Sudo timeout issue (was: cross platform virus)

Peter Garrett peter.garrett at optusnet.com.au
Sun Apr 9 08:08:39 BST 2006


On Sun, 09 Apr 2006 12:11:12 +1000
Sasha Tsykin <stsykin at gmail.com> wrote:

> Peter Garrett wrote:
> > On Sun, 09 Apr 2006 02:36:54 +0200
> > Hein-Pieter van Braam <hp at syntomax.com> wrote:
> > 
> >> Try opening synaptic twice in a row, the login environment that gnome is
> >> in still holds the sudo ticket, and thus it can restart an app without
> >> asking for the password again. I am guessing that is the concern 
> > 
> > Indeed, you are right - perhaps the sudo "ticket" in this case should
> > apply only for the app concerned. Not sure if that is possible, but this
> > does look like a loophole.... Any app requiring sudo seems to open happily
> > without a password  if started after, say, synaptic during the time out
> > period.   : (  ...
> > 
> Only if it is in the same terminal window.
> 
Actually Sasha, I should have been more specific. My previous post said:

<quote>
The balance of probabilities is still heavily stacked against the attacker
- the time-out applies only to the shell from which the sudo command is
run.

For instance, run

sudo echo foo

from one terminal - now open another and run it again from the new one.
You get asked for a password (unless you were previously using pts/2 or
whatever the new shell is with sudo, and just reopened it)

In other words, if the user had just run synaptic from the menu, and then
opened a terminal and ran the malware affected program, sudo would still
request a password.

</quote>

The later post (as you quoted me at the top of this one) was a response
to Hein-Pieter van Braam, agreeing with his point, on the following
grounds:

If you start synaptic (for example) from the *menu*, then start another
app requiring gksudo/sudo soon afterwards *from the menu*, you will see
that no password is asked the second time - as Hein-Pieter says, this is
because both are started from the same gnome-spawned shell.

So we don't disagree, but Hein-Pieter has pointed out a case where the
scenario is trivially easy to reproduce.

Peter


-- 

Linux User #343161 
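
The ticket scope and time-out discussed in this thread are governed by sudoers `Defaults` entries. The following is an added example, not part of the original message: a small audit function that reports the global `timestamp_timeout`, `tty_tickets` and `timestamp_type` settings (real sudoers options that the thread does not name; `timestamp_type` replaces `tty_tickets` in newer sudo releases). The sample sudoers text is constructed, and the parser assumes no line continuations or quoted values.

```shell
#!/bin/sh
# Added example: report the sudoers settings that control how long a sudo
# ticket lasts and whether it is tied to one terminal.
# Assumptions: only global "Defaults" lines are read (not Defaults:user,
# Defaults@host, etc.); included files are not followed.

audit_sudo_tickets() {
    # Reads sudoers text on stdin, prints one summary line.
    awk '
    BEGIN { timeout = "unset"; tty = "unset"; ttype = "unset" }
    /^[ \t]*#/ { next }                      # comments and #include lines
    $1 == "Defaults" {
        line = $0
        sub(/^[ \t]*Defaults[ \t]+/, "", line)
        n = split(line, opts, ",")           # Defaults a, b=c, !d
        for (i = 1; i <= n; i++) {
            o = opts[i]
            gsub(/[ \t]/, "", o)
            if (o ~ /^timestamp_timeout=/) { sub(/^[^=]*=/, "", o); timeout = o }
            else if (o == "tty_tickets")     tty = "on"
            else if (o == "!tty_tickets")    tty = "off"
            else if (o ~ /^timestamp_type=/) { sub(/^[^=]*=/, "", o); ttype = o }
        }
    }
    END { printf "timeout=%s tty_tickets=%s timestamp_type=%s\n", timeout, tty, ttype }
    '
}

# Constructed sample: per-terminal tickets disabled, time-out left at the
# built-in value, so a ticket can be reused from any session of the user.
SAMPLE_WEAK='Defaults env_reset
Defaults !tty_tickets
%admin ALL=(ALL) ALL'

# Constructed sample: timestamp_timeout=0 makes sudo prompt every time,
# so there is no ticket for a second program to reuse.
SAMPLE_STRICT='# constructed sample
Defaults env_reset, timestamp_timeout=0
Defaults tty_tickets
%admin ALL=(ALL) ALL'

printf '%s\n' "$SAMPLE_WEAK"   | audit_sudo_tickets
printf '%s\n' "$SAMPLE_STRICT" | audit_sudo_tickets
```

On a live system the input would be the output of `sudo cat /etc/sudoers` plus any files it includes; any edit should go through `visudo`.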


