[sudo-users] Comparing -k and -K

Todd C. Miller Todd.Miller at millert.dev
Wed Dec 28 11:02:35 MST 2022


On Wed, 28 Dec 2022 10:31:53 -0700, Grant Taylor via sudo-users wrote:

> I'm now wondering how likely it is that someone / something could
> leverage remaining access.
>
> E.g. Suppose I close an XTerm that I had just used sudo in, walked away
> from, but did not lock my system.  --  Could someone open a new XTerm,
> somehow getting the same PTY, and leverage the remaining sudo credential
> timeout?

Each user has their own cached credential file so it is not possible
for a different user to re-use them.  However, it is possible,
though not trivial, for the same user to do so.

> I would naively assume that the caching couldn't be subverted that
> easily.  I would hope that there is more than just TTY / PTY to identify
> the session.  Ideally it should probably include PID and possibly even
> PPID in addition to the TTY / PTY.

Yes, it also uses the session ID.  The format is documented in the
sudoers_timestamp manual.

> Can ~> will someone explain the potential vulnerability that flushing
> the terminal's cached time with `-k` closes?

If the same user was to log in via the same terminal and have the
same session ID they could use the old cached credentials.  This
would likely require creating enough processes to wrap around the
process ID namespace to get to the desired session ID.  I have never
tried to do this, but it should be possible.

 - todd
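As an added illustration of the mechanism Todd describes (example code, not anything from the sudo project), the Python below models the per-user timestamp file: each record carries the authenticating uid, the session ID and the tty device, so reuse requires all three to match, and `-k` only disables the matching records while `-K` removes the whole file. The version-2 record layout, the TS_TTY/TS_DISABLED values and the 5-minute default timeout are assumptions taken from the sudoers_timestamp(5) and sudoers(5) manuals for a 64-bit Linux build; all record bytes are constructed inline rather than read from /run/sudo/ts.

```python
import struct
from collections import namedtuple

# Assumed layout of a sudoers_timestamp(5) version-2 record on 64-bit Linux:
# version, size, type, flags (u16 each), auth_uid (u32), sid (i32),
# start_time (sec, nsec), ts (sec, nsec), ttydev-or-ppid (u64).
REC = struct.Struct("<HHHHIiqqqqQ")
TS_TTY = 2          # per-tty record type (assumed value from the manual)
TS_DISABLED = 0x01  # flag marking a record as invalidated (assumed value)

Entry = namedtuple("Entry", "kind flags auth_uid sid ttydev ts")

def pack_tty_record(auth_uid, sid, ttydev, ts, flags=0):
    """Build one TS_TTY record; constructed test data only."""
    sec, frac = divmod(ts, 1.0)
    return REC.pack(2, REC.size, TS_TTY, flags, auth_uid, sid, 0, 0,
                    int(sec), int(frac * 1e9), ttydev)

def parse(blob):
    """Split a timestamp file into Entry tuples."""
    return [Entry(t, fl, uid, sid, u, s + ns / 1e9)
            for _, _, t, fl, uid, sid, _, _, s, ns, u
            in REC.iter_unpack(blob)]

def can_reuse(blob, auth_uid, sid, ttydev, now, timeout=300):
    """Reuse condition from the thread: a TS_TTY record for the same user,
    tty device and session ID that is not disabled and is younger than
    timestamp_timeout (sudo's default is 5 minutes)."""
    return any(e.kind == TS_TTY and not e.flags & TS_DISABLED
               and (e.auth_uid, e.sid, e.ttydev) == (auth_uid, sid, ttydev)
               and 0 <= now - e.ts < timeout
               for e in parse(blob))

def reset_k(blob, sid, ttydev):
    """Model of `sudo -k`: disable the records for this tty/session only;
    records belonging to other terminals stay usable."""
    out = bytearray()
    for fields in REC.iter_unpack(blob):
        f = list(fields)
        if f[2] == TS_TTY and (f[5], f[10]) == (sid, ttydev):
            f[3] |= TS_DISABLED
        out += REC.pack(*f)
    return bytes(out)

def remove_K(blob):
    """Model of `sudo -K`: the file is unlinked, so no record survives."""
    return b""
```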

