but I still
feel it's not right to not remove it.

This could be solved by removing the files under /var/lib/sudo/<user>/
or /var/run/sudo/<user>/ (on older Ubuntu versions).

$ lsb_release -rd
Description:    Ubuntu 11.04
Release:        11.04

$ apt-cache policy adduser
adduser:
  Installed: 3.112+nmu1ubuntu5
  Candidate: 3.112+nmu1ubuntu5
  Version table:
 *** 3.112+nmu1ubuntu5 0
        500 http://ca.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: adduser 3.112+nmu1ubuntu5
ProcVersionSignature: Ubuntu 2.6.38-11.50-generic 2.6.38.8
Uname: Linux 2.6.38-11-generic x86_64
Architecture: amd64
Date: Fri Sep 23 11:03:57 2011
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_US:en
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: adduser
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: adduser (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug natty
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/857502
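
Added example (not part of the original report and not adduser's own code): a shell sketch of the cleanup proposed above, plus an audit that lists per-user sudo time stamp directories left behind for accounts that no longer exist. The function names and the --audit switch are hypothetical; the default directory is the /var/lib/sudo path named in the report.

```shell
#!/bin/sh
# Added example. Time stamp directories are keyed by user name, so a directory
# that outlives its account is inherited by any new account with that name.

# user_exists NAME PASSWD_FILE: succeeds if NAME is an account in PASSWD_FILE.
# Reads a passwd-format file only; accounts from other NSS sources are not seen.
user_exists() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# orphaned_timestamps TS_DIR PASSWD_FILE
# Prints the name of every directory under TS_DIR that has no matching account.
orphaned_timestamps() {
    ts_dir=$1
    passwd=$2
    [ -d "$ts_dir" ] || return 0
    for entry in "$ts_dir"/*; do
        [ -d "$entry" ] || continue          # skip stray files and an empty glob
        name=${entry##*/}
        user_exists "$name" "$passwd" || printf '%s\n' "$name"
    done
}

# purge_timestamp TS_DIR USER
# What a user-deletion hook would do: drop USER's time stamp directory.
# Rejects empty names and anything that could escape TS_DIR.
purge_timestamp() {
    case $2 in
        ''|*/*|.|..) return 1 ;;
    esac
    rm -rf -- "$1/$2"
}

# Hypothetical entry point: sh script.sh --audit [TS_DIR]
if [ "${1:-}" = "--audit" ]; then
    orphaned_timestamps "${2:-/var/lib/sudo}" /etc/passwd
fi
```

The audit only catches a deleted account that has not yet been recreated; once the name exists again the stale directory looks legitimate, which is why the purge belongs in the deletion step itself.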