I concur. Vadim, I like the basic idea, but I do not like that in the
bogus case we still run all the privileged user auth code.
On Thu, Jul 16, 2015 at 4:30 PM, Ted Unangst t...@tedunangst.com wrote:
Vadim Zhukov wrote:
Ask for a password when we're going to fail() anyway, to avoid
leaking
On 17 Jul 2015, at 16:18, Bob Beck b...@openbsd.org wrote:
I concur. Vadim, I like the basic idea, but I do not like that in the
bogus case we still run all the privileged user auth code.
sudo also has the -l flag, which lists what commands you're allowed to run.
however, it looks like if
Vadim Zhukov wrote:
Ask for a password when we're going to fail() anyway, to avoid
leaking information about available commands. The sudo(8) behaves
the same way, FWIW.
okay?
i need to think about this for a bit. there's a strange interaction where if
the nopasswd option is used, you've now
Vadim Zhukov wrote:
Ask for a password when we're going to fail() anyway, to avoid
leaking information about available commands. The sudo(8) behaves
the same way, FWIW.
Let's say no for now. I'm not too concerned about this leak. I'm not sure what
a user would hope to discover. Hasn't the