Security Concerns with sudo (from PC Mag)

Colin Watson cjwatson at ubuntu.com
Thu Apr 21 22:42:52 UTC 2005


On Thu, Apr 21, 2005 at 11:31:02AM -0400, John DeCarlo wrote:
> I received this last week or so.
> 
> Basically it says to not let your system remember the password for 5
> minutes (default with Ubuntu), so no nasty programs use sudo to mess
> up your system.
> 
> Obviously there is a compromise between security and convenience here.
> 
> Is there any official position from Ubuntu folks on this issue?

We tried this briefly ages back, and reverted. The problem we found in
practice with disabling the timeout was that it became so annoying that
people tended to open a root terminal instead, which defeated the whole
purpose.

Convenience is not always directly opposed to security: sometimes, if
you make things inconvenient enough, users will simply choose to work
around your security measures, and then you lose on both fronts.

Cheers,

-- 
Colin Watson                                       [cjwatson at ubuntu.com]

More information about the ubuntu-users mailing list