Bug 214 - Sudo caches credentials after unauthorized use
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.8
Hardware: PC Linux
Importance: normal normal
Assigned To: Todd C. Miller
Depends on:
Blocks:
Reported: 2006-05-15 10:35 MDT by Jonathan Brandmeyer
Modified: 2007-07-20 07:38 MDT

See Also:


Attachments
Description Jonathan Brandmeyer 2006-05-15 10:35:01 MDT
Consider user Jon who is not in the sudoers file.
- Jon attempts to run a command under sudo.  He supplies his correct password. Since he is not in the sudoers file, "this incident will be reported".
- In a short time, root adds Jon to /etc/sudoers.
- Jon runs sudo again, but sudo does not ask for his credentials this time (because the cache timeout has not expired since the last time).

Why does sudo cache the "valid" credentials of a non-authorized user in this
case?  I don't think that this could be exploited as a security bug, but it
still feels wrong.

Additional note: current version is 1.6.8p7 (Debian Sarge version 1.6.8p7-1.4)
Comment 1 Todd C. Miller 2007-07-06 10:24:31 MDT
Sudo tests user authentication and sudoers permissions separately.  This is not a security issue, though I can see how it might be surprising.
Comment 2 Todd C. Miller 2007-07-20 07:38:00 MDT
Fixed in 1.6.9
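The ordering described in the report and in Comment 1, replayed as an added model (this is not sudo's own code): a per-user timestamp cache that is either stamped as soon as the password is correct, before the sudoers check, or stamped only once the policy check has allowed the command. The user name, password and timeout value are constructed assumptions.

```python
# Model of the credential-cache ordering behind this bug. Constructed example;
# the user, password and timeout are assumptions, not sudo's code or data.

TIMEOUT = 5 * 60  # seconds; sudo's default timestamp_timeout is 5 minutes


class SudoModel:
    def __init__(self, passwords, sudoers, stamp_before_policy):
        self.passwords = dict(passwords)          # user -> password (constructed)
        self.sudoers = set(sudoers)               # users permitted by policy
        self.stamp_before_policy = stamp_before_policy
        self.timestamps = {}                      # user -> time of last stamp
        self.log = []

    def _cached(self, user, now):
        last = self.timestamps.get(user)
        return last is not None and now - last < TIMEOUT

    def run(self, user, password, now):
        """Return (allowed, prompted) for one sudo invocation at time `now`."""
        prompted = not self._cached(user, now)
        if prompted:
            if password != self.passwords.get(user):
                self.log.append(f"{user}: incorrect password")
                return False, prompted
            if self.stamp_before_policy:
                self.timestamps[user] = now       # reported behaviour: cached before policy
        if user not in self.sudoers:
            self.log.append(f"{user}: not in sudoers; incident reported")
            return False, prompted
        if not self.stamp_before_policy:
            self.timestamps[user] = now           # corrected ordering: stamp only when allowed
        return True, prompted


def scenario(stamp_before_policy):
    """Replay the report: Jon is denied, root adds him, Jon runs sudo again."""
    m = SudoModel({"jon": "hunter2"}, sudoers=[], stamp_before_policy=stamp_before_policy)
    first = m.run("jon", "hunter2", now=0)        # denied, asked for password
    m.sudoers.add("jon")                          # root edits /etc/sudoers
    second = m.run("jon", "hunter2", now=60)      # well within the cache timeout
    return first, second


if __name__ == "__main__":
    print("stamp before policy:", scenario(True))   # ((False, True), (True, False))
    print("stamp after policy:", scenario(False))   # ((False, True), (True, True))
```

With the stamp taken before the policy check, the second run is allowed without a prompt, which is exactly what the report describes; with the stamp taken only after the policy allows the command, the second run prompts again.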