[sudo-workers] Question/Suggestion about not automatically forwarding sudo permissions to scripts.
Todd C. Miller
Todd.Miller at courtesan.com
Mon Jul 31 15:44:03 MDT 2017

On Mon, 31 Jul 2017 16:00:48 +0200, Matthias Aechtner wrote:
> When I execute a script without `sudo`, then I do not want the script to
> have any root privileges. However, when the script itself contains lines
> starting with `sudo`, these commands will be executed with root
> privileges without asking for password.
>
> I am wondering if it would be possible to allow `sudo` commands to
> execute without reentering the password only in the current interactive
> shell, but not to forward the permission to run with `sudo` into scripts
> that are executed.

By default, sudo will allow additional commands to be run from the
same terminal for five minutes. When a terminal is not available,
it uses the parent process ID instead (typically the shell's process
ID). This is not currently exposed as a configurable option but
it could be without much effort. I think that would make sudo
behave the way you want.

> In my case I downloaded a script from the internet and I was willing to
> risk running it unseen with user privileges on my computer, and was
> shocked when I saw the script executing with root privileges (even though I
> ran it without `sudo`, just because I had run `sudo` in the same session
> before). IMHO this behavior exposes a security risk that should, if
> possible, be eliminated in future versions of `sudo`.

I'm sorry but running an arbitrary script from the internet is the
real security issue here. Even if sudo wasn't able to run without
a password, the script would still have access to your terminal and
any files writable by your user ID. A nefarious program would be
capable of stealing passwords or trojaning your shell startup files.

That said, I'm not opposed to adding a sudoers option to use the
parent pid instead of the tty name to differentiate between timestamp
records. I've written a proof of concept diff that appears to
work as expected.

 - todd
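
The time stamp matching discussed in this thread, as an added example that is not part of the original message and is not sudo's code: a simplified Python model comparing records keyed by terminal (the default described above) with records keyed by parent PID (the proposed option). The class and function names, the user `alice`, the PIDs and the terminal name are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

TIMEOUT = 5 * 60  # seconds: the five-minute default described in the message


@dataclass(frozen=True)
class SudoCall:
    ppid: int            # PID of the process that invoked sudo
    tty: Optional[str]   # terminal sudo runs on, or None when there is none


class TimestampStore:
    """Simplified model of sudo's time stamp records (not sudo's real code)."""
    def __init__(self, mode: str):
        self.mode = mode   # "tty" (default described above) or "ppid" (proposed)
        self.records = {}  # (user, kind, value) -> time of last authentication

    def _key(self, user: str, call: SudoCall):
        # "tty" mode falls back to the parent PID only when there is no terminal.
        if self.mode == "tty" and call.tty is not None:
            return (user, "tty", call.tty)
        return (user, "ppid", call.ppid)

    def run(self, user: str, call: SudoCall, now: float) -> bool:
        """Return True when this invocation has to prompt for a password."""
        key = self._key(user, call)
        stamp = self.records.get(key)
        prompted = stamp is None or now - stamp > TIMEOUT
        self.records[key] = now  # assumes authentication succeeded
        return prompted


def scenario(mode: str) -> dict:
    """Constructed session: shell PID 1000 on /dev/pts/3 starts script PID 1002."""
    store = TimestampStore(mode)
    from_shell = SudoCall(ppid=1000, tty="/dev/pts/3")
    from_script = SudoCall(ppid=1002, tty="/dev/pts/3")
    return {
        "first sudo in shell": store.run("alice", from_shell, now=0),
        "sudo inside script": store.run("alice", from_script, now=60),
        "shell again": store.run("alice", from_shell, now=120),
        "shell after timeout": store.run("alice", from_shell, now=121 + TIMEOUT),
    }


if __name__ == "__main__":
    for mode in ("tty", "ppid"):
        print(mode, scenario(mode))
```

In the `tty` run the script's sudo call matches the shell's record and does not prompt; in the `ppid` run it has a different parent PID and prompts.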