Bug 201 - Make sudo more secure when used from an X front-end
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.8
Hardware: All All
Importance: high security
Assigned To: Todd C. Miller
Reported: 2005-11-20 04:20 MST by Samuel Lidén Borell
Modified: 2009-03-12 10:20 MDT
Description Samuel Lidén Borell 2005-11-20 04:20:19 MST
Is it possible to add a command line option that makes sudo not update the
timestamp?

Sometimes I use gksu (an X front-end to sudo). Because every program on the X
session runs on the same TTY (unless they are started from an X terminal), this
means that all X programs will have sudo-->root permission. If this command-line
option is added, and the X front-ends used it, these front-ends would be a lot
more secure (but the user has to re-enter his password every time, though).
Comment 1 Michael Grubb 2006-05-31 14:30:25 MDT
Try looking in the sudoers manpage for the timestamp_timeout default.
And remember that you can set defaults for individual hosts, users, and runas users.
Comment 2 Samuel Lidén Borell 2006-06-05 08:34:30 MDT
No, that won't help. What I want to do is to avoid situations where the sudo
session is not bound to a specific TTY (TTY tickets are enabled). This happens
when a user uses an X front-end to sudo, for instance.

I think there are two possible solutions.
1. Add a command line option that makes sudo not touch the timestamp file. Then
make the X front-ends use this option.
2. Or add a secure_tty_tickets option that behaves as tty_tickets but doesn't
update the timestamps when there's no TTY.

I've changed the summary of the bug to reflect that there might be multiple
solutions to this problem.
Comment 3 John Tapsell 2009-02-23 06:39:02 MST
This is important to fix please.  KDE is now looking for a way to prevent sudo from remembering the credentials.

It is currently trivial for a program to just wait until kdesudo is run, and then simply run kdesudo itself, gaining root privileges without the user even knowing.

Comment 4 Todd C. Miller 2009-02-23 08:01:02 MST
How about if I overload the -k flag such that "sudo -k command" ignores the timestamp completely?  This would mean that sudo will always prompt for a password.
Comment 5 John Tapsell 2009-02-23 08:22:14 MST
Sounds good :)
Comment 6 Todd C. Miller 2009-03-12 10:13:09 MDT
In sudo 1.7.1 the -k flag may be specified along with a command to ignore the timestamp file.  A beta version of sudo 1.7.1 may be downloaded from http://www.sudo.ws/devel.html
Comment 7 John Tapsell 2009-03-12 10:20:24 MDT
Can I confirm that "-k" does two things:

1) Ignores the timestamp when looking to run the command, instead always prompting the user

2) Does not update the timestamp

Also, any ideas how to use this flag from a KDE app?  I guess it will have to do "sudo -V", parse the version number, then if it's greater than 1.7.1 it passes the -k flag?

Or maybe it could try passing -k, then rerun without -k if that returns an error code.
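
Added example (not part of the bug thread, and not code from sudo or KDE): the version check proposed in Comment 7, written as a shell helper a front-end could call before adding -k. It treats 1.7.1 itself as supported, following Comment 6, and assumes the first line of `sudo -V` reads "Sudo version X.Y.Z"; the function names and the sample banners are constructed for illustration.

```sh
#!/bin/sh
# Decide whether "sudo -k command" (ignore the timestamp file) is available.
# Real use: sudo_supports_k_with_command "$(sudo -V | head -n 1)"

# sudo_version_from_banner LINE -> prints "MAJOR MINOR PATCH", fails if unparseable.
# Suffixes after the dotted numbers (patch level "p12", beta "b2") are dropped,
# so a 1.7.1 beta counts as 1.7.1.
sudo_version_from_banner() {
    v=$(printf '%s\n' "$1" | sed -n \
        's/^Sudo version \([0-9][0-9]*\)\.\([0-9][0-9]*\)\(\.\([0-9][0-9]*\)\)\{0,1\}.*$/\1 \2 \4/p')
    [ -n "$v" ] || return 1
    set -- $v                      # split into fields; patch may be missing
    printf '%s %s %s\n' "$1" "$2" "${3:-0}"
}

# sudo_supports_k_with_command LINE
#   returns 0 if version >= 1.7.1, 1 if older, 2 if the banner is not recognised.
sudo_supports_k_with_command() {
    parsed=$(sudo_version_from_banner "$1") || return 2
    set -- $parsed
    # Compare field by field; [ ] compares as decimal, so "08" is not read as octal.
    [ "$1" -gt 1 ] && return 0
    [ "$1" -lt 1 ] && return 1
    [ "$2" -gt 7 ] && return 0
    [ "$2" -lt 7 ] && return 1
    [ "$3" -ge 1 ]
}

# Demo on constructed banners (not captured output).
for banner in "Sudo version 1.6.8p12" "Sudo version 1.7.1" "Sudo version 1.8.31p2"; do
    if sudo_supports_k_with_command "$banner"; then
        echo "$banner: pass -k with the command"
    else
        # Without -k the ticket is cached; the front-end can warn or refuse here.
        echo "$banner: -k with a command not available"
    fi
done
```

A return value of 2 lets the caller treat an unrecognised banner separately from a known-old version instead of silently running without -k.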