[arch-general] Tired of being asked for a password for "su"? Arch has the solution

Ray Kohler ataraxia937 at gmail.com
Wed Mar 3 09:19:17 EST 2010


On Wed, Mar 3, 2010 at 9:06 AM, Mauro Santos <registo.mailling at gmail.com> wrote:
>> Yes, same answer, you get owned. In fact, even with a password
>> required, the "5 minute grace window" for sudo does you in - some bad
>> guy just keeps trying to sudo, until you do it legitimately, thereby
>> allowing it freely for 5 minutes, and then he's got root.
>
> Isn't it possible to lock that to specific consoles with
> "Defaults tty_tickets" in /etc/sudoers? I guess that with the 5 min.
> grace window it will give a good balance between annoyance and security.

That's a nice feature, but there's still a hole in it. Consider the
case where you run sudo, close the window, and within the next 5
minutes something else allocates a PTY. It's likely to get the one you
just closed, with your ticket still good for it.
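
Added example, not part of the original message: a simplified check that reads sudoers-format text and reports which ticket behaviour discussed in this thread applies. The function name and the three labels are made up for illustration. It assumes the 5-minute default cited above, reads only global "Defaults" lines, and does not follow include directives. `timestamp_timeout=0` is the sudoers setting that makes sudo prompt every time, so no ticket is left behind on a reused PTY.

```shell
#!/bin/sh
# Classify sudo ticket caching from sudoers-format text on stdin.
# Simplified: global "Defaults" lines only (Defaults:user, Defaults@host etc. are ignored).
sudo_ticket_policy() {
    awk '
        BEGIN { timeout = 5; tty = 0 }      # assumption: 5 minute grace window, tickets not tied to a tty
        /^[ \t]*#/ { next }                 # comments (include directives are skipped too)
        $1 == "Defaults" {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, ",")      # one Defaults line may carry several settings
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/[ \t]/, "", o)
                if (o == "tty_tickets")  tty = 1
                if (o == "!tty_tickets") tty = 0
                if (o ~ /^timestamp_timeout=/) {
                    sub(/^[^=]*=/, "", o)
                    timeout = o + 0
                }
            }
        }
        END {
            if (timeout == 0) print "prompt-always"    # no cached ticket at all
            else if (tty)     print "per-tty-ticket"   # ticket tied to the terminal; PTY reuse case remains
            else              print "shared-ticket"    # ticket usable from any terminal of the user
        }'
}

# Constructed sample input: the setting suggested in the quoted message.
printf 'Defaults tty_tickets\n' | sudo_ticket_policy
```

On a real system the input would come from something like `sudo cat /etc/sudoers | sudo_ticket_policy`.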

