[sudo-users] proposed mail_always behavior change

Scott R. Corzine scott at ties.org
Thu Feb 12 16:13:04 MST 2015 

On Thu, Feb 12, 2015 at 1:46 PM, Todd C. Miller <Todd.Miller at courtesan.com>
wrote:
>
> On Thu, 12 Feb 2015 18:08:51 +0000, Tim Bradshaw wrote:
>
> > I don't have strong feelings, but would it be possible to
> >
> > - make the change to mail_always as you specify;
> > - add a mail_obsessively (or some better name) flag which does what
> > mail_always now does.?
>
> That's easy to do but I think I'll wait for someone to ask for it
> first :-)


Ok, I'll ask for it, but a step farther:

* Keep mail_always as it is (including list & validate).
* Introduce mail_usually (or something) with the proposed semantics.


A sudo upgrade (especially a minor one) should not make existing
configurations using long standing features any weaker.




[Sorry, long explanations follow - "I lacked the time to make it shorter"]


Security Issues:

* A successful sudo -v is NOT security-neutral since it advances the
timestamp, without password if we're still in the window. This allows
timestamp_timeout to be easily subverted:

$ while sudo -v && sleep 270; do :; done &

I'll admit that I occasionally do this if I've got an automated series of
sudo commands which need to run unattended (batch or overnight shell) and
are not guaranteed to run within the timeout every time. I have
accidentally left such a loop running in the background and getting the
alert messages allowed be to detect it.

Although I'm authorized to do this it is an unusual enough thing that it
merits human review. No other authorized user would use a construct like
this (or even use the -v option unscripted) seeing a series of
alerts/emails like this from them would be an immediate yellow flag.

* There have been previous discussions here about people/scripts misusing
-l to detect whether or not this account has an opportunity to exploit a
sudo command. It would be more in the security paranoid category (which
sudo serves too) if it wasn't for the fact that as sudo becomes
increasingly standard on OS X & Linux distributions there are non-sysadmin
shell scripts out there that silently ARE using undocumented sudo commands
for questionable or unnecessary reasons at best.

* If your best alert system is email then that's what you've got to work
with. You'll have to find the balance between email alerts generated, those
handled by filters, those ignored, and those read. Anyone already using
mail_always today has made that choice.


Who Benefits?

* Most people using mail_always are likely to be adversely affected by
this, probably aren't on these lists, doesn't read the very detailed
Changelogs spanning many releases, won't notice the minor change in wording
buried in the manual page, and won't notice the lack of mail they were
expecting. We have now silenced an event they considered significant enough
to put up with the extra messages or setup automated mail handling. And
they won't know it.

* Those who actively want this are much more likely to look for it via
Google, to be here asking for it, etc. They will probably find the new
option with the new name mail_usually, use it, and be happy.

* Those who wanted it in the past but couldn't solve the incoming mail
issue probably don't use the mail_always feature as a result. If they are
paying close enough attention to notice the change in semantics to a minor
feature then they are probably in the above category (actively/passively
want).

Otherwise, they would theoretically benefit from the change if they started
using mail_always but they're not using mail_always now and are unlikely to
know about it. Ironically, a new name with new semantics is more likely to
get noticed by this group.

* The number of people who are using mail_always now and aren't dealing
with it in their mail system/filters/list of daily manually
ignored-and-deleted are probably those for whom these messages rarely occur
because the options are rarely used. They are unlikely to notice the
missing rare messages and while they might arguably be getting what they
originally would have wanted if it was that way originally. But how much
gain is there if an annoying alarm unknowingly goes away instead of the
root problem going away?


Personally, I don't use the mail features of sudo today but would use it in
the mail_always mode if I had a different network/mail/alert configuration.
I'm mostly worried about those who aren't here.

Thanks,
-Scott R. Corzine-

More information about the sudo-users mailing list