Re: sudo -K/-k ineffective
me gurpreet...@gmail.com writes:

> Hi,
>
> Upon doing sudo some-command as a normal user (non-root), sudo asks for password only once, subsequent invocations of sudo don't ask for password - even though I do sudo -k or sudo -K in between. Although sudo starts asking for password after the time stamp expiry.
>
> In other words:
>
> % sudo mkdir /newdir
> sudo asks for password authentication, creates the directory after successful authentication
> % sudo -k
> % sudo -K
> % sudo mkdir /another_new_dir
> sudo doesn't ask for password authentication, and creates the directory
>
> In sudoers file, NOPASSWD is NOT set.
> Here is my sudoers file: http://pastebin.com/WFnXCLE1
>
> Output of uname -a:
> FreeBSD foo.bar 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>
> Is this a known bug? If not, then it might have security implications.

It certainly might, for anyone using the -[kK] options.

However, I can't reproduce it. Works as advertised when I try your example. The only settings in my sudoers file are timestamp_timeout=90,insults,!tty_tickets,!env_reset (for my own account only). And your sudoers file seems to be factory standard.

I don't think sudo even knows about pam(3), so I'm not sure what could be happening here...

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: sudo -K/-k ineffective
Hi,

Lowell Gilbert wrote:
> me gurpreet...@gmail.com writes:
>> Upon doing sudo some-command as a normal user (non-root), sudo asks for password only once, subsequent invocations of sudo don't ask for password - even though I do sudo -k or sudo -K in between. Although sudo starts asking for password after the time stamp expiry.
>
> [...]
>
> I don't think sudo even knows about pam(3), so I'm not sure what could be happening here...

Maybe there is something funny with sudo's timestamp directory? If it is mounted with option `noatime' it may have consequences similar to what you describe.

Michael
Re: sudo -K/-k ineffective
I don't see anything suspicious in the timestamp directory:

foo% sudo ls -l /var/run/sudo/
total 12
drwx-- 2 root wheel 512 Aug 2 01:06 gurpreet
drwx-- 2 root wheel 512 Aug 2 00:37 other
drwx-- 2 root wheel 512 Aug 2 00:37 third
foo% sudo ls -l /var/run/sudo/gurpreet
total 8
-rw--- 1 root wheel 20 Aug 2 01:07 0
-rw--- 1 root wheel 20 Aug 2 00:59 1

Also, the FS containing this directory (/ itself) is mounted without noatime.

foo% mount
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local, multilabel)

2010/8/2 Michael Grünewald michael.grunew...@laposte.net

> Hi,
>
> Lowell Gilbert wrote:
>> me gurpreet...@gmail.com writes:
>>> Upon doing sudo some-command as a normal user (non-root), sudo asks for password only once, subsequent invocations of sudo don't ask for password - even though I do sudo -k or sudo -K in between. Although sudo starts asking for password after the time stamp expiry.
>>
>> [...]
>>
>> I don't think sudo even knows about pam(3), so I'm not sure what could be happening here...
>
> Maybe there is something funny with sudo's timestamp directory? If it is mounted with option `noatime' it may have consequences similar to what you describe.
>
> Michael

--
Life is not fair. Get used to it.
Be nice to nerds. Chances are you'll end up working for one.
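The mount-option check from the two messages above, as an added example that is not part of the thread: a POSIX shell function that finds the mount entry covering a path in FreeBSD-style `mount` output and tests it for an option such as noatime. The function names and the second sample (a separate /var mounted noatime) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): which mount covers a path, and does it
# carry a given option? Input is FreeBSD-style `mount` output on stdin.

# The two lines of mount output posted in the thread.
THREAD_MOUNT='/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local, multilabel)'

# Constructed counter-case: a hypothetical separate /var mounted noatime.
SAMPLE_MOUNT="$THREAD_MOUNT
/dev/ad0s1d on /var (ufs, local, noatime, soft-updates)"

# mount_entry_for PATH
# Prints "<mountpoint><TAB><opt,opt,...>" for the longest mount point that
# covers PATH; exits 1 if no line matches.
mount_entry_for() {
    awk -v path="$1" '
    # Line format: <device> on <mountpoint> (<opt>, <opt>, ...)
    match($0, / \([^()]*\)$/) && (s = index($0, " on ")) && s < RSTART {
        mp   = substr($0, s + 4, RSTART - s - 4)
        opts = substr($0, RSTART + 2, RLENGTH - 3)
        gsub(/, /, ",", opts)
        # "/var" covers "/var" and "/var/run/sudo", but not "/variable".
        pre = (mp == "/") ? "/" : mp "/"
        if ((path == mp || index(path, pre) == 1) && length(mp) > length(best)) {
            best = mp; bestopts = opts
        }
    }
    END { if (best == "") exit 1; printf "%s\t%s\n", best, bestopts }'
}

# has_mount_option PATH OPTION
# Returns 0 if the covering mount has OPTION, 1 if not, 2 if no mount found.
has_mount_option() {
    entry=$(mount_entry_for "$1") || return 2
    opts=$(printf '%s\n' "$entry" | cut -f2)
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# On a live system:  mount | has_mount_option /var/run/sudo noatime
```

Matching on the longest covering mount point matters when /var or /var/run is its own filesystem: the options on / then say nothing about the timestamp directory.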
Re: sudo -K/-k ineffective
... I'm no longer going to answer questions past 11 o'clock GMT. Sorry!

Chris

Sorry for top-posting, Android won't let me quote, but K-9 can't yet do threading.

On 31 Jul 2010 03:05, Michael Toth freebsd.mt...@queldor.net wrote:

> On 07/30/2010 06:00 PM, Chris Rees wrote:
>> It's by design. There's a timeout that you can set, ...
>
> Chris,
>
> That is not by design. sudo -K should remove the timestamp
>
> --
> sudo -K
> The -K (sure kill) option is like -k except that it removes the user's time stamp entirely and may not be used in conjunction with a command or other option. This option does not require a password.
> --
>
> Gurpreet,
>
> I am not sure if this is a known bug, I was not able to duplicate this on FreeBSD 7.2 running sudo 1.6.9p20
>
>> Sorry for top-posting, Android won't let me quote, but K-9 can't yet do threading.
>>
>> On 30...
sudo -K/-k ineffective
Hi,

Upon doing sudo some-command as a normal user (non-root), sudo asks for password only once, subsequent invocations of sudo don't ask for password - even though I do sudo -k or sudo -K in between. Although sudo starts asking for password after the time stamp expiry.

In other words:

% sudo mkdir /newdir
sudo asks for password authentication, creates the directory after successful authentication
% sudo -k
% sudo -K
% sudo mkdir /another_new_dir
sudo doesn't ask for password authentication, and creates the directory

In sudoers file, NOPASSWD is NOT set.
Here is my sudoers file: http://pastebin.com/WFnXCLE1

Output of uname -a:
FreeBSD foo.bar 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

Is this a known bug? If not, then it might have security implications.

Regards,
Gurpreet Singh

--
Life is not fair. Get used to it.
Be nice to nerds. Chances are you'll end up working for one.
Re: sudo -K/-k ineffective
It's by design. There's a timeout that you can set, try man sudo.

Chris

Sorry for top-posting, Android won't let me quote, but K-9 can't yet do threading.

On 30 Jul 2010 21:43, me gurpreet...@gmail.com wrote:

> Hi,
>
> Upon doing sudo some-command as a normal user (non-root), sudo asks for password only once, subsequent invocations of sudo don't ask for password - even though I do sudo -k or sudo -K in between. Although sudo starts asking for password after the time stamp expiry.
>
> In other words:
>
> % sudo mkdir /newdir
> sudo asks for password authentication, creates the directory after successful authentication
> % sudo -k
> % sudo -K
> % sudo mkdir /another_new_dir
> sudo doesn't ask for password authentication, and creates the directory
>
> In sudoers file, NOPASSWD is NOT set.
> Here is my sudoers file: http://pastebin.com/WFnXCLE1
>
> Output of uname -a:
> FreeBSD foo.bar 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>
> Is this a known bug? If not, then it might have security implications.
>
> Regards,
> Gurpreet Singh
>
> --
> Life is not fair. Get used to it.
> Be nice to nerds. Chances are you'll end up working for one.
Re: sudo -K/-k ineffective
On 07/30/2010 06:00 PM, Chris Rees wrote:
> It's by design. There's a timeout that you can set, try man sudo.
>
> Chris

Chris,

That is not by design. sudo -K should remove the timestamp

--
sudo -K
The -K (sure kill) option is like -k except that it removes the user's time stamp entirely and may not be used in conjunction with a command or other option. This option does not require a password.
--

Gurpreet,

I am not sure if this is a known bug, I was not able to duplicate this on FreeBSD 7.2 running sudo 1.6.9p20

> Sorry for top-posting, Android won't let me quote, but K-9 can't yet do threading.
>
> On 30 Jul 2010 21:43, me gurpreet...@gmail.com wrote:
>
>> Hi,
>>
>> Upon doing sudo some-command as a normal user (non-root), sudo asks for password only once, subsequent invocations of sudo don't ask for password - even though I do sudo -k or sudo -K in between. Although sudo starts asking for password after the time stamp expiry.
>>
>> In other words:
>>
>> % sudo mkdir /newdir
>> sudo asks for password authentication, creates the directory after successful authentication
>> % sudo -k
>> % sudo -K
>> % sudo mkdir /another_new_dir
>> sudo doesn't ask for password authentication, and creates the directory
>>
>> In sudoers file, NOPASSWD is NOT set.
>> Here is my sudoers file: http://pastebin.com/WFnXCLE1
>>
>> Output of uname -a:
>> FreeBSD foo.bar 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>>
>> Is this a known bug? If not, then it might have security implications.
>>
>> Regards,
>> Gurpreet Singh
>>
>> --
>> Life is not fair. Get used to it.
>> Be nice to nerds. Chances are you'll end up working for one.