Your message dated Sun, 2 Mar 2014 16:44:36 +0100 with message-id <20140302154436.GA18308@mraw.org> and subject line Re: Bug#429549: installation-report: option 'timestamp_timeout' in sudo config has caused the Debian Bug report #429549, regarding installation-report: option 'timestamp_timeout' in sudo config to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 429549: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429549 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: installation-report: option 'timestamp_timeout' in sudo config
- From: "Dmitry E. Oboukhov" <dimka@avanto.org>
- Date: Mon, 18 Jun 2007 22:31:39 +0400
- Message-id: <20070618183139.3114.31351.reportbug@nb.dhome.lan>
Package: installation-reports Version: 2.29 Severity: normal Current installer have 2 options: 1.set root password 2.don't set root password In case 2. the configuration file sudo created with the next settings user ALL=(ALL) ALL I suggest to add an option: timestamp_timeout 0 This option will prevent getting root rights by malefactor who was succeed in getting shell on user account (for example through possible holes in brouser etc.) In current case a simple script that periodically runs 'sudo command' or more complicated script that follows for logs activity /var/log/auth and runs on this log activity 'sudo command' can get full control on a system where sudo configured by installer.
--- End Message ---
--- Begin Message ---
- To: Colin Watson <cjwatson@debian.org>, 429549-done@bugs.debian.org
- Cc: "Dmitry E. Oboukhov" <dimka@avanto.org>
- Subject: Re: Bug#429549: installation-report: option 'timestamp_timeout' in sudo config
- From: Cyril Brulebois <kibi@debian.org>
- Date: Sun, 2 Mar 2014 16:44:36 +0100
- Message-id: <20140302154436.GA18308@mraw.org>
- In-reply-to: <20070618210156.GA3491@riva.ucam.org>
- References: <20070618183139.3114.31351.reportbug@nb.dhome.lan> <20070618210156.GA3491@riva.ucam.org>
Colin Watson <cjwatson@debian.org> (2007-06-18): > On Mon, Jun 18, 2007 at 10:31:39PM +0400, Dmitry E. Oboukhov wrote: > > Current installer have 2 options: > > 1.set root password > > 2.don't set root password > > In case 2. the configuration file sudo created with the next settings > > > > user ALL=(ALL) ALL > > > > I suggest to add an option: > > > > timestamp_timeout 0 > > > > This option will prevent getting root rights by malefactor who was > > succeed in getting shell on user account (for example through > > possible holes in brouser etc.) > > > > In current case a simple script that periodically runs 'sudo > > command' or more complicated script that follows for logs activity > > /var/log/auth and runs on this log activity 'sudo command' can get > > full control on a system where sudo configured by installer. > > I don't think it's that simple. We tried that in Ubuntu three years > ago, and the net effect was that everyone got fed up of being prompted > for their password all the time and just ran 'sudo -s' to get a root > shell. We concluded that this was not a security win once we'd > thought about it in more detail, and reverted it. Based on Colin's feedback, I don't think we want to add this option, so closing this bug report. Mraw, KiBi.Attachment: signature.asc
Description: Digital signature
--- End Message ---