[sudo-workers] Feature request: always prompt for password with -S option
Kris Kowal
cowbertvonmoo at gmail.com
Thu Aug 3 20:13:16 EDT 2006
Sudoers,
I presume that the intended purpose of the -S option in sudo is to
avoid opening /dev/tty on systems where it is not available. However,
I find that people commonly use the option to authenticate from a file
or echo in scripts. While this is a security feaux pas, I can think
of situations where it might be acceptable.
There is however a problem with using sudo in this way. After the
first time a script authenticates, following uses of sudo -S will not
be prompted for a password. In most cases this is acceptable, but on
one hand it is a security problem, and on the other makes valid uses
difficult. It is a security problem because in these cases, the user
might pass their password to the underlying sudoed command's input
stream. It is a correctness problem because whether the password is
eaten by sudo or the resultant command is indeterminate.
I recommend that the -S option by default require a password, ignoring
the timestamp of the last use of sudo. Since this would hinder people
using sudo to avoid /dev/tty, it might be desirable to just add an
option that causes sudo to unconditionally require a password.
If there is concensus on the issue, I'll consider participating in the
patch-making process. Please CC me in responses (sometimes automatic
with "reply to all" in your mail client).
Kris Kowal.
More information about the sudo-workers
mailing list