[sudo-users] A 'timestamp_type' attached to the X session?

Todd C. Miller Todd.Miller at sudo.ws
Thu Aug 10 11:18:03 MDT 2023


On Tue, 08 Aug 2023 10:32:13 +0200, Christophe Lohr wrote:

>    I would have been interested in sudo sharing its authentication as 
> part of the user's X session.
> In concrete terms, when I run sudo in one terminal or another of my X 
> session (and respecting the timestamp timeout), the password is only 
> requested once.
> Well, something between the "tty" type and the "global" type...
>
> Placing the timestamp in an X11 property may not be very secure.
> But there may be other, more effective solutions.
> Have there been any discussions on the subject in the past?

I don't think anyone has requested this before.  I suppose one way
to do this would be to store a random cookie in both the timestamp
file and in an X11 property.

However, nothing would prevent the user or X11 app from reading or
modifying that property.  That means the cookie could potentially
be copied to a different X11 session and sudo would accept it.
Restricting this to a specific DISPLAY might help somewhat but would
not prevent re-use of the cookie when the user logs out and in
again.  I'm not sure how this can be achieved securely.

 - todd
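
Added example, not part of the original message and not sudo code: a toy Python model of the cookie scheme discussed above, showing which of the three cases the reply mentions (copy to another session, restriction to a DISPLAY, logout and login again) a cookie check would accept. `XSession`, `TimestampRecord` and the property name are hypothetical stand-ins; no real X11 calls are made and the timestamp timeout is assumed not to have expired.

```python
import secrets
from dataclasses import dataclass, field

PROP = "_SUDO_COOKIE_EXAMPLE"  # hypothetical property name, not used by sudo


@dataclass
class XSession:
    """Toy stand-in for one X11 login session."""
    display: str
    # Root-window properties: any client of the session can read or write them.
    properties: dict = field(default_factory=dict)


@dataclass
class TimestampRecord:
    """Toy stand-in for a timestamp entry under the proposed scheme."""
    cookie: str
    display: str


def authenticate(session: XSession) -> TimestampRecord:
    """After a successful password prompt, store the cookie in both places."""
    cookie = secrets.token_hex(16)
    session.properties[PROP] = cookie
    return TimestampRecord(cookie=cookie, display=session.display)


def accepts(record: TimestampRecord, session: XSession, bind_display: bool) -> bool:
    """Would the scheme skip the password prompt for this session?"""
    presented = session.properties.get(PROP)
    if presented is None or not secrets.compare_digest(presented, record.cookie):
        return False
    return not bind_display or session.display == record.display


def demo() -> dict:
    original = XSession(":0")
    record = authenticate(original)
    cookie = original.properties[PROP]              # readable by any X11 client
    other = XSession(":1", {PROP: cookie})          # cookie copied elsewhere
    relogin = XSession(":0", {PROP: cookie})        # same DISPLAY, new login
    return {
        "same_session": accepts(record, original, True),
        "copied_unbound": accepts(record, other, False),
        "copied_bound": accepts(record, other, True),
        "relogin_bound": accepts(record, relogin, True),
        "fresh_login": accepts(record, XSession(":0"), True),
    }
```

The `relogin_bound` case is the one the DISPLAY restriction does not cover: the display name is the same after logging out and in again, so a saved cookie still matches.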

