kdesudo

John Tapsell johnflux at gmail.com
Thu Apr 30 03:39:42 BST 2009


Hey all,

  Don't suppose I can persuade someone to take up this small task?

  This is a serious security flaw.

  Basically I persuaded the sudo developers to add a  -k  option to
ignore the timestamp.  It now requires someone to modify kdesudo to
use this flag.

  So kdesudo should be doing     sudo -k somecommand   so that we
don't use or update the timestamp.  Doing this will be a little bit
tricky as only recent versions of sudo will support this, so we'd need
to check if the -k version works, and if not fall back to not using
it.

John Tapsell

2009/3/12 John Tapsell <johnflux at gmail.com>:
> 2009/2/24 John Tapsell <johnflux at gmail.com>:
>> 2009/2/23 Parker Coates <parker.coates at gmail.com>:
>>> On Mon, Feb 23, 2009 at 17:22, Thomas Lübking wrote:
>>>> On Monday 23 February 2009, Alex Merry wrote:
>>>>> On Monday 23 February 2009 05:34:26 John Tapsell wrote:
>>>>> > A point brought up during the whole .desktop security problem, is
>>>>> > kdesudo. It only prompts for the password once, and then from then on
>>>>> > (for next X minutes), doesn't ask for the password again.
>>>>> >
>>>>> > So a program that wants to become root only has to wait until kdesudo
>>>>> > has been run normally, and then can run kdesudo itself, elevating
>>>>> > itself to root without the user knowing.
>>>>>
>>>>> This is a general problem with sudo. Even if we worked around it in
>>>>> kdesudo, an application could still call sudo directly after such an
>>>>> event, unless the sudoers file sets the timeout to 0, as Pau mentioned.
>>>>
>>>> isn't sudo somehow shellwise restricted (i.e. if you e.g. sudo from one
>>>> bash, you cannot sudo from another w/o re-entering the password)
>>>
>>> By default yes, but sudo can be configured to save the password across shells.
>>>
>>> Really, I don't think this is KDE's problem. sudo works the way it was
>>> designed to work. KDE shouldn't be trying to adjust that behaviour.
>>> Its security is largely dependent on its configuration, but that's the
>>> distro's or the user's call, not KDE's.
>>>
>>> Parker
>>
>> I have talked to the sudo developers, and they have suggested that
>> they overload the -k option to allow you to specify -k to sudo.  The
>> effect would be to neither read nor update the timeout value.
>>
>> So it seems that future versions of sudo will support this.
>>
>> Trouble is, we would need to detect the version of sudo to know whether
>> to pass -k or not :-/  Or maybe just try with -k and if that fails
>> retry without -k..
>
> Woohoo, this is now in sudo.
>
> From sudo version 1.7.1 there is now a -k  option to ignore the
> timestamp.   (http://www.gratisoft.us/bugzilla/show_bug.cgi?id=201 )
>
> The ball is now in our court to actually take advantage of this flag.
>
> John Tapsell
>
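
The version check discussed in this message (pass -k with the command only when sudo is 1.7.1 or newer, otherwise fall back to plain sudo), as an added example that is not part of the original post and is not kdesudo code. The function names are hypothetical, the banner lines are constructed samples, and it assumes the first line of `sudo -V` has the form "Sudo version X.Y.Z" with an optional suffix such as "p1".

```shell
#!/bin/sh
# Added example, not kdesudo code. Function names are hypothetical.

# Succeeds (exit 0) if the banner reports sudo >= 1.7.1, the first release
# where "-k" combined with a command ignores the cached timestamp.
# $1: first line of `sudo -V`, e.g. "Sudo version 1.7.2p1"
sudo_supports_k_with_command() {
    ver=${1#"Sudo version "}
    [ "$ver" != "$1" ] || return 1     # unrecognised banner: assume no support
    ver=${ver%%[!0-9.]*}               # drop a suffix such as "p1"
    old_ifs=$IFS; IFS=.
    set -- $ver                        # split "1.7.2" into 1 7 2
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; micro=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 7 ] && return 0
    [ "$minor" -lt 7 ] && return 1
    [ "$micro" -ge 1 ]
}

# Print the sudo prefix a graphical front end would put before the command.
# On the fallback path the timestamp cache is still honoured, so a caller
# may want to log that the password prompt can be skipped.
sudo_prefix_for() {
    if sudo_supports_k_with_command "$1"; then
        echo "sudo -k"
    else
        echo "sudo"
    fi
}

# Constructed sample banners (not captured from real systems).
for banner in "Sudo version 1.6.9p17" "Sudo version 1.7.0" \
              "Sudo version 1.7.1" "Sudo version 1.7.2p1"; do
    printf '%-24s -> %s somecommand\n' "$banner" "$(sudo_prefix_for "$banner")"
done
```

On a live system the banner would come from `sudo -V | head -n 1`; an empty or unparsable result takes the fallback path.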




More information about the kde-core-devel mailing list