2011-09-23 15:28:01 |
Simon Déziel |
description |
When deleting a user, its sudo time stamp file if any is not invalidated. This means that if the same use is recreated right after the deletion (and joined to the sudo group), the new user can do "sudo -i" without receiving a password prompt.
This could be solved by removing the files under /var/lib/sudo/<user>/ or /var/run/sudo/<user>/ (on older Ubuntu versions).
$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04
$ apt-cache policy adduser
adduser:
Installed: 3.112+nmu1ubuntu5
Candidate: 3.112+nmu1ubuntu5
Version table:
*** 3.112+nmu1ubuntu5 0
500 http://ca.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
100 /var/lib/dpkg/status
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: adduser 3.112+nmu1ubuntu5
ProcVersionSignature: Ubuntu 2.6.38-11.50-generic 2.6.38.8
Uname: Linux 2.6.38-11-generic x86_64
Architecture: amd64
Date: Fri Sep 23 11:03:57 2011
PackageArchitecture: all
ProcEnviron:
LANGUAGE=en_US:en
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: adduser
UpgradeStatus: No upgrade log present (probably fresh install) |
When deleting a user, its sudo time stamp file, if any, is not invalidated. This means that if the same use is recreated right after the deletion (and joined to the sudo group), the new user can do "sudo -i" without receiving a password prompt.
This could be solved by removing the files under /var/lib/sudo/<user>/ or /var/run/sudo/<user>/ (on older Ubuntu versions).
$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04
$ apt-cache policy adduser
adduser:
Installed: 3.112+nmu1ubuntu5
Candidate: 3.112+nmu1ubuntu5
Version table:
*** 3.112+nmu1ubuntu5 0
500 http://ca.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
100 /var/lib/dpkg/status
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: adduser 3.112+nmu1ubuntu5
ProcVersionSignature: Ubuntu 2.6.38-11.50-generic 2.6.38.8
Uname: Linux 2.6.38-11-generic x86_64
Architecture: amd64
Date: Fri Sep 23 11:03:57 2011
PackageArchitecture: all
ProcEnviron:
LANGUAGE=en_US:en
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: adduser
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2011-09-23 15:28:51 |
Simon Déziel |
description |
When deleting a user, its sudo time stamp file, if any, is not invalidated. This means that if the same use is recreated right after the deletion (and joined to the sudo group), the new user can do "sudo -i" without receiving a password prompt.
This could be solved by removing the files under /var/lib/sudo/<user>/ or /var/run/sudo/<user>/ (on older Ubuntu versions).
$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04
$ apt-cache policy adduser
adduser:
Installed: 3.112+nmu1ubuntu5
Candidate: 3.112+nmu1ubuntu5
Version table:
*** 3.112+nmu1ubuntu5 0
500 http://ca.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
100 /var/lib/dpkg/status
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: adduser 3.112+nmu1ubuntu5
ProcVersionSignature: Ubuntu 2.6.38-11.50-generic 2.6.38.8
Uname: Linux 2.6.38-11-generic x86_64
Architecture: amd64
Date: Fri Sep 23 11:03:57 2011
PackageArchitecture: all
ProcEnviron:
LANGUAGE=en_US:en
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: adduser
UpgradeStatus: No upgrade log present (probably fresh install) |
When deleting a user, its sudo time stamp file, if any, is not invalidated. This means that if the same use is recreated right after the deletion (and joined to the sudo group), the new user can do "sudo -i" without receiving a password prompt. This problem is mitigated by the fact that the time stamp expires after a short delay but I still feel that's not right to not remove it.
This could be solved by removing the files under /var/lib/sudo/<user>/ or /var/run/sudo/<user>/ (on older Ubuntu versions).
$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04
$ apt-cache policy adduser
adduser:
Installed: 3.112+nmu1ubuntu5
Candidate: 3.112+nmu1ubuntu5
Version table:
*** 3.112+nmu1ubuntu5 0
500 http://ca.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
100 /var/lib/dpkg/status
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: adduser 3.112+nmu1ubuntu5
ProcVersionSignature: Ubuntu 2.6.38-11.50-generic 2.6.38.8
Uname: Linux 2.6.38-11-generic x86_64
Architecture: amd64
Date: Fri Sep 23 11:03:57 2011
PackageArchitecture: all
ProcEnviron:
LANGUAGE=en_US:en
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: adduser
UpgradeStatus: No upgrade log present (probably fresh install) |
|