
Thread: can programs run sudo ... without password within sudo's 15 minutes?

  1. #1

    can programs run sudo ... without password within sudo's 15 minutes?

    Hello.
    One program can run another program.
    So can a program like Firefox run something like "sudo chmod ..." and get root's permissions within the 15-minute window after I have entered the password for "sudo something ..." or "gksudo something ..."?
    I ask this after Re: Share your AppArmor Profiles:
    Why has Firefox asked for these?:
    ...
    /home/*/.sudo_as_admin_successful
    ?
    And what is, by the way, the ".sudo_as_admin_successful" file in the user's home directory?

    21st January 12:01 GMT: and I wrote this after http://ubuntuforums.org/showthread.php?t=1044495 .
    Last edited by q.dinar; January 21st, 2009 at 01:02 PM.

  2. #2
    Join Date
    Sep 2007
    Location
    Cambridge, MA
    Beans
    635

    Re: can programs run sudo ... without password within sudo's 15 minutes?

    You want to check out what a setuid program is about.

    And then be very careful when writing it.

  3. #3
    Join Date
    Jan 2008
    Location
    the space between spaces.
    Beans
    1,654

    Re: can programs run sudo ... without password within sudo's 15 minutes?

    I am not following... what is your exact question?
    "If a cluttered desk signs a cluttered mind, Of what, then, is an empty desk a sign?" -Albert Einstein.

  4. #4
    Join Date
    Jul 2006
    Location
    Hertfordshire
    Beans
    454
    Distro
    Kubuntu 9.04 Jaunty Jackalope

    Re: can programs run sudo ... without password within sudo's 15 minutes?

    Quote Originally Posted by q.dinar View Post
    can a program like firefox run something like "sudo chmod ..." and get root's permissions within 15 minutes time after i entered password for "sudo something ..." or "gksudo something ..."?
    Try it for yourself: open two bash terminals and type "sudo top" into each one. You'll be asked for your password each time. The sudo session timestamp only applies to the pts session you are running in. Two programs running in the same pts session can re-use the timestamp, however.

    If you are concerned about the security of this behaviour, you can reduce the length of a timestamp in your sudoers file, or manually clear the timestamp after each use using "sudo -k". However, generally the sudo timestamp is not vulnerable in this way.

    Quote Originally Posted by q.dinar View Post
    what is, by the way, ".sudo_as_admin_successful" file in user's home directory?
    .sudo_as_admin_successful is a flag that sudo uses to check if you have successfully authenticated in the past. If you delete it, the first-time help will appear when you next use sudo. This applies to each user on the system, which is why it is a hidden file in your /home.

  5. #5
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: can programs run sudo ... without password within sudo's 15 minutes?

    Quote Originally Posted by SeanHodges View Post
    Try it for yourself, open 2 bash terminals and type "sudo top" into each one. You'll be asked for your password each time. The sudo session timestamp only applies to the pts session you are running in. 2 programs running in the same pts session can re-use the timestamp, however.
    A program can start a new pty which has a valid timestamp, or even kill your shell running on a pty to take it over.

    EDIT: I posted a proof-of-concept script I wrote, but it was removed by an admin in another thread, so I probably shouldn't post it anymore
    Quote Originally Posted by SeanHodges View Post
    If you are concerned about the security of this behaviour, you can reduce the length of a timestamp in your sudoers file, or manually clear the timestamp after each use using "sudo -k". However, generally the sudo timestamp is not vulnerable in this way.
    I never heard of timestamps being re-used this way with malicious intent, but I think it is a legitimate privilege escalation concern. I would suggest setting "timestamp_timeout" to "0" in the sudoers file to disable the use of timestamps.
    Last edited by cdenley; January 29th, 2009 at 06:19 PM. Reason: removed script

  6. #6

    Re: can programs run sudo ... without password within sudo's 15 minutes?

    In my /etc/sudoers file there are only two non-comment lines:
    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL

    Can I just append a "timestamp_timeout=0" line? I have read man sudoers but it is still hard for me, and I have read man visudo, which says visudo makes it safer, but I think I can also simply edit it with gedit in my case. There is another command with gedit in http://ubuntuforums.org/showthread.php?t=716201 : export EDITOR=gedit && sudo visudo .

    Also, I wrote this topic's first post after http://ubuntuforums.org/showthread.php?t=1044495 , which is about a blocked topic about root logon.
    Last edited by q.dinar; January 21st, 2009 at 01:43 PM.

  7. #7
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: can programs run sudo ... without password within sudo's 15 minutes?

    You should have a line like this in sudoers:
    Code:
    Defaults env_reset
    If you don't, add it. Change that line to:
    Code:
    Defaults env_reset,timestamp_timeout=0
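    As an added example (not code from the thread or from sudo itself), here is a small Python checker that parses sudoers text the way the file in post #6 looks, reports the effective global timestamp_timeout, and gives a verdict for the file before and after the change suggested above; the sample sudoers text and all function names are constructed for this illustration.

```python
import re

DEFAULT_TIMEOUT = 15.0  # sudo's compiled-in default, in minutes

# Constructed sample matching the sudoers shown in post #6, before and after
# the change suggested in post #7.
SUDOERS_BEFORE = "Defaults env_reset\nroot ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\n"
SUDOERS_AFTER = SUDOERS_BEFORE.replace(
    "Defaults env_reset", "Defaults env_reset,timestamp_timeout=0")

# Unscoped 'Defaults' only; Defaults:user / @host / !cmd / >runas are scoped
# and apply only in that context, so they are skipped here.
_DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@!>]\S*)?\s+(?P<body>.+)$")

def parse_global_defaults(text):
    """Return {option: value}: True for a flag, False for '!flag', else str."""
    opts = {}
    text = text.replace("\\\n", " ")           # join backslash continuations
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments (and #include*)
        m = _DEFAULTS_RE.match(line)
        if not m or m.group("scope"):
            continue
        for item in m.group("body").split(","):
            item = item.strip()
            if not item:
                continue
            if "=" in item:
                key, val = item.split("=", 1)
                opts[key.strip()] = val.strip().strip('"')   # later lines win
            elif item.startswith("!"):
                opts[item[1:]] = False
            else:
                opts[item] = True
    return opts

def timestamp_timeout(text):
    """Effective global timestamp_timeout in minutes (15 if never set)."""
    val = parse_global_defaults(text).get("timestamp_timeout")
    return DEFAULT_TIMEOUT if val is None else float(val)

def caching_verdict(text):
    """One-line statement of the cached-credential window for this sudoers."""
    minutes = timestamp_timeout(text)
    if minutes == 0:
        return "every sudo run prompts; no cached credential to reuse"
    if minutes < 0:
        return "cached credential never expires until 'sudo -k'"
    return "cached credential reusable for %g minutes in that session" % minutes
```

    To check a real system, feed it the output of "sudo cat /etc/sudoers"; per-user and per-host Defaults lines are deliberately skipped and would need to be judged for the user in question.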

  8. #8

    Re: can programs run sudo ... without password within sudo's 15 minutes?

    If you don't, add it. Change that line to: ...
    Thanks, I will also read about that in "man sudoers". >14:49 GMT: yes, that line is there; probably I had not noticed/seen it.<
    The sudo session timestamp only applies to the pts session you are running in. 2 programs running in the same pts session can re-use the timestamp, however.
    Does that apply to gksudo? What about a graphical session? If I open gksudo nautilus and then Firefox (which can be quite untrustworthy, because it is connecting to the internet and can have many addons, with >22nd Jan. 06:27 GMT: unverified ones not from the official Mozilla addon site< and closed-source ones among them), can it use that 15-minute gksudo time?
    Last edited by q.dinar; January 22nd, 2009 at 07:28 AM.

  9. #9
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: can programs run sudo ... without password within sudo's 15 minutes?

    Quote Originally Posted by q.dinar View Post
    Does that apply to gksudo? What about a graphical session? If I open gksudo nautilus and then Firefox (which can be quite untrustworthy, because it is connecting to the internet and can have many addons, with unverified and closed-source ones among them), can it use that 15-minute gksudo time?
    Launching gksudo from the "System" menu will create a timestamp for the PTS "unknown", which can be used by other gksudo sessions started the same way. If you run gksudo from the terminal, it will use the pts from that terminal.

  10. #10
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: can programs run sudo ... without password within sudo's 15 minutes?

