Bug 201

Summary: Make sudo more secure when used from an X front-end
Product: Sudo Reporter: Samuel Lidén Borell <samuel>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: security CC: johnflux
Priority: high    
Version: 1.6.8   
Hardware: All   
OS: All   

Description Samuel Lidén Borell 2005-11-20 04:20:19 MST 
Is it possible to add a command line option that makes sudo not update the
timestamp?

Sometimes I use gksu (an X front-end to sudo). Because every program on the X
session runs on the same TTY (unless they are started from an X terminal), this
means that all X programs will have sudo-->root permission. If this command-line
option is added, and the X front-ends used it, these front-ends would be a lot
more secure (but the user has to re-enter his password every time, though).
Comment 1 Michael Grubb 2006-05-31 14:30:25 MDT 
Try looking in the sudoers manpage for the timestamp_timeout default.
And remember that you can set defaults for individual hosts, users, and runas users.
Comment 2 Samuel Lidén Borell 2006-06-05 08:34:30 MDT 
No that won't help. What I want to do is to avoid situations where the sudo
session is not bound to a specific TTY (TTY tickets are enabled). This happens
when a user uses a X front-end to sudo, for instance.

I think there are two possible solutions.
1. Add a command line option that makes sudo not touch the timestamp file. Then
make the X front-ends use this option.
2. Or add a secure_tty_tickets option that behave as tty_tickets but doesn't
update the timestamps when there's no TTY.

I've changed the summary of the bug to reflect that there might be multiple
solutions to this problem.
Comment 3 John Tapsell 2009-02-23 06:39:02 MST 
This is important to fix please.  KDE is now looking for a way to prevent sudo from remembering the credentials.

It is currently trivial for a program to just wait until kdesudo is run, and then simply run kdesudo itself, gaining root privillages without the user even knowing.
Comment 4 Todd C. Miller 2009-02-23 08:01:02 MST 
How about if I overload the -k flag such that "sudo -k command" ignores the timestamp completely?  This would mean that sudo will always prompt for a password.
Comment 5 John Tapsell 2009-02-23 08:22:14 MST 
Sounds good :)
Comment 6 Todd C. Miller 2009-03-12 10:13:09 MDT 
In sudo 1.7.1 the -k flag may be specified along with a command to ignore the timestamp file.  A beta version of sudo 1.7.1 may be downloaded from http://www.sudo.ws/devel.html
Comment 7 John Tapsell 2009-03-12 10:20:24 MDT 
Can I confirm that "-k" does two things:

1) Ignores the timestamp when looking to run the command, instead always prompting the user

2) Does not update the timestamp



Also, any ideas how to use this flag from a KDE app?  I guess it will have to do "sudo -V", parse the version number, then if it's greater than 1.7.1 it passes the -k flag?

Or maybe it could try passing -k, then rerun without -k if that returns an error code.