
List:       kde-core-devel
Subject:    Re: kdesudo
From:       Alex Merry <kde () randomguy3 ! me ! uk>
Date:       2009-02-23 19:06:41
Message-ID: 200902231906.42210.kde () randomguy3 ! me ! uk


On Monday 23 February 2009 05:34:26 John Tapsell wrote:
> A point brought up during the whole .desktop security problem is
> kdesudo.  It only prompts for the password once, and from then on
> (for the next X minutes) doesn't ask for the password again.
>
> So a program that wants to become root only has to wait until kdesudo
> has been run normally, and then can run kdesudo itself, elevating
> itself to root without the user knowing.

This is a general problem with sudo.  Even if we worked around it in kdesudo, 
an application could still call sudo directly after such an event, unless the 
sudoers file sets the timeout to 0, as Pau mentioned.

Alex


-- 
Why have I got six monitors?  Because I haven't got room for eight.
  -- Terry Pratchett
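
The mitigation mentioned in the message above, a sudoers timeout of 0, can be checked mechanically. The following is an added example, not part of the original message or of kdesudo: it reads sudoers text and reports whether any credential-cache window remains. `timestamp_timeout` is the sudoers option that controls that window; the function name, the constructed sample files and the 5-minute compiled-in default are assumptions.

```python
import re

# Assumption: upstream sudo's documented default of 5 minutes; a distribution
# may compile in a different value, so pass the local one if it differs.
UPSTREAM_DEFAULT_MINUTES = 5.0

_SETTING = re.compile(r"\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)")
_DEFAULTS = re.compile(r"^Defaults(\S*)\s+(.*)$")

# Constructed sample files (not taken from the thread).
CACHING = """\
Defaults env_reset
Defaults:alice timestamp_timeout=15   # per-user override
%sudo ALL=(ALL:ALL) ALL
"""
PROMPT_ALWAYS = """\
Defaults env_reset, \\
         timestamp_timeout=0
# Defaults timestamp_timeout=30
%sudo ALL=(ALL:ALL) ALL
"""

def audit_timestamp_timeout(sudoers_text, compiled_default=UPSTREAM_DEFAULT_MINUTES):
    """Report the credential-cache window configured in sudoers text.

    Returns {"global": minutes, "scoped": [(scope, minutes)], "caches": bool}.
    Simplification: included files are not followed.
    """
    # Join backslash-continued lines before parsing.
    text = re.sub(r"\\\n", "", sudoers_text)
    global_value, scoped = compiled_default, []
    for raw in text.splitlines():
        # Blank out quoted strings, then drop trailing comments.
        line = re.sub(r'"[^"]*"', '""', raw).split("#", 1)[0].strip()
        entry = _DEFAULTS.match(line)
        if not entry:
            continue
        scope, params = entry.groups()
        for value in _SETTING.findall(params):
            if scope:                      # Defaults:user, Defaults@host, ...
                scoped.append((scope, float(value)))
            else:                          # plain "Defaults": last one wins
                global_value = float(value)
    # 0 means always prompt; a negative value never expires until reboot.
    caches = global_value != 0 or any(v != 0 for _, v in scoped)
    return {"global": global_value, "scoped": scoped, "caches": caches}

if __name__ == "__main__":
    print(audit_timestamp_timeout(CACHING))
    print(audit_timestamp_timeout(PROMPT_ALWAYS))
```

A result with `caches` set to true means any process running as that user can invoke sudo without a prompt inside the window, whether or not kdesudo is involved.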

