Possible security risk (sudo & command history)
Jeff Waugh
jeff.waugh at canonical.com
Mon Sep 27 07:55:37 UTC 2004
On Fri, 2004-09-24 at 11:21 -0700, Brian Yoon wrote:
> I don't know if this is a security threat but I am
> able to run a sudo command without typing in my
> password.
>
> 1) sudo vi any-system-critical-file
> 2) input password
> 3) close out vi session
> 4) use the up arrow to find and run that command again
> 5) edit the file without having to enter in password
>
> I'm able to rerun the sudo command without entering a
> password by using the command history (up arrow) even
> after I close the terminal and open a new one.
>
> This could be extremely dangerous because I could
> issue a sensitive root command, close it out, leave my
> computer, and someone else could simply browse my
> command history for a sudo command.
sudo gives you root access for a (configurable) period of time after
you've entered your password. So if you wait a while, or run sudo -k,
you'll have to enter a password again.
- Jeff
--
Ooh, ooh, ooh! http://www.ubuntulinux.org/ Ubuntu!
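
The reply above describes a cached sudo credential that lasts until a timeout expires or `sudo -k` is run. As an added example (not part of the original thread), the shell functions below check whether a credential is currently cached and drop it, for instance from a screen-lock or logout hook. The function names and the SUDO_BIN override are hypothetical; `sudo -n` and `sudo -k` are standard sudo options.

```shell
#!/bin/sh
# Added example, not from the original post.
# SUDO_BIN is a hypothetical override so a stub can stand in for sudo in tests.
SUDO_BIN="${SUDO_BIN:-sudo}"

# Return 0 if sudo would run a command right now without asking for a
# password. -n makes sudo fail instead of prompting, so this never blocks.
sudo_is_cached() {
    "$SUDO_BIN" -n true >/dev/null 2>&1
}

# Invalidate the cached credential, then verify that it is really gone.
# Return codes:
#   0  credential dropped; the next sudo will prompt
#   1  sudo still runs without a prompt after -k, which points to a
#      NOPASSWD rule in sudoers rather than a cached credential
#   2  the sudo -k call itself failed
sudo_drop_cache() {
    "$SUDO_BIN" -k || return 2
    if sudo_is_cached; then
        return 1
    fi
    return 0
}

# Report the current state and clear it, for use before leaving a terminal.
sudo_lockdown() {
    if sudo_is_cached; then
        echo "sudo credential is cached; clearing it"
    else
        echo "no cached sudo credential"
    fi
    sudo_drop_cache
}
```

Source the file and call `sudo_lockdown` before stepping away; a return code of 1 means the password-free access comes from sudoers configuration, which `sudo -k` cannot revoke.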