
The sudo command remembers for a while that I entered my password, so that I don't need to re-enter it every time. I know that I can delete this "session" using sudo -k.

Now, suppose I was logged in via ssh, used sudo, and then logged out without running sudo -k. Could someone who gained access to my account before the sudo password re-entry timeout somehow use sudo without entering a password? I know it doesn't work when you just open a new ssh session, presumably because it uses a different pseudo-terminal, but there might be a different way.

And if it is possible, what can I do against it?

3 Answers


In general, yes, a sudo session can be reused if you log out and someone else logs in as you on the same terminal. As you found in the documentation, sudo detects and rejects this sometimes, but not always.

If someone logs in as you, then the game is pretty much lost. They can plant a backdoor on your account and, in the worst case for the attacker, snipe your password and piggyback on your sudo access the next time you use sudo. So the answer to “what can I do against it?” is “nothing”, and more importantly the answer to “what should I do against it?” is “nothing”. It doesn't make any threat worse.

  • I think setting Defaults timestamp_timeout=0 could reduce the exposure -- if only to an unattended open session where the attacker does not know your password. If they can log in as you, game over. Commented Nov 28, 2016 at 4:10

At least on Linux and OS X systems, cached timestamps will not survive logging out.

The answer is in man sudoers, not in man sudo, which is why I didn't find it at first:

Since time stamp files live in the file system, they can outlive a user's login session. As a result, a user may be able to login, run a command with sudo after authenticating, logout, login again, and run sudo without authenticating so long as the time stamp file's modification time is within 5 minutes (or whatever the timeout is set to in sudoers). When the tty_tickets option is enabled, the time stamp has per-tty granularity but still may outlive the user's session. On Linux systems where the devpts filesystem is used, Solaris systems with the devices filesystem, as well as other systems that utilize a devfs filesystem that monotonically increase the inode number of devices as they are created (such as Mac OS X), sudoers is able to determine when a tty-based time stamp file is stale and will ignore it. Administrators should not rely on this feature as it is not universally available.
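The excerpt above describes three things that decide whether a cached sudo authentication is still usable: the timestamp_timeout, the per-tty ticket enabled by tty_tickets, and the inode-based staleness check that only works on filesystems such as devpts that hand out monotonically increasing inode numbers. The comment on the first answer adds timestamp_timeout=0 as the way to remove the exposure entirely. The following is an added illustration written for this page, not sudo's own code: it models that decision as a small function and replays the "log in, sudo, log out, log in again within the timeout" scenario from the man page. The TimeStamp and Policy records, the function names, and the sample inode numbers and times are all constructed assumptions chosen to mirror the quoted text.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TimeStamp:
    """One cached authentication record, as sudoers keeps per user
    (or per user and tty when tty_tickets is enabled). Constructed model."""
    user: str
    mtime: float                # epoch seconds of the last successful authentication
    tty_inode: Optional[int]    # pty inode at authentication time; None if no tty ticket


@dataclass(frozen=True)
class Policy:
    """The sudoers Defaults that matter for this question (model, not a parser)."""
    timestamp_timeout: float = 5 * 60   # sudoers default is 5 minutes; 0 disables caching
    tty_tickets: bool = True            # one ticket per tty instead of one per user


def timestamp_is_valid(ts: TimeStamp, policy: Policy, now: float,
                       current_tty_inode: Optional[int]) -> Tuple[bool, str]:
    """Decide whether a sudo run at time `now`, on a tty whose device inode is
    `current_tty_inode`, may reuse the cached authentication `ts`.
    Returns (accepted, reason)."""
    # timestamp_timeout=0: never reuse a cached authentication, always prompt.
    if policy.timestamp_timeout <= 0:
        return False, "caching disabled by timestamp_timeout=0"
    age = now - ts.mtime
    if age < 0:
        return False, "time stamp is in the future (clock moved backwards)"
    if age > policy.timestamp_timeout:
        return False, f"expired: {age:.0f}s old, limit {policy.timestamp_timeout:.0f}s"
    # Without tty_tickets the ticket is per user and survives logout, which is
    # exactly the man page's "login again and run sudo without authenticating".
    if not policy.tty_tickets:
        return True, "per-user ticket still fresh (survives logout)"
    if ts.tty_inode is None or current_tty_inode is None:
        return False, "tty_tickets enabled but no tty ticket recorded"
    # On devpts a newly allocated pty gets a higher inode number, so a ticket
    # whose recorded inode differs from the current pty is recognised as stale.
    if ts.tty_inode != current_tty_inode:
        return False, "tty ticket belongs to a pty that no longer exists"
    return True, "per-tty ticket still fresh on the same pty"


def logout_login_scenario(policy: Policy, inode_reused: bool) -> Tuple[bool, str]:
    """Authenticate, log out, log back in two minutes later and run sudo.
    `inode_reused=True` models a devfs that hands the old inode number back to
    the new pty, the case the man page warns administrators not to rely on."""
    auth_time = 1_000_000.0                      # constructed sample time
    ts = TimeStamp("alice", auth_time, tty_inode=42)
    new_pty_inode = 42 if inode_reused else 43    # constructed sample inodes
    return timestamp_is_valid(ts, policy, auth_time + 120, new_pty_inode)


if __name__ == "__main__":
    cases = [
        ("default policy, devpts (new inode)", Policy(), False),
        ("default policy, inode number reused", Policy(), True),
        ("tty_tickets disabled", Policy(tty_tickets=False), False),
        ("timestamp_timeout=0", Policy(timestamp_timeout=0), True),
    ]
    for label, policy, reused in cases:
        accepted, reason = logout_login_scenario(policy, reused)
        print(f"{label:40s} -> {'REUSED' if accepted else 'prompt':6s} ({reason})")
```

The second case is the residual risk the man page points at: when the device filesystem reuses inode numbers, a fresh login can land on a pty that looks identical to the one the ticket was issued for, and the cached authentication is accepted within the timeout. The last case shows why the timestamp_timeout=0 suggestion closes the gap regardless of filesystem behaviour.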


sudo remembers the password per terminal session. If you logged out (either because you logged out yourself or your session has terminated for some reason) there is no problem.

The only problem could be a screen session in which you used sudo.

But if you are afraid of any issues, you can simply configure sudo not to cache the password.

  • But how does it discern different terminal sessions reliably? By pty? By PID? What if the PTY or PID are reused? Is there any reference about this? Commented Nov 24, 2016 at 13:47
