https://qa.mandrakesoft.com/show_bug.cgi?id=1668

           Product: drakconf
         Component: drakconf
           Summary: mcc starts without root password
           Version: 9.0-6.1mdk
          Platform: Other
        OS/Version: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


I run mcc on a remote machine for package update. 
These are the commands I run: 
 
1. ssh <remote-machine> -l <non-root-username> 
 
2. After login, I run "mcc" from commandline 
 
3. It asks for root passwd. So far so good 
 
4. mcc starts up after root passwd is given. I quit mcc. 
 
5. Run "mcc" from commandline again. This time it starts without asking for root passwd!!
Why?
 
6. I quit mcc, logout of the remote machine. 
 
7. Immediately, repeat steps 1 and 2. Mcc starts without asking for root passwd !! 
 
Is there a timer associated with the root passwd in the sense that once you authenticate, you have "tokens" that last for the next 2 minutes? If that is true, why are these tokens valid even after the remote ssh connection has ended? If not true, then it's a severe security bug.

If the non-root user who was issued these "tokens" logs out, the tokens must also vanish.


