[sudo-workers] Parsing TTY information before checking user permission reg.
vignesh at atc.tcs.com
Thu Jun 8 23:48:43 MDT 2017
On 06/08/2017 07:25 PM, Todd C. Miller wrote:
> On Thu, 08 Jun 2017 10:19:00 +0530, Vigneswaran R wrote:
>> It appears that sudo is parsing the /proc/self/stat before checking
>> whether the user is having permission to run sudo or not. Isn't it
>> better if we do the parsing only after verifying the user permission?
>> Or is it done that way for some reasons (such as user verification and
>> the subsequent command execution are tightly coupled)?
> The terminal name is part of the information passed to the policy
> plugin. In the case of sudoers, the tty is used to determine whether
> the user needs to enter a password and is also used in the log
> Since /proc/self/stat is generated by the kernel it seems reasonable
> to trust its contents. On Linux there was a design decision to
> make this human-readable which, unfortunately, makes it more difficult
> to parse. Other systems do not have this problem.
Ok. Thanks for the clarification.
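
Added example, not part of the original thread and not sudo's own code: a C sketch of why the human-readable /proc/self/stat format is awkward to parse, and one way to read field 7 (tty_nr) by counting from the last ')' of the comm field. The function names and the sample lines are constructed for illustration; the naive parser is a hypothetical contrast only.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical naive parser: takes the 7th space-separated token. */
long naive_tty_nr(const char *line)
{
    const char *p = line;
    for (int skipped = 0; skipped < 6 && p != NULL; skipped++) {
        p = strchr(p, ' ');
        if (p != NULL)
            p++;
    }
    return p != NULL ? strtol(p, NULL, 10) : -1;
}

/* Returns field 7 (tty_nr) or -1 if the line is malformed. comm (field 2)
 * is "(name)" and name may hold spaces or ')', so count from the LAST ')'. */
long stat_tty_nr(const char *line)
{
    const char *p = strrchr(line, ')');
    if (p == NULL)
        return -1;
    p++;
    for (int field = 3; field <= 7; field++) {  /* state ppid pgrp session tty_nr */
        if (*p++ != ' ' || *p == ' ' || *p == '\0')
            return -1;                      /* exactly one space, then a token */
        if (field == 7)
            break;
        p += strcspn(p, " ");               /* skip this token */
    }
    char *end;
    errno = 0;
    long v = strtol(p, &end, 10);
    if (errno != 0 || end == p || (*end != ' ' && *end != '\n' && *end != '\0'))
        return -1;
    return (v < 0 || v > INT_MAX) ? -1 : v;
}

/* Constructed sample lines (truncated after a few fields), not real captures. */
static const char *SAMPLE_PLAIN  = "4242 (bash) S 4200 4242 4242 34816 4242 4194304";
static const char *SAMPLE_SPACES = "4243 (my prog 1) S 4200 4243 4242 34817 4243 4194304";

int main(void)
{
    printf("plain : naive=%ld robust=%ld\n", naive_tty_nr(SAMPLE_PLAIN), stat_tty_nr(SAMPLE_PLAIN));
    printf("spaces: naive=%ld robust=%ld\n", naive_tty_nr(SAMPLE_SPACES), stat_tty_nr(SAMPLE_SPACES));
    return 0;
}
```

On the second sample the naive count returns the pgrp value instead of tty_nr, because the spaces inside the comm field shift every later token.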