Sudo

Sudo

dfeustel
I don't know whether this is or would be considered as a bug,
or whether it is generally known, but sudo, when successfully
invoked with a password in one shell, becomes active in all
shells of that user for the timed duration.

Dave Feustel
--
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"

Re: Sudo

steven mestdagh
On Sat, Feb 11, 2006 at 09:02:41AM -0500, Dave Feustel wrote:
> I don't know whether this is or would be considered as a bug,
> or whether it is generally known, but sudo, when successfully
> invoked  with a password  in one shell, becomes active in all
> shells of that user for the timed duration.

this is normal. see timestamp_timeout in sudoers(5) if you want it to
always ask for validation.

steven

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

Re: Sudo

Matthew Weigel
In reply to this post by dfeustel
Dave Feustel wrote:
> I don't know whether this is or would be considered as a bug,
> or whether it is generally known,

Take a look at the tty_tickets option of sudoers(5) and the -k and -K
arguments to sudo(1).  Some other operating systems use a default
configuration file that turns it on, which may be why you were surprised.
--
  Matthew Weigel
  hacker
  [hidden email]

Re: Sudo

Otto Moerbeek
In reply to this post by dfeustel
On Sat, 11 Feb 2006, Dave Feustel wrote:

> I don't know whether this is or would be considered as a bug,
> or whether it is generally known, but sudo, when successfully
> invoked  with a password  in one shell, becomes active in all
> shells of that user for the timed duration.

This is pathetic. Why don't you read the docs before posting such a
"discovery"?

        -Otto

Re: Sudo

dfeustel
On Saturday 11 February 2006 10:42, Otto Moerbeek wrote:

>
> On Sat, 11 Feb 2006, Dave Feustel wrote:
>
> > I don't know whether this is or would be considered as a bug,
> > or whether it is generally known, but sudo, when successfully
> > invoked  with a password  in one shell, becomes active in all
> > shells of that user for the timed duration.
>
> This is pathetic. Why don't you read the docs before posting such a
> "discovery"?
>
> -Otto

Which docs?

--
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"

Re: Sudo

Tony Aberenthy
man sudo for starters.
(actually that's quite enough even for a noob like me)
(even a very out of date linux is enough)
sheesh

> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]]On Behalf Of
> Dave Feustel
> Sent: Saturday, February 11, 2006 9:50 AM
> To: Otto Moerbeek
> Cc: [hidden email]
> Subject: Re: Sudo
>
>
> On Saturday 11 February 2006 10:42, Otto Moerbeek wrote:
> >
> > On Sat, 11 Feb 2006, Dave Feustel wrote:
> >
> > > I don't know whether this is or would be considered as a bug,
> > > or whether it is generally known, but sudo, when successfully
> > > invoked  with a password  in one shell, becomes active in all
> > > shells of that user for the timed duration.
> >
> > This is pathetic. Why don't you read the docs before posting such a
> > "discovery"?
> >
> > -Otto
>
> Which docs?
>
> --
> Lose, v., experience a loss, get rid of, "lose the weight"
> Loose, adj., not tight, let go, free, "loose clothing"

Re: Sudo

Martin Schröder
In reply to this post by dfeustel
On 2006-02-11 10:49:54 -0500, Dave Feustel wrote:
> On Saturday 11 February 2006 10:42, Otto Moerbeek wrote:
> > This is pathetic. Why don't you read the docs before posting such a
> > "discovery"?
> Which docs?

Normal OBSD users start with man afterboot. You should try it
too. Hint: It points to docs on sudo.

HTH. HAND
    Martin
--
                    http://www.tm.oneiros.de

Re: Sudo

dfeustel
In reply to this post by Tony Aberenthy
On Saturday 11 February 2006 11:04, [hidden email] wrote:
> man sudo for starters.
> (actually that's quite enough even for a noob like me)
> (even a very out of date linux is enough)
> sheesh

Actually --with-tickets is not mentioned in sudo.
(I was sent '--with-tickets' info off-list by a helpful person.)
I found out via a google search on 'tickets sudo' about
the behavior I had discovered and reported. Then after Otto
let me know how pathetic my post was, I went back to man sudo
but found nothing about tickets or about sudo being active in
all shells. There may be something in the sudo man page that
describes this behavior, but I haven't spotted it yet.
My reading skills must be deteriorating.


--
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"

Re: Sudo

Tony Aberenthy
You sudo something, it asks for your password
You do it again soon after, it doesn't ask.
So somehow it remembers you.
Definitely more trouble, and probably opens some holes
for nasties, if it also remembers which version of you.
That's without knowing enough to have an opinion.

> -----Original Message-----
> From: Dave Feustel [mailto:[hidden email]]
> Sent: Saturday, February 11, 2006 10:58 AM
> To: [hidden email]
> Cc: Otto Moerbeek; [hidden email]
> Subject: Re: Sudo
>
>
> On Saturday 11 February 2006 11:04, [hidden email] wrote:
> > man sudo for starters.
> > (actually that's quite enough even for a noob like me)
> > (even a very out of date linux is enough)
> > sheesh
>
> Actually --with-tickets is not mentioned in sudo.
> (I was sent '--with-tickets' info off-list by a helpful person.)
> I found out via a google search on 'tickets sudo' about
> the behavior I had discovered and reported. Then after Otto
> let me know how pathetic my post was,  I went back to man sudo
> but found nothing about tickets or about sudo being active in
> all shells. There may be something in the sudo man page that
> describes this behavior, but I haven't spotted it yet.
> My reading skills must be deteriorating.
>
>
> --
> Lose, v., experience a loss, get rid of, "lose the weight"
> Loose, adj., not tight, let go, free, "loose clothing"

Re: Sudo

Tobias Weingartner-2
In reply to this post by dfeustel
On Saturday, February 11, Dave Feustel wrote:
>
> I found out via a google search on 'tickets sudo' about
> the behavior I had discovered and reported. Then after Otto
> let me know how pathetic my post was,  I went back to man sudo
> but found nothing about tickets or about sudo being active in
> all shells. There may be something in the sudo man page that
> describes this behavior, but I haven't spotted it yet.
> My reading skills must be deteriorating.

From the first paragraph under DESCRIPTION:

  Once a user has been authenticated, a timestamp is updated and the
  user may then use sudo without a password for a short period of time
  (5 minutes unless overridden in sudoers).

Note, it says "user", not "shell the user is using".

--Toby.

Re: Sudo

Otto Moerbeek
In reply to this post by dfeustel
On Sat, 11 Feb 2006, Dave Feustel wrote:

> On Saturday 11 February 2006 11:04, [hidden email] wrote:
> > man sudo for starters.
> > (actually that's quite enough even for a noob like me)
> > (even a very out of date linux is enough)
> > sheesh
>
> Actually --with-tickets is not mentioned in sudo.
> (I was sent '--with-tickets' info off-list by a helpful person.)
> I found out via a google search on 'tickets sudo' about
> the behavior I had discovered and reported. Then after Otto
> let me know how pathetic my post was,  I went back to man sudo
> but found nothing about tickets or about sudo being active in
> all shells. There may be something in the sudo man page that
> describes this behavior, but I haven't spotted it yet.
> My reading skills must be deteriorating.

Why do you think cross references to other manual pages exist in
almost all man pages?

        -Otto

Re: Sudo

Martin Schröder
In reply to this post by dfeustel
On 2006-02-11 11:58:29 -0500, Dave Feustel wrote:
> all shells. There may be something in the sudo man page that
> describes this behavior, but I haven't spotted it yet.

SEE ALSO
       grep(1), su(1), stat(2), login_cap(3), sudoers(5),
       passwd(5), visudo(8)

> My reading skills must be deteriorating.

Try http://www.catb.org/~esr/faqs/smart-questions.html

HTH. HAND
    Martin
--
                    http://www.tm.oneiros.de

Re: Sudo

dfeustel
In reply to this post by dfeustel
On Saturday 11 February 2006 12:17, Steve Tornio wrote:
> man sudoers

Thanks to all who replied.
I will try hard to be more thorough in the future.

Dave
--
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"

Re: Sudo

Tony Aberenthy
In reply to this post by Tobias Weingartner-2
Tobias Weingartner wrote:

>
> On Saturday, February 11, Dave Feustel wrote:
> >
> > I found out via a google search on 'tickets sudo' about
> > the behavior I had discovered and reported. Then after Otto
> > let me know how pathetic my post was,  I went back to man sudo
> > but found nothing about tickets or about sudo being active in
> > all shells. There may be something in the sudo man page that
> > describes this behavior, but I haven't spotted it yet.
> > My reading skills must be deteriorating.
>
> From the first paragraph under DESCRIPTION:
>
>   Once a user has been authenticated, a timestamp is updated and the
>   user may then use sudo without a password for a short period of time
>   (5 minutes unless overridden in sudoers).
>
> Note, it says "user", not "shell the user is using".
>
> --Toby.

I'm outa my depth here, but seems that any implementation
of something like sudo that belongs to the shell
is an open invitation to security disasters.

Re: Sudo

NetNeanderthal
On 2/11/06, [hidden email] <[hidden email]> wrote:
> Tobias Weingartner wrote:
>
> I'm outa my depth here, but seems that any implementation
> of something like sudo that belongs to the shell
> is an open invitation to security disasters.

It takes a deliberate act to enable sudo for users in a default
install; as such, this poses a security threat only to the
[un|mis]informed.

If you feel the default 300 second timeout is too long, or is
generally unacceptable, you might consider the following in your
/etc/sudoers file:

# Defaults specification
Defaults  timestamp_timeout = 0

This policy will affect sudo users system-wide.  You should use
/usr/sbin/visudo to edit /etc/sudoers until you have a solid working
knowledge of its syntax.
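As an added example that is not taken from any post in this thread, the following sudoers(5) fragment places the weak credential-cache settings beside the corrected ones. It combines the timestamp_timeout setting from the reply above with the tty_tickets option and the sudo -k / -K flags that Matthew Weigel's reply points at. The user name "dave" is a placeholder, and the 2-minute value in the second hardened variant is an arbitrary choice, not something the thread recommends.

```sudoers
# Added example, not from any post in this thread: a sudoers(5) fragment
# that places the weak credential-cache settings beside the corrected ones.
# Edit the real file only with visudo(8); the user name "dave" is a
# placeholder.

# WEAK: a negative timeout means the cached credential never expires, so
# one password entry unlocks sudo in every shell of that user until the
# user runs "sudo -k" or "sudo -K" (or the timestamp is removed).
#Defaults timestamp_timeout=-1

# DEFAULT (what the original poster ran into): one timestamp per user,
# valid for 5 minutes and shared by all of that user's shells.
#Defaults timestamp_timeout=5

# HARDENED, option 1: ask for the password on every invocation.
Defaults timestamp_timeout=0

# HARDENED, option 2 (use instead of option 1 if a short cache is wanted):
# key the timestamp on the tty, so a password typed in one terminal does
# not unlock sudo in another, and shorten the window (2 minutes here is an
# arbitrary example value).
#Defaults tty_tickets
#Defaults timestamp_timeout=2

# Scoped override: settings after "Defaults:<user>" apply to that user
# only, so a shared machine can keep the global cache while one account is
# always prompted.
#Defaults:dave timestamp_timeout=0

# A minimal user specification so the fragment parses on its own.
dave ALL=(ALL) ALL
```

`visudo -c -f /path/to/fragment` checks a file's syntax without installing it. A `Defaults` line with no scope prefix applies to every sudo user on the system, as the reply above notes; `Defaults:user`, `Defaults@host` and the other scoped forms in sudoers(5) narrow it. To drop an already cached credential before the window closes, `sudo -k` expires the caller's timestamp and `sudo -K` removes it entirely, which are the sudo(1) flags Matthew Weigel's reply mentions.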