[sudo-workers] Parsing TTY information before checking user permission reg.
Todd C. Miller
Todd.Miller at courtesan.com
Thu Jun 8 07:55:01 MDT 2017
On Thu, 08 Jun 2017 10:19:00 +0530, Vigneswaran R wrote:
> It appears that sudo is parsing the /proc/self/stat before checking
> whether the user is having permission to run sudo or not. Isn't it
> better if we do the parsing only after verifying the user permission?
> Or is it done that way for some reasons (such as user verification and
> the subsequent command execution are tightly coupled)?
The terminal name is part of the information passed to the policy
plugin. In the case of sudoers, the tty is used to determine whether
the user needs to enter a password and is also used in the log
Since /proc/self/stat is generated by the kernel it seems reasonable
to trust its contents. On Linux there was a design decision to
make this human-readable which, unfortunately, makes it more difficult
to parse. Other systems do not have this problem.
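The parsing difficulty mentioned in the reply, as an added example that is not part of the original message and is not sudo's code: per proc(5), field 2 of /proc/self/stat is the command name in parentheses and field 7 is tty_nr, so a command name containing spaces shifts a whitespace split. The function names are hypothetical and the sample lines are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample lines (cut off after field 9); 34816 is the real tty_nr. */
static const char STAT_PLAIN[]  = "4321 (bash) S 4000 4321 4321 34816 4321 4194304";
static const char STAT_SPACES[] = "4321 (a b c d e 77) S 4000 4321 4321 34816 4321 4194304";

/* Naive: split on spaces and take token 7. Returns -1 if there is no token 7. */
static long tty_nr_naive(const char *stat)
{
    char buf[256], *tok;
    int field = 0;
    snprintf(buf, sizeof(buf), "%s", stat);
    for (tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " "))
        if (++field == 7)
            return strtol(tok, NULL, 10);
    return -1;
}

/* Robust: field 2 is "(comm)" and comm may hold spaces or ')', so resume
 * after the last ')' and count fields from there. Returns -1 on failure. */
static long tty_nr_robust(const char *stat)
{
    const char *p = strrchr(stat, ')');
    char *end;
    long v;
    if (p == NULL)
        return -1;
    p++;
    for (int i = 0; i < 4; i++) {      /* skip state, ppid, pgrp, session */
        p += strspn(p, " ");
        if (*p == '\0')
            return -1;
        p += strcspn(p, " ");
    }
    p += strspn(p, " ");
    v = strtol(p, &end, 10);
    if (end == p || (*end != ' ' && *end != '\0' && *end != '\n'))
        return -1;
    return v;
}

int main(void)
{
    printf("plain:  naive=%ld robust=%ld\n", tty_nr_naive(STAT_PLAIN), tty_nr_robust(STAT_PLAIN));
    printf("spaces: naive=%ld robust=%ld\n", tty_nr_naive(STAT_SPACES), tty_nr_robust(STAT_SPACES));
    return 0;
}
```

On the second sample the naive split returns a number taken from the command name, while the scan from the last ')' still returns the kernel-supplied tty_nr.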