
List:       kde-core-devel
Subject:    Re: kdesudo
From:       Shaun Reich <predator106 () gmail ! com>
Date:       2009-02-24 1:28:28
Message-ID: 2165e9910902231728q7022f9f9ye2abf2b3f4b93ad1 () mail ! gmail ! com

On Mon, Feb 23, 2009 at 5:59 PM, Parker Coates <parker.coates@gmail.com> wrote:
> On Mon, Feb 23, 2009 at 17:22, Thomas Lübking wrote:
>> On Monday 23 February 2009, Alex Merry wrote:
>>> On Monday 23 February 2009 05:34:26 John Tapsell wrote:
>>> > A point brought up during the whole .desktop security problem, is
>>> > kdesudo. It only prompts for the password once, and then from then on
>>> > (for next X minutes), doesn't ask for the password again.
>>> >
>>> > So a program that wants to become root only has to wait until kdesudo
>>> > has been run normally, and then can run kdesudo itself, elevating
>>> > itself to root without the user knowing.
>>>
>>> This is a general problem with sudo. Even if we worked around it in
>>> kdesudo, an application could still call sudo directly after such an
>>> event,
>>> unless the sudoers file sets the timeout to 0, as Pau mentioned.
>>
>> Isn't sudo somehow shellwise restricted (i.e. if you e.g. sudo from one
>> bash, you cannot sudo from another w/o re-entering the password)?
>
> By default yes, but sudo can be configured to save the password across shells.
>
> Really, I don't think this is KDE's problem. sudo works the way it was
> designed to work. KDE shouldn't be trying to adjust that behaviour.
> Its security is largely dependent on its configuration, but that's the
> distro's or the user's call, not KDE's.
>
> Parker
>

Exactly, it's beyond KDE to decide what sudo should be, we shouldn't
try to modify its intended purpose. Isn't Ubuntu the only distro that
uses sudo? Or am I wrong?

--
Riverenter Vestri,
Shaun Reich
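
The thread turns on two sudoers settings: the credential timeout and whether the cached credential is tied to one terminal. The following is an added example, not part of the original message and not code from sudo or kdesudo; it audits global `Defaults` lines for those settings. The sample sudoers fragments are constructed, and the compile-time defaults passed as parameters are assumptions that vary by sudo version and distribution.

```python
import re

# Constructed sudoers fragments for illustration; not taken from the thread.
SAMPLES = {
    "stock": "Defaults env_reset\n%admin ALL=(ALL) ALL\n",
    "timeout_zero": "Defaults env_reset\nDefaults timestamp_timeout=0\n",
    "shared_cache": "# desktop convenience\nDefaults !tty_tickets, timestamp_timeout=15\n",
}

def audit_sudoers(text, default_timeout=5.0, default_scoped=True):
    """Classify sudo credential caching from global Defaults lines.

    default_timeout / default_scoped stand in for compile-time defaults,
    which vary by sudo version and distribution (assumed values).
    Scoped entries such as Defaults:user are ignored here.
    """
    timeout, scoped = default_timeout, default_scoped
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"Defaults\s+(.*)$", line)
        if not m:
            continue
        for item in re.split(r"\s*,\s*", m.group(1)):
            name, _, value = item.partition("=")
            name, value = name.strip(), value.strip()
            if name == "timestamp_timeout" and value:
                timeout = float(value)           # minutes; 0 = always prompt
            elif name == "tty_tickets":
                scoped = True
            elif name == "!tty_tickets":
                scoped = False
            elif name == "timestamp_type" and value:
                scoped = value != "global"
    if timeout == 0:
        verdict = "prompts every time"
    elif not scoped:
        verdict = "cached for any process of the user"
    else:
        verdict = "cached per terminal/session"
    return timeout, scoped, verdict

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, audit_sudoers(text))
```

On a real system the effective values are better read from `sudo -V` run as root, since included files and scoped `Defaults` entries also apply.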
