kdesudo

[Gary Greene]

On Wednesday 29 April 2009 07:39:42 pm John Tapsell wrote:
> Hey all,
>
>   Don't suppose I can persuade someone to take up this small task?
>
>   This a serious security flaw.
>
>   Basically I persuaded the sudo developers to add a  -k  option to
> ignore the timestamp.  It now requires someone to modify kdesudo to
> use this flag.
>
>   So kdesudo should be doing     sudo -k somecommand   so that we
> don't use or update the timestamp.  Doing this will be a little bit
> tricky as only recent version of sudo will support this, so we'd need
> to check if the -k version works, and if not fall back to not using
> it.
>
> John Tapsell
>
> 2009/3/12 John Tapsell <johnflux at gmail.com>:
> > 2009/2/24 John Tapsell <johnflux at gmail.com>:
> >> 2009/2/23 Parker Coates <parker.coates at gmail.com>:
> >>> On Mon, Feb 23, 2009 at 17:22, Thomas Lübking wrote:
> >>>> Am Monday 23 February 2009 schrieb Alex Merry:
> >>>>> On Monday 23 February 2009 05:34:26 John Tapsell wrote:
> >>>>> > A point brought up during the whole .desktop security problem, is
> >>>>> > kdesudo. It only prompts for the password once, and then from then
> >>>>> > on (for next X minutes), doesn't ask for the password again.
> >>>>> >
> >>>>> > So a program that wants to become root only has to wait until
> >>>>> > kdesudo has been run normally, and then can run kdesudo itself,
> >>>>> > elevating itself to root without the user knowing.
> >>>>>
> >>>>> This is a general problem with sudo. Even if we worked around it in
> >>>>> kdesudo, an application could still call sudo directly after such an
> >>>>> event,
> >>>>> unless the sudoers file sets the timeout to 0, as Pau mentioned.
> >>>>
> >>>> isn't sudo somehow shellwise restricted (i.e. if you e.g. sudo from
> >>>> one bash, you cannot sudo from another w/o re-entering the password)
> >>>
> >>> By default yes, but sudo can be configured to save the password across
> >>> shells.
> >>>
> >>> Really, I don't think this is KDE's problem. sudo works the way it was
> >>> designed to work. KDE shouldn't be trying to adjust that behaviour.
> >>> Its security is largely dependent on its configuration, but that's the
> >>> distro's or the user's call, not KDE's.
> >>>
> >>> Parker
> >>
> >> I have talked to the sudo developers, and they have suggested that
> >> they overload the -k option to allow you to specify -k to sudo. Â The
> >> effect would be to neither read nor update the timeout value.
> >>
> >> So it seems that future version of sudo will support this.
> >>
> >> Trouble is, we would need to detect the version sudo to know whether
> >> to pass -k or not :-/ Â Or maybe just try with -k and if that fails
> >> retry without -k..
> >
> > Woohoo, this is now in sudo.
> >
> > From sudo version 1.7.1 there is now a -k  option to ignore the
> > timestamp. Â  (http://www.gratisoft.us/bugzilla/show_bug.cgi?id=201 )
> >
> > The ball is now in our court to actually take advantage of this flag.
> >
> > John Tapsell

My recommendation to anyone who does do this, _please make this configurable_. 
I personally dislike having the dialog pop up every time for 
re-authentication, since I'm not a n00b and am used to sudo's normal timeout 
behaviour.

-- 
Gary L. Greene, Jr.
Sent from: peorth
 00:24:11 up 88 days, 11:38, 10 users,  load average: 0.92, 0.90, 0.79
==========================================================================
Developer and Project Lead for the AltimatOS open source project
Volunteer Developer for the KDE open source project
See http://www.altimatos.com/ and http://www.kde.org/ for more information
==========================================================================

Please avoid sending me Word or PowerPoint attachments.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20090430/83bd41af/attachment.sig>