#1 2013-01-06 08:17:48

k40s
Member
From: Kassel
Registered: 2013-01-06
Posts: 26

Security issue: gksudo doesn't ask for password

When I log in, openbox starts and it takes a while until conky, the background and the taskbar are loaded.
During this time you are able to get root access by running, for example, "gksudo thunar".
In that case gksudo doesn't ask for a password.


Wofe!


#2 2013-01-06 10:47:33

bp
Member
From: Poznań, Poland
Registered: 2012-12-20
Posts: 23

Re: Security issue: gksudo doesn't ask for password

sudo nano /etc/sudoers

Defaults timestamp_timeout=X

from man sudoers:

timestamp_timeout

Number of minutes that can elapse before sudo will ask for a passwd again.  The timeout may include a fractional component if minute granularity is insufficient, for example 2.5.  The default is 15.  Set this to 0 to always prompt for a password.  If set to a value less than 0 the user's timestamp will never expire.  This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.

passwd_timeout

Number of minutes before the sudo password prompt times out, or 0 for no timeout.  The timeout may include a fractional component if minute granularity is insufficient, for example 2.5.  The default is 0.

Last edited by bp (2013-01-06 10:49:07)
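
An added example, not part of bp's post or of sudo itself: a shell check that reads sudoers text and reports the global timestamp_timeout in effect, falling back to the default of 15 quoted from the man page above. The function names and the sample file are constructed for illustration; only unscoped Defaults lines are read, and included files and line continuations are not followed.

```shell
#!/bin/sh
# Added example: report the global timestamp_timeout a sudoers file sets.
# Assumptions: hypothetical function names, constructed sample input.

effective_timestamp_timeout() {
    # Reads sudoers text on stdin, prints the value in minutes.
    awk '
        BEGIN { value = "15" }                 # default per man sudoers
        /^[ \t]*#/ { next }                    # comment (and #include) lines
        $1 == "Defaults" {                     # global scope only, not Defaults:user
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            sub(/[ \t]*#.*$/, "", line)        # drop a trailing comment
            n = split(line, settings, ",")     # one line may carry several settings
            for (i = 1; i <= n; i++) {
                s = settings[i]
                gsub(/[ \t]/, "", s)
                if (s ~ /^timestamp_timeout=-?[0-9]+(\.[0-9]+)?$/) {
                    sub(/^timestamp_timeout=/, "", s)
                    value = s                  # last matching entry wins
                }
            }
        }
        END { print value }
    '
}

classify_timeout() {
    # $1 = value in minutes; prints how sudo treats the cached credential.
    awk -v v="$1" 'BEGIN {
        if (v + 0 == 0)      print "always-prompt"
        else if (v + 0 < 0)  print "never-expires"
        else                 print "cached"
    }'
}

sample_sudoers() {
    cat <<'EOF'
# constructed sample, not from a real system
Defaults env_reset
Defaults mail_badpass, timestamp_timeout=5
Defaults:backup timestamp_timeout=-1
# Defaults timestamp_timeout=30
Defaults timestamp_timeout=0
EOF
}

value=$(sample_sudoers | effective_timestamp_timeout)
echo "timestamp_timeout=$value ($(classify_timeout "$value"))"
```

On a real system the input would be the sudoers file itself, read as root; a cached timestamp can be dropped at any time with the sudo -k mentioned in the man page excerpt.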


#3 2013-01-06 11:01:43

pvsage
Internal Affairs
From: North Carolina
Registered: 2009-10-18
Posts: 12,167

Re: Security issue: gksudo doesn't ask for password

^ I think k40s means that, during that brief period while Conky and Tint2 are loading, gksudo can launch applications as root without an initial dialog requesting the sudoers password.  If this is indeed the case, then I think this does represent a vulnerability that can potentially be exploited by malicious software.


I'm a moderator here.  How are we doing?  Feedback is encouraged.


#4 2013-01-06 18:36:57

k40s
Member
From: Kassel
Registered: 2013-01-06
Posts: 26

Re: Security issue: gksudo doesn't ask for password

That's exactly what I mean!


Wofe!
