Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the 'Remove insecure root 'grace period' from sudo' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Remove insecure root 'grace period' from sudo
Authored by: sheepmaster on Jun 01, '05 11:57:35AM

Um, sudo doesn't drop the ticket when you exit the shell (it doesn't even run at this point).

But nevertheless, the tty_tickets option should be sufficient to disallow a malicious widget to run as root without losing the comfort of only having to authenticate about every 5 minutes.

On a side remark, even with the sudo security issue solved, a malicious widget could still do quite some damage, like removing your home directory, so you should still be careful about which widgets you install.



[ Reply to This | # ]
Remove insecure root 'grace period' from sudo
Authored by: greed on Jun 01, '05 03:19:19PM

The problem with just using tty_tickets is that everything in the GUI is under "console", except for terminal-type windows.

So authenticating an installer (for example) will still open you up to a malicious widget, as they're both under "console".

(And yes, your user data is always at risk from something you run.)



[ Reply to This | # ]