[Bug 802997] [NEW] sudo login cache is retained even after user logs out

StephanBeal 802997 at bugs.launchpad.net
Tue Jun 28 13:50:44 UTC 2011 

Public bug reported:

When running sudo 2x in a short period, the second attempt uses cached
credentials. That's all fine and good, but watch this:

[stephan at cheyenne:~/tmp]$ ssh imat-dev
stephan at infomat-dev:~$ sudo su -
root at infomat-dev:~# 

Summary:

a) i sudo'd to root. i was asked for a password, as expected.
b) i finished my work and logged out from root, then logged off of the remote system.
c) A few moments later i logged in again to the remote system and did 'sudo su -'.
d) i expected to be asked for my password, but the old credentials from my _previous_ login were reused.

IMO the credentials should be invalidated if the user logs out. The
current behaviour is highly questionable. i would rather it not cache at
all than to keep the cache valid after i log out.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: sudo 1.7.2p7-1ubuntu2.1
ProcVersionSignature: Ubuntu 2.6.35-28.50-generic 2.6.35.11
Uname: Linux 2.6.35-28-generic x86_64
NonfreeKernelModules: fglrx
Architecture: amd64
Date: Tue Jun 28 15:45:13 2011
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: sudo

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug maverick

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/802997

Title:
  sudo login cache is retained even after user logs out

Status in “sudo” package in Ubuntu:
  New

Bug description:
  When running sudo 2x in a short period, the second attempt uses cached
  credentials. That's all fine and good, but watch this:

  [stephan at cheyenne:~/tmp]$ ssh imat-dev
  stephan at infomat-dev:~$ sudo su -
  root at infomat-dev:~# 

  Summary:

  a) i sudo'd to root. i was asked for a password, as expected.
  b) i finished my work and logged out from root, then logged off of the remote system.
  c) A few moments later i logged in again to the remote system and did 'sudo su -'.
  d) i expected to be asked for my password, but the old credentials from my _previous_ login were reused.

  IMO the credentials should be invalidated if the user logs out. The
  current behaviour is highly questionable. i would rather it not cache
  at all than to keep the cache valid after i log out.

  ProblemType: Bug
  DistroRelease: Ubuntu 10.10
  Package: sudo 1.7.2p7-1ubuntu2.1
  ProcVersionSignature: Ubuntu 2.6.35-28.50-generic 2.6.35.11
  Uname: Linux 2.6.35-28-generic x86_64
  NonfreeKernelModules: fglrx
  Architecture: amd64
  Date: Tue Jun 28 15:45:13 2011
  InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
  ProcEnviron:
   PATH=(custom, user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: sudo

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/802997/+subscriptions

More information about the foundations-bugs mailing list