[sudo-workers] Question/Suggestion about not automatically forwarding sudo permissions to scripts.

Todd C. Miller Todd.Miller at courtesan.com
Mon Jul 31 15:44:03 MDT 2017


On Mon, 31 Jul 2017 16:00:48 +0200, Matthias Aechtner wrote:

> When I execute a script without `sudo`, then I do not want the script to
> have any root privileges. However, when the script itself contains lines
> starting with `sudo`, these commands will be executed with root
> privileges without asking for password.
> 
> I am wondering if it would be possible to allow `sudo` commands to
> execute without reentering the password only in the current interactive
> shell, but not to forward the permission to run with `sudo` into scripts
> that are executed.

By default, sudo will allow additional commands to be run from the
same terminal for five minutes.  When a terminal is not available,
it uses the parent process ID instead (typically the shell's process
ID).  This is not currently exposed as a configurable option but
it could be without much effort.  I think that would make sudo
behave the way you want.

> In my case I downloaded a script from the internet and I was willing to
> risk running it unseen with user privileges on my computer, and was
> shocked when I saw the script executing with root privileges (even though I
> ran it without `sudo`, just because I had run `sudo` in the same session
> before). IMHO this behavior exposes a security risk that should, if
> possible, be eliminated in future versions of `sudo`.

I'm sorry but running an arbitrary script from the internet is the
real security issue here.  Even if sudo wasn't able to run without
a password, the script would still have access to your terminal and
any files writable by your user ID.  A nefarious program would be
capable of stealing passwords or trojaning your shell startup files.

That said, I'm not opposed to adding a sudoers option to use the
parent pid instead of the tty name to differentiate between timestamp
records.  I've written a proof of concept diff that appears to
work as expected.

 - todd
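An added example, not from this thread or from the sudo sources: a POSIX shell audit that reads sudoers `Defaults` text (or the `Defaults` portion of `sudo -l` output) and reports whether a credential cached by an interactive `sudo` could be reused, without a password prompt, by a script run later from the same shell. It uses the option names that shipped in later sudo releases, `timestamp_type` (values `global`, `ppid`, `tty`, `kernel`) and `timestamp_timeout`; the thread itself only describes a proof-of-concept diff. The sample inputs are constructed, and only global `Defaults` lines are examined (per-user and per-host forms are ignored).

```shell
#!/bin/sh
# Added example (not from the sudo-workers thread or the sudo sources).
# Audits the sudoers Defaults that decide whether a credential cached by an
# interactive `sudo` can be reused, password-free, by a script run later
# from the same shell. Reads sudoers text or `sudo -l` output on stdin.
# Only global "Defaults" lines are examined (per-user/host forms are ignored).

# Print the last value assigned to a Defaults option, "true"/"false" for a
# bare or negated boolean, or an empty line when the option is not set.
sudo_default_value() {
    opt="$1"
    tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/^Defaults[[:space:]]*//' \
    | awk -v o="$opt" '
        $1 == o                { v = "true" }
        $1 ~ ("^!" o "$")      { v = "false" }
        index($1, o "=") == 1  { v = substr($1, length(o) + 2) }
        END { print v }'
}

# Classify the reuse scope of a cached credential:
#   none    timestamp_timeout=0  -> every sudo prompts, nothing is cached
#   ppid    timestamp_type=ppid  -> keyed to sudo's parent process; a script
#           runs as a new process, so its sudo calls get a fresh prompt
#   tty     default (tty/kernel) -> any process on the same terminal reuses
#           it within the timeout, the behaviour described in the thread
#   global  timestamp_type=global -> any process of the user reuses it
sudo_reuse_scope() {
    text=$(cat)
    timeout=$(printf '%s\n' "$text" | sudo_default_value timestamp_timeout)
    ts_type=$(printf '%s\n' "$text" | sudo_default_value timestamp_type)
    if [ "$timeout" = "0" ]; then
        echo none
        return 0
    fi
    case "$ts_type" in
        ppid)          echo ppid ;;
        global)        echo global ;;
        tty|kernel|"") echo tty ;;
        *)             echo unknown ;;
    esac
}

# Constructed inputs (not captured from a real host).
# 1) Stock Defaults as `sudo -l` prints them: tty-scoped, five-minute cache.
SAMPLE_STOCK='Matching Defaults entries for alice on host:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin'
# 2) Hardened sudoers: credential keyed to the calling shell process.
SAMPLE_PPID='Defaults env_reset
Defaults timestamp_type=ppid, timestamp_timeout=5'
# 3) Strictest sudoers: no caching at all.
SAMPLE_NONE='Defaults env_reset, timestamp_timeout=0'

# Live use (not run here):  sudo -l | sudo_reuse_scope
for s in "$SAMPLE_STOCK" "$SAMPLE_PPID" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | sudo_reuse_scope
done
```

Whatever the sudoers policy says, a user can discard the credential cached for the current terminal with `sudo -k` before launching anything untrusted; the audit above only tells you whether that step is necessary on a given host.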

