Bug#429549: installation-report: option 'timestamp_timeout' in sudo config
On Sun, 2014-03-02 at 16:44 +0100, Cyril Brulebois wrote:
> Colin Watson <cjwatson@debian.org> (2007-06-18):
> > On Mon, Jun 18, 2007 at 10:31:39PM +0400, Dmitry E. Oboukhov wrote:
> > > Current installer have 2 options:
> > > 1.set root password
> > > 2.don't set root password
> > > In case 2. the configuration file sudo created with the next settings
> > >
> > > user ALL=(ALL) ALL
> > >
> > > I suggest to add an option:
> > >
> > > timestamp_timeout 0
> > >
> > > This option will prevent getting root rights by malefactor who was
> > > succeed in getting shell on user account (for example through
> > > possible holes in brouser etc.)
> > >
> > > In current case a simple script that periodically runs 'sudo
> > > command' or more complicated script that follows for logs activity
> > > /var/log/auth and runs on this log activity 'sudo command' can get
> > > full control on a system where sudo configured by installer.
> >
> > I don't think it's that simple. We tried that in Ubuntu three years
> > ago, and the net effect was that everyone got fed up of being prompted
> > for their password all the time and just ran 'sudo -s' to get a root
> > shell. We concluded that this was not a security win once we'd
> > thought about it in more detail, and reverted it.
>
> Based on Colin's feedback, I don't think we want to add this option, so
> closing this bug report.
Also, doesn't modern sudo tie the password cache to the current (p|t)ty,
in other words you can't run an attack loop in one session and hope to
use the password cached from another.
Ian.
Reply to: