On Fri, 2003-12-05 at 19:03, Christoph Wickert wrote:
> On Fri, 05.12.2003 at 18:58, nosp wrote:
> > On Fri, 2003-12-05 at 17:43, Elton Woo wrote:
> > > Logging out should "flush" the root permissions, IMVHO.
> >
> > I guess the motivation is that if user X successfully becomes root,
> > within a specified timeout period user X can become root again. I'm
> > sure that if user X became root, logged out, and user Y logged in, they
> > would *not* be able to take advantage of user X's cached privileges.
> > Seems like a good feature to me -- though I'm sure it can be disabled.
>
> I knew that this is a pam issue, but I fully agree with Elton: Root
> permissions need to be flushed when logging out.

Well it's for better minds than me to analyse the security, but I don't see the difference a logout should make. One either thinks caching a user's privilege escalation is good or bad. If it's good, why should whether the user has/had an X session make a difference? What should the behavior be if they have two X sessions and log out of just one?