sudo security concerns ?
Matt Zimmerman
mdz at canonical.com
Fri Nov 26 03:25:35 CST 2004
On Thu, Nov 25, 2004 at 07:47:11PM -0800, Karl Hegbloom wrote:
> I'm concerned about the security of having 'sudo' available so easily.
> When I run a sudo command, it asks for my password. That's fine, but
> the second time I run it, it does NOT ask for it. Once you
> authenticate, it remembers that and you stay authenticated for a period
> of time.
>
> I think that opens up a security hole that could be exploited by 'virus'
> or 'trojan horse' writers. When Ubuntu becomes very popular, it will
> attract virus writers just as Windows has. If anything has easy access
> to 'root', it can do pretty much anything it wants to.
>
> Can sudo be configured, by default, to require a password EVERY time you
> run a sudo command?
This was discussed months ago; the reality is that this doesn't open any
holes which don't already exist due to the inherent design of programs like
su and sudo. Anyone who has control over a uid with access to su or sudo
has control of root as well..
--
- mdz
More information about the ubuntu-devel
mailing list