Bug 163

Summary: session handling vulnerability
Product: Sudo
Reporter: Mravik Attila <evik>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID    
Severity: security    
Priority: normal    
Version: 1.6.8   
Hardware: PC   
OS: Linux   

Description Mravik Attila 2004-12-26 09:21:21 MST
Sudo asks for a password for first use and then stores it for a "session". (I think
it's about 5 minutes or so.) I found that this session is bound to user but not
to any terminal. Meaning that if I login at tty1 and use sudo, "unlocking" it
with my password, a malicious user who got a user shell could use sudo without
password.
(Well at least one more security hole is required for gaining a user shell, but
this session handling could elevate the gained privileges to (semi) root
privileges.)
I use Debian Linux 3.1, and tested only on this particular OS.

Comment 1 Todd C. Miller 2004-12-29 20:05:11 MST
Sudo supports per-tty ticket files via the tty_tickets sudoers option; see the sudoers manual for more
info.  Note, however, that unless you explicitly kill the ticket (sudo -k) when you log out, the same user
logging in on the same tty within 5 minutes will not be prompted for a password.
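
A small audit of the settings discussed in this thread, added here as an example (it is not part of the bug report or of sudo): it reads sudoers text and reports whether tickets are per-tty and whether they persist after the command. The function names, the sample file and the assumed compiled-in defaults (tty_tickets off, 5-minute timeout, as described above) are assumptions; only unscoped `Defaults` lines are evaluated.

```python
import re

# Constructed sample sudoers text (not taken from the bug report).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset, \\
         timestamp_timeout=2
Defaults:backup !tty_tickets   # scoped entry, skipped by this check
Defaults tty_tickets
root ALL=(ALL) ALL
"""

def ticket_settings(text, tty_default=False, timeout_default=5.0):
    """Effective global tty_tickets / timestamp_timeout from sudoers text.

    Assumed defaults: tty_tickets off, 5-minute timeout. Only unscoped
    'Defaults' lines are read; later entries override earlier ones.
    """
    settings = {"tty_tickets": tty_default, "timestamp_timeout": timeout_default}
    joined = re.sub(r"\\\n", " ", text)          # join continued lines
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"Defaults\s+(.*)$", line)  # 'Defaults:user' etc. do not match
        if not m:
            continue
        for item in (i.strip() for i in m.group(1).split(",")):
            if item in ("tty_tickets", "!tty_tickets"):
                settings["tty_tickets"] = not item.startswith("!")
            else:
                t = re.fullmatch(r"timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)", item)
                if t:
                    settings["timestamp_timeout"] = float(t.group(1))
    return settings

def findings(settings):
    """Describe the ticket-reuse exposure the thread talks about."""
    out = []
    if not settings["tty_tickets"]:
        out.append("ticket is per user: valid on every terminal of that user")
    if settings["timestamp_timeout"] != 0:
        out.append("ticket outlives the command; 'sudo -k' at logout removes it")
    return out

if __name__ == "__main__":
    s = ticket_settings(SAMPLE_SUDOERS)
    print(s, findings(s))
```
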