Re: Ask for password for failed commands

2015-07-17 Thread Bob Beck
I concur.  Vadim I like the basic idea, but I do not like that in the
bogus case we still run all the privileged user auth code.


On Thu, Jul 16, 2015 at 4:30 PM, Ted Unangst t...@tedunangst.com wrote:
> Vadim Zhukov wrote:
> > Ask for a password when we're going to fail() anyway, to avoid
> > leaking information about available commands. sudo(8) behaves
> > the same way, FWIW.
>
> Let's say no for now. I'm not too concerned about this leak. I'm not sure what
> a user would hope to discover. Hasn't the sysadmin told them what commands
> they can run?
>
> On the other hand, running more auth code seems riskier.




Re: Ask for password for failed commands

2015-07-17 Thread David Gwynne

> On 17 Jul 2015, at 16:18, Bob Beck b...@openbsd.org wrote:
>
> I concur.  Vadim I like the basic idea, but I do not like that in the
> bogus case we still run all the privileged user auth code.

sudo also has the -l flag, which lists what commands you're allowed to run.

however, it looks like if you aren't allowed to run anything on the local
machine sudo -l will make it look like you're entering your password
incorrectly rather than report that you can't run anything. so a similar problem
but different. or I can't type my password well today.

dlg

>
>
> On Thu, Jul 16, 2015 at 4:30 PM, Ted Unangst t...@tedunangst.com wrote:
> > Vadim Zhukov wrote:
> > > Ask for a password when we're going to fail() anyway, to avoid
> > > leaking information about available commands. sudo(8) behaves
> > > the same way, FWIW.
> >
> > Let's say no for now. I'm not too concerned about this leak. I'm not sure
> > what
> > a user would hope to discover. Hasn't the sysadmin told them what commands
> > they can run?
> >
> > On the other hand, running more auth code seems riskier.
>
>




Re: Ask for password for failed commands

2015-07-16 Thread Ted Unangst
Vadim Zhukov wrote:
> Ask for a password when we're going to fail() anyway, to avoid
> leaking information about available commands. sudo(8) behaves
> the same way, FWIW.
>
> okay?

i need to think about this for a bit. there's a strange interaction where if
the nopasswd option is used, you've now created the opposite problem. maybe.

also, we may want to create a fake password prompt without running through all
the user auth machinery, but it gets harder then because you have to run
bcrypt the right number of times, etc., etc.

so maybe ok, but not right away?
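The point Ted raises above (a fake prompt on the denied path only hides the leak if it costs the same as a real verification) is illustrated by the following constructed example. It is added here and is not doas, sudo or any OpenBSD code; it assumes a toy rule table and user database, uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, and reports how much hashing work each path performed so the difference can be checked without relying on wall-clock timing.

```python
"""Constructed demonstration (not doas or sudo source code): a "fake" password
prompt on the denied path must do the same hashing work as a real one, or the
response time reveals whether a rule matched."""
import hashlib
import hmac
import secrets
import time
from typing import NamedTuple, Optional

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt so this runs with the
# standard library only; what matters is that the cost is the same on both paths.
ITERATIONS = 50_000
SALT = b"constructed-fixed-salt"   # constructed; real systems use per-user salts


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


# Constructed user database and doas-style rule table (hypothetical entries).
USERS = {"alice": hash_password("correct horse")}
RULES = [
    {"user": "alice", "cmd": "/sbin/reboot", "nopass": False},
    {"user": "alice", "cmd": "/usr/sbin/rcctl", "nopass": True},
]
# Hash of random data that no password will ever verify against, so the denied
# path can perform one real verification instead of none.
DUMMY_HASH = hash_password(secrets.token_hex(32))


class Result(NamedTuple):
    allowed: bool
    hash_work: int      # number of expensive hash computations performed
    prompted: bool      # whether the caller would have shown a password prompt


def find_rule(user: str, cmd: str) -> Optional[dict]:
    match = None
    for rule in RULES:            # last matching rule wins
        if rule["user"] == user and rule["cmd"] == cmd:
            match = rule
    return match


def check_leaky(user: str, cmd: str, password: str) -> Result:
    """Fail early when no rule matches: no prompt and no hashing. A caller can
    tell 'not permitted' from 'wrong password' by whether they were asked."""
    rule = find_rule(user, cmd)
    if rule is None:
        return Result(False, 0, False)
    if rule["nopass"]:
        return Result(True, 0, False)
    ok = hmac.compare_digest(hash_password(password), USERS[user])
    return Result(ok, 1, True)


def check_uniform(user: str, cmd: str, password: str) -> Result:
    """Always prompt and always do exactly one hash verification; deny afterwards
    if no rule matched. 'No rule', 'unknown user' and 'wrong password' now cost
    the same. A nopass rule still skips the prompt, which is the opposite leak
    mentioned in the thread: being prompted now reveals that you are denied."""
    rule = find_rule(user, cmd)
    if rule is not None and rule["nopass"]:
        return Result(True, 0, False)
    stored = USERS.get(user, DUMMY_HASH) if rule is not None else DUMMY_HASH
    ok = hmac.compare_digest(hash_password(password), stored)
    return Result(ok and rule is not None, 1, True)


def timed(fn, *args) -> float:
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


if __name__ == "__main__":
    for name, fn in (("leaky", check_leaky), ("uniform", check_uniform)):
        t_denied = timed(fn, "alice", "/sbin/halt", "whatever")
        t_wrong = timed(fn, "alice", "/sbin/reboot", "wrong password")
        print(f"{name:8s} no-rule: {t_denied * 1000:7.1f} ms  "
              f"wrong-pw: {t_wrong * 1000:7.1f} ms")
```

Running the block prints the two paths side by side: the leaky check answers a no-rule request in microseconds while a wrong password costs a full hash, whereas the uniform check spends one hash either way. The remaining caveat from the thread is visible in the code as well: the nopass branch is the one place where the prompt itself still carries information.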



Re: Ask for password for failed commands

2015-07-16 Thread Ted Unangst
Vadim Zhukov wrote:
> Ask for a password when we're going to fail() anyway, to avoid
> leaking information about available commands. sudo(8) behaves
> the same way, FWIW.

Let's say no for now. I'm not too concerned about this leak. I'm not sure what
a user would hope to discover. Hasn't the sysadmin told them what commands
they can run?

On the other hand, running more auth code seems riskier.