[sudo-users] Re: sudo-users Digest, Vol 24, Issue 5 (On Vacation)

Dana Jaeger Jaeger at harthosp.org
Thu Dec 23 14:01:50 EST 2004


I will be on vacation beginning Thursday 12/23 and returning Tuesday
12/28. In the event of an emergency, please contact the tech support
help line. If your question concerns Tivoli, please contact Anca
Suciu (5-5156).

>>> sudo-users 12/23/04 14:00 >>>



Today's Topics:

   1. Defaults authenticate "feature"? (Paul Stepowski)
   2. Re: Defaults authenticate "feature"?  (Todd C. Miller)
   3. Re: Defaults authenticate "feature"? (Alek O. Komarnitsky (N-CSC))


----------------------------------------------------------------------

Message: 1
Date: Thu, 23 Dec 2004 10:49:41 +1000
From: Paul Stepowski <p.stepowski at qut.edu.au>
Subject: [sudo-users] Defaults authenticate "feature"?
To: sudo-users at sudo.ws
Message-ID: <41CA1625.1020706 at qut.edu.au>
Content-Type: text/plain; charset=us-ascii; format=flowed

Hi,

Just something I noticed using the default flag authenticate.

When sudoers has:

Defaults        authenticate

set (which is the default behaviour), the following commands
produce the following output:

---snip---
$ sudo -K
$ sudo date

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

         #1) Respect the privacy of others.
         #2) Think before you type.

Password:
Thu Dec 23 10:44:02 EST 2004
---snip---

When sudoers has:

Defaults        !authenticate

set, the following commands produce the following output:

---snip---
$ sudo -K
$ sudo date
Thu Dec 23 10:45:22 EST 2004
---snip---

So when you disable user passwords, you're also disabling the
output of the sudo banner. This surprised me, I would have
thought the two would be independent. So IMHO, it violates
the principle of least surprise. It's not a big deal but I'm
curious if this was done deliberately.

Is this a feature or a bug?

Thanks,

Paul



------------------------------

Message: 2
Date: Wed, 22 Dec 2004 20:03:17 -0700
From: "Todd C. Miller" <Todd.Miller at courtesan.com>
Subject: Re: [sudo-users] Defaults authenticate "feature"? 
To: Paul Stepowski <p.stepowski at qut.edu.au>
Cc: sudo-users at sudo.ws
Message-ID: <200412230303.iBN33HoU011028 at xerxes.courtesan.com>

In message <41CA1625.1020706 at qut.edu.au>
	so spake Paul Stepowski (p.stepowski):

> So when you disable user passwords, you're also disabling the
> output of the sudo banner. This surprised me, I would have
> thought the two would be independent. So IMHO, it violates
> the principle of least surprise. It's not a big deal but I'm
> curious if this was done deliberately.

This is intentional, the lecture is effectively part of the password
prompt so if there is no password prompt you don't get lectured.

 - todd


------------------------------

Message: 3
Date: Wed, 22 Dec 2004 21:28:14 -0700 (MST)
From: "Alek O. Komarnitsky (N-CSC)" <alek at ast.lmco.com>
Subject: Re: [sudo-users] Defaults authenticate "feature"?
To: Todd.Miller at courtesan.com, p.stepowski at qut.edu.au
Cc: sudo-users at sudo.ws
Message-ID: <200412230428.VAA08322 at hulk.ast.lmco.com>

> From sudo-users-bounces at courtesan.com Wed Dec 22 20:03 MST 2004
> 
> In message <41CA1625.1020706 at qut.edu.au>
> 	so spake Paul Stepowski (p.stepowski):
> 
> > So when you disable user passwords, you're also disabling the
> > output of the sudo banner. This surprised me, I would have
> > thought the two would be independent. So IMHO, it violates
> > the principle of least surprise. It's not a big deal but I'm
> > curious if this was done deliberately.
> 
> This is intentional, the lecture is effectively part of the password
> prompt so if there is no password prompt you don't get lectured.
> 
>  - todd

Just to echo Todd's comments, it seems to me that if an
admin disables user passwords, then they should have 
"lectured" the user before doing so!    ;-)

alek


------------------------------


End of sudo-users Digest, Vol 24, Issue 5
*****************************************
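
Added example (not part of the original thread and not sudo's own code): a small Python audit that lists the Defaults scopes in a sudoers file where authenticate is switched off, which per Todd's reply are also the scopes where the lecture is never shown. The sample sudoers text and its user and host names are constructed; scope handling is simplified (a scoped Defaults overrides the global one), and the fallback lecture value "once" is an assumption about the sudo default.

```python
import re
# "Defaults", an optional scope (:user, @host, >runas), then the settings list.
DEFAULTS_RE = re.compile(r'^Defaults(?P<scope>[:@>]\s*\S+)?\s+(?P<settings>.+)$')

# Constructed sample sudoers text (users and host are made up).
SAMPLE = """\
Defaults        lecture=always
Defaults:alice  !authenticate
Defaults@build1 env_reset, \\
                !authenticate, !lecture
Defaults:bob    authenticate
"""

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    for line in re.sub(r'\\\n', '', text).splitlines():
        line = line.split('#', 1)[0].strip()  # simplification: ignores #include, #uid
        if line:
            yield line

def scan_defaults(text):
    """Map each Defaults scope to the authenticate/lecture values set for it."""
    scopes = {}
    for line in logical_lines(text):
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        state = scopes.setdefault((m.group('scope') or 'global').replace(' ', ''), {})
        # Simplification: commas inside quoted values split wrongly but never match below.
        for item in m.group('settings').split(','):
            name, _, value = item.strip().partition('=')
            negated, name = name.startswith('!'), name.strip().lstrip('!')
            if name == 'authenticate':
                state['authenticate'] = not negated
            elif name == 'lecture':
                state['lecture'] = 'never' if negated else (value.strip() or 'once')
    return scopes

def no_password_scopes(text):
    """Return (scope, lecture) pairs for scopes where no password is asked."""
    scopes = scan_defaults(text)
    glob = scopes.get('global', {})  # assumed fallback for scoped entries
    return [(scope, st.get('lecture', glob.get('lecture', 'once')))
            for scope, st in scopes.items()
            if not st.get('authenticate', glob.get('authenticate', True))]

if __name__ == '__main__':
    for scope, lecture in no_password_scopes(SAMPLE):
        print(f"{scope}: authenticate off, lecture={lecture} has no effect")
```
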


