From noensr at gmail.com Wed Apr 7 16:40:01 2010
From: noensr at gmail.com (Robrecht Noens)
Date: Wed, 07 Apr 2010 22:40:01 +0200
Subject: [sudo-workers] tty tickets
Message-ID: <4BBCEDA1.9030902@gmail.com>

Hi,

I wrote a patch today that provides a boolean option "tty_check_time". When this option is on and the tty_tickets option is on, the change-time of the tty device is saved in the ticket. This should, under normal circumstances, be the same as the creation time of the tty device (creation time itself is never available in UNIX).

When sudo is called from a terminal, the change-time of the terminal is compared with the value in the ticket. If it differs, the terminal has probably been hijacked, so no access is granted.

If a ticket is empty, no access is granted and the ticket is deleted, so the system keeps working when the option is set from off to on.

Patches are included. Let me know what you think of it.

Best regards,
Robrecht Noens

-------------- next part --------------
A non-text attachment was scrubbed...
Name: check.c.diff
Type: text/x-patch
Size: 3481 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: def_data.c.diff
Type: text/x-patch
Size: 426 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: def_data.h.diff
Type: text/x-patch
Size: 438 bytes
Desc: not available
URL:

From Todd.Miller at courtesan.com Wed Apr 7 17:34:31 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 07 Apr 2010 17:34:31 -0400
Subject: [sudo-workers] tty tickets
In-Reply-To: Your message of "Wed, 07 Apr 2010 22:40:01 +0200." <4BBCEDA1.9030902@gmail.com>
References: <4BBCEDA1.9030902@gmail.com>
Message-ID: <201004072134.o37LYVaY012412@core.courtesan.com>

That's an interesting idea. Anything that changes the mode on the tty, such as mesg(1), will cause the ctime to be updated, but that's not a common thing to do.
I think you can avoid having to store the tty's ctime directly in the timestamp file by just comparing the tty's ctime to the mtime of the timestamp file minus the value of timestamp_timeout.

 - todd

From noensr at gmail.com Wed Apr 7 17:59:24 2010
From: noensr at gmail.com (Robrecht Noens)
Date: Wed, 07 Apr 2010 23:59:24 +0200
Subject: [sudo-workers] tty tickets
In-Reply-To: <201004072134.o37LYVaY012412@core.courtesan.com>
References: <4BBCEDA1.9030902@gmail.com> <201004072134.o37LYVaY012412@core.courtesan.com>
Message-ID: <4BBD003C.7050703@gmail.com>

I agree that your approach is cleaner, but there is also the issue of changing timezones, or changing your clock in general. By saving the creation time, you have something that's harder to spoof.

Robrecht

From Siem.Korteweg at qnh.nl Wed Apr 28 07:13:56 2010
From: Siem.Korteweg at qnh.nl (Siem Korteweg)
Date: Wed, 28 Apr 2010 13:13:56 +0200
Subject: [sudo-workers] sudo ldap: handle multiple roles with same name
Message-ID: <61F7C813E194BE4B978C9F1A16165CBE536BDB@EX01.QNH.local>

Hi,

sudoers2ldif assigns (as documented) the same dn to all entries for a single user/group. The following diff assigns unique dn's by adding a sequence number when a user/group appears again in the input:

[root at centos53 sudo]# diff ./sudoers2ldif ./sudo-1.7.2p5/sudoers2ldif
26d25
< my %DN; # Hold index for each cn.
82,92c81
< my $cn=$users[ 0 ];
< if ( $DN{ $cn } ) # cn already processed?
< {
< $cn = sprintf( "%s_%d", $users[ 0 ], $DN{ $users[ 0 ] } );
< $DN{ $users[0] } += 1; # indicate next index for this cn
< }
< else
< {
< $DN{ $users[0] } = 1; # indicate next index for this cn
< }
< print "dn: cn=$cn,$base\n";
---
> print "dn: cn=$users[0],$base\n";
95c84
< print "cn: $cn\n";
---
> print "cn: $users[0]\n";

This is a crude approach. However, it avoids errors during the import.

regards,
Siem Korteweg
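Review bot: in the 82,92c81 hunk the test `if ( $DN{ $cn } )` and the updates to `$DN{ $users[0] }` only refer to the same key because `$cn` has just been set to `$users[ 0 ]`; using one of the two spellings consistently would make that obvious, and since the `%s_%d` suffix is also written to the `cn:` attribute in the 95c84 hunk, the cn of every repeated role no longer equals the user or group name, which anyone searching the directory by cn should know about. Also, the diff was run with the modified file as the first argument, so the `<` lines are the new code; swapping the arguments (`diff -u ./sudo-1.7.2p5/sudoers2ldif ./sudoers2ldif`) would produce a patch that applies with patch(1) without reversing.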
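The check Robrecht describes in the tty tickets thread earlier on this page, as an added example in C; it is not sudo's code and not the posted check.c.diff. It assumes a ticket file that holds the tty's st_ctime as a decimal number, with caller-supplied paths so a regular file can stand in for the tty device when trying it offline.

```c
/* Added example: a sketch of the tty_check_time idea from this thread. It is
 * not sudo's code and not the posted patch. The ticket stores the tty device's
 * st_ctime; a later check denies when the tty's ctime differs, and an empty or
 * unreadable ticket is deleted and denied. Paths are caller-supplied, so a
 * regular file can stand in for the tty device when trying this offline. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Record the tty's current ctime in the ticket file; 0 on success, -1 on error. */
static int ticket_save(const char *ticket_path, const char *tty_path)
{
    struct stat sb;
    if (stat(tty_path, &sb) != 0)
        return -1;
    FILE *fp = fopen(ticket_path, "w");
    if (fp == NULL)
        return -1;
    int rc = fprintf(fp, "%lld\n", (long long)sb.st_ctime) > 0 ? 0 : -1;
    if (fclose(fp) != 0)
        rc = -1;
    return rc;
}

/* 1 when the stored ctime equals the tty's ctime now, 0 (deny) otherwise.
 * A ticket that holds no number is unlinked so it cannot be reused. */
static int ticket_check(const char *ticket_path, const char *tty_path)
{
    struct stat sb;
    long long stored;
    FILE *fp = fopen(ticket_path, "r");
    if (fp == NULL)
        return 0;                      /* no ticket: deny */
    int have = fscanf(fp, "%lld", &stored) == 1;
    fclose(fp);
    if (!have) {
        unlink(ticket_path);           /* empty or garbled ticket: discard, deny */
        return 0;
    }
    if (stat(tty_path, &sb) != 0)
        return 0;                      /* tty gone: deny */
    return (long long)sb.st_ctime == stored;
}
```

As Todd points out in the thread, anything that changes the tty's mode also updates its ctime, so a ticket saved this way is invalidated by mesg(1) as well as by a re-created device.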