[sudo-users] A 'timestamp_type' attached to the X session?

Christophe Lohr christophe.lohr at cegetel.net
Fri Aug 11 03:40:14 MDT 2023


Le 10/08/2023 à 19:18, Todd C. Miller a écrit :
>>     I would have been interested in sudo sharing its authentication as
>> part of the user's X session.
>> In concrete terms, when I run sudo in one terminal or another of my X
>> session (and respecting the timestamp timeout), the password is only
>> requested once.
>> Well, something between the "tty" type and the "global" type...
>>
>> Placing the timestamp in an X11 property may not be very secure.
>> But there may be other, more effective solutions.
>> Have there been any discussions on the subject in the past?
> I don't think anyone has requested this before.  I suppose one way
> to do this would be to store a random cookie in both the timestamp
> file and in an X11 property.
>
> However, nothing would prevent the user or X11 app from reading or
> modifying that property.  That means the cookie could potentially
> be copied to a different X11 session and sudo would accept it.
> Restricting this to a specific DISPLAY might help somewhat but would
> not prevent re-use of the cookie when the user logs out and in
> again.  I'm not sure how this can be achieved securely.

And by delegating this task to a helper?
(in a similar way to ssh-agent)

Regards
Christophe
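A sketch of what the ssh-agent-style helper suggested above could look like, as an added example that is not part of this thread and not sudo's own code. The helper (`AuthHelper`, a hypothetical name) keeps the "authenticated at" time only in its own memory and answers `GRANT`/`CHECK` queries over a Unix socket; it accepts a client only if the peer's uid (read via Linux `SO_PEERCRED`) matches its own. Because the state lives in a process rather than in a readable X11 property, there is no cookie value to copy to another session, and when the helper exits with the login session, nothing survives for reuse. The `demo()` function drives it with a fake clock so the timeout path is reproducible.

```python
"""ssh-agent style helper for session-scoped sudo-like authentication state.
Added example, not sudo's code. Assumes Linux (SO_PEERCRED on AF_UNIX)."""
import os
import socket
import struct
import tempfile
import threading
import time

PEERCRED_FMT = "3i"  # struct ucred on Linux: pid, uid, gid


class AuthHelper:
    """Holds the time of the last successful authentication in memory and
    serves CHECK/GRANT requests over a Unix socket restricted to one uid."""

    def __init__(self, path, timeout=300, clock=time.monotonic):
        self.path = path
        self.timeout = timeout      # seconds, like sudo's timestamp timeout
        self.clock = clock          # injectable for deterministic tests
        self.uid = os.getuid()
        self.granted_at = None      # None until a GRANT is recorded
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.bind(path)
        os.chmod(path, 0o600)       # filesystem-level restriction as well
        self.sock.listen(8)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return              # socket shut down: helper is exiting
            with conn:
                conn.sendall(self._handle(conn))

    def _handle(self, conn):
        # Kernel-supplied peer credentials: cannot be forged by the client.
        raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                              struct.calcsize(PEERCRED_FMT))
        _pid, uid, _gid = struct.unpack(PEERCRED_FMT, raw)
        if uid != self.uid:
            return b"DENY peer-uid"
        cmd = conn.recv(64).strip()
        if cmd == b"GRANT":         # caller has just verified the password
            self.granted_at = self.clock()
            return b"OK"
        if cmd == b"CHECK":
            if (self.granted_at is not None
                    and self.clock() - self.granted_at < self.timeout):
                return b"OK"
            return b"DENY expired"
        return b"DENY unknown"

    def shutdown(self):
        """Models the end of the login session: state dies with the process."""
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        self.sock.close()
        os.unlink(self.path)


def ask(path, cmd):
    """Client side: one request, one reply. NOHELPER if no helper is listening."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.connect(path)
            s.sendall(cmd)
            return s.recv(64).decode()
    except OSError:
        return "NOHELPER"


def demo():
    """Walk through the lifecycle with a controllable clock."""
    now = [1000.0]
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "helper.sock")  # constructed test path
    helper = AuthHelper(path, timeout=300, clock=lambda: now[0])
    results = []
    results.append(ask(path, b"CHECK"))   # nothing granted yet
    results.append(ask(path, b"GRANT"))   # first sudo in the session
    results.append(ask(path, b"CHECK"))   # any terminal in the session: OK
    now[0] += 301                         # timestamp timeout elapsed
    results.append(ask(path, b"CHECK"))
    helper.shutdown()                     # logout: no state left to reuse
    results.append(ask(path, b"CHECK"))
    os.rmdir(tmpdir)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is the trust boundary: the only thing a client can present is a connection, and the kernel, not the client, tells the helper who is on the other end, so there is no token for another session (or a later login) to replay.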

