[sudo-users] Why does sudo return success for bad password?

Grant Taylor gtaylor at tnetconsulting.net
Sat Mar 21 01:16:19 MDT 2020


On 3/21/20 1:07 AM, Jeffrey Walton wrote:
> Thanks Grant.

You're welcome.

> Re: the information leak. Probably not. When a bad password is entered 
> the attempt is throttled by the OS. The information leak is already 
> present through timing. So there is no increase in risk for sudo.

I consider that to be an OS (distro?) bug.

Remember, sudo wants to not be the source of the information leak.  It 
can't help it if the OS (distro) leaks the information.



-- 
Grant. . . .
unix || die


