sudo security concerns ?
Karl Hegbloom
hegbloom at pdx.edu
Thu Nov 25 21:47:11 CST 2004
I'm concerned about the security of having 'sudo' available so easily.
When I run a sudo command, it asks for my password. That's fine, but
the second time I run it, it does NOT ask for it. Once you
authenticate, it remembers that and you stay authenticated for a period
of time.
I think that opens up a security hole that could be exploited by 'virus'
or 'trojan horse' writers. When Ubuntu becomes very popular, it will
attract virus writers just as Windows has. If anything has easy access
to 'root', it can do pretty much anything it wants to.
Can sudo be configured, by default, to require a password EVERY time you
run a sudo command?
What about when I run a GUI app? Is that using 'sudo' or something
else? Will that prompt every time for password?
It lets me open a root shell without any password at all! Is that
controlled by the sudoers file, or what? Is that there for ANY user, or
only the first one created?
Is there a plan to integrate SELinux support in the future? The Fedora
people are really plugging that. People will look for it. I'd like to
have encrypted /home and swap on some machines. It would be great if
the installer and initrd setup can support that. (perhaps I'll have
time to look into doing this someday... I'm in college and very busy.)
--
Karl Hegbloom
(o_ mailto:hegbloom at pdx.edu
//\ jabber:karlheg at jabber.org
V_/_ yahoo:karlheg
More information about the ubuntu-devel
mailing list