Comment 31 for bug 1219337

Mark Smith (tntc-tig) wrote :

Really? If the terminal I last ran sudo in is open still on the machine, and it's unlocked, I couldn't simply change the time back to the previous sudo command an escalate?

Even if it's a remote chance, it's still an easy exploit.

/var/log/auth.log is certainly readable by a program that uses a different exploit to gain access to that admin user (say, a browser exploit) and contains the PTY and timestamp. It doesn't even have to be exact: It just has to be ~ 15 minutes after the last sudo, right?

This is a simple upgrade that even your parent distribution has adopted for their stable. Why ignore it for over a year? Can you please show me the information about the inode? My impression was that it was based on the SID, rather than inode, but perhaps that has changed.