Bug 167

Summary: Files in /var/run/sudo remain after user has logged out
Product: Sudo
Reporter: Joachim Nilsson <joachim.nilsson>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: enhancement
CC: dirkx
Priority: low
Version: 1.6.8
Hardware: PC
OS: Linux

Description Joachim Nilsson 2005-02-02 05:09:50 MST
Hi!

This is a minor annoyance only.  I feel it's a bit unsafe to not remove the file
/var/run/sudo/$USER after the user has logged out.  Logging in again in a short
enough time frame will allow that user to use sudo again.  

It's a bit outside the scope of the sudo package, but consider a user logging in
to a remote host to sudo a command. The user logged in using insecure telnet
and the password got snooped. The attacker monitors the connection and logs in
posing as the user and could potentially get root access because the $USER file
in /var/run/sudo/ still remained.

There are a lot of flaws to my reasoning above, but I think you get my point.

Maybe a note in the man page could be inserted about this so site admins could
add some cleanup script to each user's .bash_logout or such. Again, probably not
a suitable solution to use .bash_logout but you get my drift by now.

Regards
 /Jocke
Comment 1 Todd C. Miller 2008-11-06 07:45:28 MST
*** Bug 219 has been marked as a duplicate of this bug. ***
Comment 2 Todd C. Miller 2010-06-18 16:22:50 MDT
Beginning with version 1.7.3, sudo can detect when a timestamp file is older than the user's login session on Linux with the devpts filesystem when tty tickets are in use.
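The check described in Comment 2 can be illustrated with a small model: a tty ticket is only honoured if it is younger than the timeout and was written after the current login session started, where the session start is taken from the ctime of the tty device (on devpts the tty's ownership is changed at login, which updates its ctime). The code below is an added illustration written for this page, not sudo's own implementation; the 5-minute timeout is sudo's documented default, and the tty device is stood in for by an ordinary file in a temporary directory so the example runs offline.

```python
import os
import tempfile

# sudo's documented default timestamp_timeout (5 minutes), in seconds.
TIMESTAMP_TIMEOUT = 5 * 60


def timestamp_is_valid(ts_mtime, now, session_start=None, timeout=TIMESTAMP_TIMEOUT):
    """Decide whether a timestamp file should grant a password-free sudo.

    ts_mtime      -- modification time of the timestamp file
    now           -- current time
    session_start -- start of the login session (ctime of the tty), or None
                     when no session information is available
    """
    # Ordinary expiry: the ticket is older than the timeout.
    if now - ts_mtime > timeout:
        return False
    # The fix from Comment 2: a ticket written before the current login
    # session started belongs to an earlier session and must not be reused,
    # even if it is still within the timeout window.
    if session_start is not None and ts_mtime < session_start:
        return False
    return True


def check_tty_ticket(ts_path, tty_path, now):
    """Apply timestamp_is_valid() to a timestamp file and its tty device.

    The tty's st_ctime is used as the session start, modelling the devpts
    behaviour where the tty is chown'ed (and its ctime bumped) at login.
    """
    st_ts = os.stat(ts_path)
    st_tty = os.stat(tty_path)
    return timestamp_is_valid(st_ts.st_mtime, now, st_tty.st_ctime)


def demo_stale_ticket():
    """Build a constructed scenario in a temp dir and return two verdicts.

    First: the timestamp predates the tty's ctime (a login happened after the
    ticket was written), so it must be rejected.  Second: the ticket is
    rewritten after the login, so it is accepted.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tty_path = os.path.join(tmp, "pts0")        # stand-in for /dev/pts/0
        ts_path = os.path.join(tmp, "user-ticket")  # stand-in for /var/run/sudo/$USER/pts0
        open(tty_path, "w").close()
        open(ts_path, "w").close()
        login_time = os.stat(tty_path).st_ctime

        # Ticket written 60 s before the (new) login: stale from a prior session.
        os.utime(ts_path, (login_time - 60, login_time - 60))
        stale_verdict = check_tty_ticket(ts_path, tty_path, now=login_time + 2)

        # Ticket refreshed 1 s after the login: belongs to this session.
        os.utime(ts_path, (login_time + 1, login_time + 1))
        fresh_verdict = check_tty_ticket(ts_path, tty_path, now=login_time + 2)

    return stale_verdict, fresh_verdict


if __name__ == "__main__":
    print(demo_stale_ticket())
```

Without session information (session_start=None) the function degrades to the plain age check that the original report complains about: a ticket from a previous login is accepted as long as it is within the timeout.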