[sudo-users] Why does sudo return success for bad password?

Jeffrey Walton noloader at gmail.com
Sat Mar 21 01:07:09 MDT 2020


On Sat, Mar 21, 2020 at 2:57 AM Grant Taylor via sudo-users
<sudo-users at sudo.ws> wrote:
>
> On 3/20/20 10:30 PM, Jeffrey Walton wrote:
>
> > Subject: Why does sudo return success for bad password?
>
> Returning one thing for a good password and something else for a bad
> password can be used as an information leak.
>
> I expect that sudo purposefully returns the same thing for success and exit.

Thanks Grant.

Re: the information leak. Probably not. When a bad password is entered
the attempt is throttled by the OS. The information leak is already
present through timing. So there is no increase in risk for sudo.

Jeff

