Deleting a user does not invalidate the user's sudo time stamp

Bug #857502 reported by Simon Déziel
This bug affects 1 person
Affects: adduser (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: none listed

Bug Description

When deleting a user, its sudo time stamp file, if any, is not invalidated. This means that if the same user is recreated right after the deletion (and joined to the sudo group), the new user can do "sudo -i" without receiving a password prompt. This problem is mitigated by the fact that the time stamp expires after a short delay, but I still feel that it's not right to not remove it.

This could be solved by removing the files under /var/lib/sudo/<user>/ or /var/run/sudo/<user>/ (on older Ubuntu versions).

$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04

$ apt-cache policy adduser
adduser:
  Installed: 3.112+nmu1ubuntu5
  Candidate: 3.112+nmu1ubuntu5
  Version table:
 *** 3.112+nmu1ubuntu5 0
        500 http://ca.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: adduser 3.112+nmu1ubuntu5
ProcVersionSignature: Ubuntu 2.6.38-11.50-generic 2.6.38.8
Uname: Linux 2.6.38-11-generic x86_64
Architecture: amd64
Date: Fri Sep 23 11:03:57 2011
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_US:en
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: adduser
UpgradeStatus: No upgrade log present (probably fresh install)
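
The cleanup proposed in the description, as an added example that is not part of the original report or of adduser's code: one function removes a deleted user's time stamp entries from the two directories the report names, and a second lists entries left behind for accounts that no longer exist. The `SUDO_TS_DIRS` override and both function names are hypothetical; the last lines assume the script is installed as `/usr/local/sbin/deluser.local`, the local cleanup hook described in deluser(8).

```shell
#!/bin/sh
# Added example (not adduser's code): clean up sudo time stamps of a deleted user.
# The default directories are the two named in the report; SUDO_TS_DIRS is a
# hypothetical override so the functions can be pointed at a test directory.
SUDO_TS_DIRS="${SUDO_TS_DIRS:-/var/lib/sudo /var/run/sudo}"

# purge_sudo_timestamps USER
# Removes <dir>/USER from every time stamp directory and prints each path
# removed. Returns 2 for an unsafe name, 0 otherwise.
purge_sudo_timestamps() {
    user=$1
    # Refuse names that would resolve outside the time stamp directory.
    case $user in
        ''|.|..|*/*) echo "refusing unsafe user name: '$user'" >&2; return 2 ;;
    esac
    for base in $SUDO_TS_DIRS; do
        target=$base/$user
        if [ -e "$target" ] || [ -L "$target" ]; then
            rm -rf -- "$target" && echo "removed $target"
        fi
    done
    return 0
}

# list_orphan_sudo_timestamps
# Prints every time stamp entry whose name no longer maps to an account,
# i.e. state that a recreated user of the same name would inherit.
list_orphan_sudo_timestamps() {
    for base in $SUDO_TS_DIRS; do
        [ -d "$base" ] || continue
        for entry in "$base"/*; do
            [ -e "$entry" ] || continue
            name=${entry##*/}
            id -u "$name" >/dev/null 2>&1 || echo "$entry"
        done
    done
}

# When installed as the deluser.local hook, the deleted user's name is $1.
if [ "${0##*/}" = "deluser.local" ]; then
    purge_sudo_timestamps "$1"
fi
```

Running `list_orphan_sudo_timestamps` as root on an existing system shows whether any stale entries are already present.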
