On Wed, Mar 3, 2010 at 9:06 AM, Mauro Santos <registo.mailling@xxxxxxxxx> wrote:
>> Yes, same answer, you get owned. In fact, even with a password
>> required, the "5 minute grace window" for sudo does you in - some bad
>> guy just keeps trying to sudo, until you do it legitimately, thereby
>> allowing it freely for 5 minutes, and then he's got root.
>
> Isn't it possible to lock that to specific consoles with
> "Defaults tty_tickets" in /etc/sudoers ? I guess that with the 5 min.
> grace window it will give a good balance between annoyance and security.

That's a nice feature, but there's still a hole in it. Consider the case
where you run sudo, close the window, and within the next 5 minutes
something else allocates a PTY. It's likely to get the one you just
closed, with your ticket still good for it.
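As an added example (not part of the thread), here is an /etc/sudoers Defaults fragment showing the cached-ticket setup discussed above next to a tighter one that leaves no ticket for a reused PTY to inherit. The option names are real sudoers Defaults; whether a recycled PTY actually inherits a per-tty ticket depends on the sudo version, which is assumed here rather than verified.

```sudoers
# Weak: credentials are cached for 5 minutes and, without tty_tickets,
# one ticket covers every terminal of the user, so it outlives the
# window it was created in.
Defaults timestamp_timeout=5
Defaults !tty_tickets

# Tighter: one ticket per tty, and no caching at all, so a PTY handed
# out after the window closes carries no usable ticket.
# timestamp_timeout=0 prompts for the password on every sudo call.
Defaults tty_tickets
Defaults timestamp_timeout=0
```

Edit the file with visudo so the syntax is checked before it is saved; if the 5-minute cache is kept, `sudo -k` before closing a window invalidates that ticket immediately.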