Re: root password prompts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Rahul Sundaram wrote:

I'd appreciate it if you wouldn't CC me.

> On 05/27/2010 12:57 PM, Mike McCarty wrote:
>> All programs which prompt for, and receive, passwords in clear
>> text form go to extra lengths to make sure that they do NOT
>> "remember" passwords in any form
>>   
> 
> Mike, 
> 
> Refer to the notes on password caching at
> 
> http://www.wlug.org.nz/SudoHowto
> 
> The default is 5 minutes of caching.

I'm aware of that information.

Well, it seems that I was not clear enough in my statement.

At the risk of being taken for rude, I'll expound on what
the misconception being promulgated here is. I'm not trying
to be argumentative, but what's been written here is just wrong,
especially since programs like this go to some lengths not
to remember passwords. We even go to the length of not making
it easy to find encrypted passwords, let alone passwords
in clear text, by using shadow.

The sudo program does not remember passwords. It remembers
epochs when passwords were properly entered. That's what I
said in my earlier messages. This makes the third time,
I believe. I can say that, because it is the truth. (almost)

So, just to be clear, let me be clear, and hopefully not
argumentative.

Sudo does not cache, or store, passwords. It stores the information
that a password was correctly entered and when and for whom.
(See below for a clarification on this point.)
It does not store or remember the password in any form, AFAIK,
and if it sometimes accidentally does, it needs to be changed.

An epoch, and a user name, are not a password.

Storing an epoch, and a user name, is not storing or remembering
a password.

Here's how sudo "remembers" that information. It's not stored
in a file, as one supposed it must be; it's stored in multiple
nested directory entries.

$ whoami
jmccarty

$ ps
   PID TTY          TIME CMD
  9239 pts/36   00:00:00 bash
11378 pts/36   00:00:00 ps

$ sudo ls -l /var/run/sudo
total 20
drwx------  2 root root 4096 Oct 22  2007 bird
drwx------  2 root root 4096 May 27 02:53 jmccarty
drwx------  2 root root 4096 Aug 27  2008 lfs
-rw-------  1 root root   64 Oct 21  2004 _pam_timestamp_key
drwx------  2 root root 4096 Jun  2  2009 root

$ sudo ls -l /var/run/sudo/jmccarty
total 8
-rw-------  1 root root  0 May 14 12:47 13
-rw-------  1 root root  0 Apr 23 03:23 18
-rw-------  1 root root  0 May 21 16:03 24
-rw-------  1 root root  0 May 26 15:07 33
-rw-------  1 root root  0 May 27 02:55 36
-rw-------  1 root root  0 May 26 15:16 37

Note carefully that the files are ZERO length; these
contain no information, only the directory entry
is significant, AFAIK. I have, on occasion, seen files
which have some information in them, though I do not
know what it may be. I should have the source for sudo somewhere,
and could go read it to find out. I haven't taken the time
so far to investigate that.

The file name is the pts from which sudo was run. I just ran
sudo, so an entry was made for me, at the time I ran sudo,
and indicating that I ran it from pts/36.

Nowhere does sudo store or remember a password, period.
It stores the information that a password was entered
properly, and when, and by whom. Well, not quite, because
it really stores the last time it successfully ran on a
given pts. A password may not have been entered, since
a password entry is not required during the cache period.
The entry will be updated, however, extending the cache
period. Also, a password is not required for some users,
root for example. These users do not, AFAIK, get entries
when they run sudo. At least, I've not seen it.

The sudo command provides a way to extend the cache period,
without entering some useless command, by means of

$ sudo -v

which simply "validates" that one is a valid sudoer, and
updates the cache entry. Using

$ sudo -k

sets the entry to the current epoch, so that the next use
will require the entry of a password (if the user is
required to enter one).

$ sudo -K

removes the entry altogether.

I hope that is clear, and unambiguous, and not rude
or argumentative.

Somehow it seems simpler just to say "sudo does not 'remember'
passwords", instead of having to write a tutorial, and
I wish that it were possible to do that without getting people
challenge that fact before taking any time of their own to
investigate how the program works.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux