[sudo-users] Why does sudo return success for bad password?

Grant Taylor gtaylor at tnetconsulting.net
Sat Mar 21 01:16:19 MDT 2020

On 3/21/20 1:07 AM, Jeffrey Walton wrote:
> Thanks Grant.

You're welcome.

> Re: the information leak. Probably not. When a bad password is entered 
> the attempt is throttled by the OS. The information leak is already 
> present through timing. So there is no increase in risk for sudo.

I consider that to be an OS (distro?) bug.

Remember, sudo wants to not be the source of the information leak.  It 
can't help it if the OS (distro) leaks the information.

Grant. . . .
unix || die

More information about the sudo-users mailing list