Mark Smith (tntc-tig) wrote :

This is by DESIGN?
Your design is that any user can change the time, and therefore bypass the security of sudo?
What's the justification for not having the user enter a password to change the time? Convenience?

Marc, with all due respect, did you even read the bug?

"If you disable the sudo password for your account, you will seriously compromise the security of your computer. Anyone sitting at your unattended, logged in account will have complete Root access, and remote exploits become much easier for malicious crackers."

This PolicyKit change adds a single condition: that the user has used sudo to escalate at some point, and it creates /exactly/ the same conditions.

I'm going to re-open this just to be sure. It seems incredible that Ubuntu would intentionally let people bypass security like that.