kdesudo

Thomas Lübking thomas.luebking at web.de
Mon Feb 23 22:22:05 GMT 2009


On Monday 23 February 2009, Alex Merry wrote:
> On Monday 23 February 2009 05:34:26 John Tapsell wrote:
> > A point brought up during the whole .desktop security problem, is
> > kdesudo.  It only prompts for the password once, and then from then on
> > (for next X minutes), doesn't ask for the password again.
> >
> > So a program that wants to become root only has to wait until kdesudo
> > has been run normally, and then can run kdesudo itself, elevating
> > itself to root without the user knowing.
>
> This is a general problem with sudo.  Even if we worked around it in
> kdesudo, an application could still call sudo directly after such an event,
> unless the sudoers file sets the timeout to 0, as Pau mentioned.

Isn't sudo somehow shellwise restricted (i.e. if you e.g. sudo from one bash, 
you cannot sudo from another w/o re-entering the password)?

One could do a semi-UAC thing and at least present a "needs root access -> 
Yes / No" dialog to get user confirmation...

Thomas
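
The sudoers settings this thread touches on (the timeout of 0 mentioned in the quoted reply, and the per-terminal restriction asked about above) can be checked mechanically. The following is an added example, not part of the original message or of kdesudo: a Python sketch that reads the global `Defaults` lines of a sudoers policy for `timestamp_timeout`, `tty_tickets` and `timestamp_type`. The sample policies are constructed, and the 5-minute default is an assumption that varies by build.

```python
import re

ASSUMED_DEFAULT_TIMEOUT = 5.0  # assumption: minutes; the real default depends on the build

# Constructed sample policies, not taken from any real system.
SAMPLE_CACHING = "Defaults env_reset, !tty_tickets\n%admin ALL=(ALL) ALL\n"
SAMPLE_STRICT = "Defaults env_reset\nDefaults timestamp_timeout=0  # always prompt\n"

def audit_sudoers(text):
    """Report credential-caching settings from global Defaults lines.

    Only plain 'Defaults' lines are read; per-user or per-host Defaults
    and #include/#includedir files are not followed in this sketch.
    """
    timeout, scope = ASSUMED_DEFAULT_TIMEOUT, "build default"
    for raw in text.splitlines():
        m = re.match(r"Defaults\s+(.+)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        for item in (s.strip() for s in m.group(1).split(",")):
            t = re.fullmatch(r"timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)", item)
            k = re.fullmatch(r"timestamp_type\s*=\s*(\w+)", item)
            if t:
                timeout = float(t.group(1))
            elif k:
                scope = k.group(1)  # global, ppid, tty or kernel
            elif item in ("tty_tickets", "!tty_tickets"):
                scope = "tty" if item == "tty_tickets" else "global"
    if timeout == 0:
        verdict = "prompt on every invocation"
    elif timeout < 0:
        verdict = "cached credentials do not time out"
    elif scope == "global":
        verdict = "cached %g min, shared by all of the user's sessions" % timeout
    else:
        verdict = "cached %g min, ticket scope: %s" % (timeout, scope)
    return {"timeout": timeout, "scope": scope, "verdict": verdict}

if __name__ == "__main__":
    for name, text in (("caching", SAMPLE_CACHING), ("strict", SAMPLE_STRICT)):
        print(name, audit_sudoers(text))
```

On a real system, `visudo -c` validates the policy syntax, and files pulled in from `/etc/sudoers.d` need the same check.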



More information about the kde-core-devel mailing list