[sudo-workers] Question/Suggestion about not automatically forwarding sudo permissions to scripts.

Matthias Aechtner matthias at aechtners.de
Mon Jul 31 08:00:48 MDT 2017


Hi everyone,

After executing `sudo` and entering the user password the following
`sudo` commands do not require retyping the password. That seems
reasonable and useful to me.

When I execute a script without `sudo`, then I do not want the script to
have any root privileges. However, when the script itself contains lines
starting with `sudo`, these commands will be executed with root
privileges without asking for password.

I am wondering if it would be possible to allow `sudo` commands to
execute without reentering the password only in the current interactive
shell, but not to forward the permission to run with `sudo` into scripts
that are executed.

In my case I downloaded a script from the internet and I was willing to
risk running it unseen with user privileges on my computer, and was
shocked when I saw the script executing with root privileges (even though
I ran it without `sudo`, just because I had run `sudo` in the same session
before). IMHO this behavior exposes a security risk that should, if
possible, be eliminated in future versions of `sudo`.

What do you think about it?

This mailing list was the best medium that I was able to find for bringing
up this suggestion; I apologize in case I should have addressed myself
somewhere else instead (where?).

Cheers,

Matthias
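The behaviour described in the mail is controlled by sudo's timestamp settings. As an added example that is not part of the original message, a sudoers drop-in showing the default beside two ways to stop a cached credential from reaching a child script (the file name is an assumption; `timestamp_type` requires a sudo version that supports it):

```sudoers
# Added example (not from the original mail): /etc/sudoers.d/timestamp-hardening
# Edit with `visudo -f /etc/sudoers.d/timestamp-hardening` so syntax errors are caught.

# Default behaviour described in the mail: one successful `sudo` caches the
# credential for the terminal session (5 minutes by default, some distributions
# raise this), so a script run later from that shell reaches `sudo` inside it
# without a password prompt.
#Defaults timestamp_timeout=5

# Option 1: never cache credentials; every `sudo` prompts for a password.
Defaults timestamp_timeout=0

# Option 2 (assumption: sudo 1.8.21 or later): tie the cached credential to
# the parent process of the `sudo` invocation. The interactive shell keeps its
# cache, but `sudo` run from a child script has a different parent and must
# prompt again.
#Defaults timestamp_type=ppid
```

For a one-off run without changing configuration, `sudo -k` invalidates the current user's cached credential so that a script executed right afterwards is prompted again.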
