Your message dated Sun, 2 Mar 2014 16:44:36 +0100
with message-id <[email protected]>
and subject line Re: Bug#429549: installation-report: option
'timestamp_timeout' in sudo config
has caused the Debian Bug report #429549,
regarding installation-report: option 'timestamp_timeout' in sudo config
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
429549: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429549
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: installation-reports
Version: 2.29
Severity: normal
Current installer have 2 options:
1.set root password
2.don't set root password
In case 2. the configuration file sudo created with the next settings
user ALL=(ALL) ALL
I suggest to add an option:
timestamp_timeout 0
This option will prevent getting root rights by malefactor who was
succeed in getting shell on user account (for example through
possible holes in brouser etc.)
In current case a simple script that periodically runs 'sudo command'
or more complicated script that follows for logs activity
/var/log/auth and runs on this log activity 'sudo command' can get
full control on a system where sudo configured by installer.
--- End Message ---
--- Begin Message ---
Colin Watson <[email protected]> (2007-06-18):
> On Mon, Jun 18, 2007 at 10:31:39PM +0400, Dmitry E. Oboukhov wrote:
> > Current installer have 2 options:
> > 1.set root password
> > 2.don't set root password
> > In case 2. the configuration file sudo created with the next settings
> >
> > user ALL=(ALL) ALL
> >
> > I suggest to add an option:
> >
> > timestamp_timeout 0
> >
> > This option will prevent getting root rights by malefactor who was
> > succeed in getting shell on user account (for example through
> > possible holes in brouser etc.)
> >
> > In current case a simple script that periodically runs 'sudo
> > command' or more complicated script that follows for logs activity
> > /var/log/auth and runs on this log activity 'sudo command' can get
> > full control on a system where sudo configured by installer.
>
> I don't think it's that simple. We tried that in Ubuntu three years
> ago, and the net effect was that everyone got fed up of being prompted
> for their password all the time and just ran 'sudo -s' to get a root
> shell. We concluded that this was not a security win once we'd
> thought about it in more detail, and reverted it.
Based on Colin's feedback, I don't think we want to add this option, so
closing this bug report.
Mraw,
KiBi.
signature.asc
Description: Digital signature
--- End Message ---
