Rahul Sundaram wrote:

I'd appreciate it if you wouldn't CC me.

> On 05/27/2010 12:57 PM, Mike McCarty wrote:
>> All programs which prompt for, and receive, passwords in clear
>> text form go to extra lengths to make sure that they do NOT
>> "remember" passwords in any form
>>
>
> Mike,
>
> Refer to the notes on password caching at
>
> http://www.wlug.org.nz/SudoHowto
>
> The default is 5 minutes of caching.

I'm aware of that information.

Well, it seems that I was not clear enough in my statement. At the risk of being taken for rude, I'll expound on what the misconception being promulgated here is. I'm not trying to be argumentative, but what's been written here is just wrong, especially since programs like this go to some lengths not to remember passwords. We even go to the length of not making it easy to find encrypted passwords, let alone passwords in clear text, by using shadow.

The sudo program does not remember passwords. It remembers epochs when passwords were properly entered. That's what I said in my earlier messages. This makes the third time, I believe. I can say that, because it is the truth. (almost)

So, just to be clear, let me be clear, and hopefully not argumentative. Sudo does not cache, or store, passwords. It stores the information that a password was correctly entered and when and for whom. (See below for a clarification on this point.) It does not store or remember the password in any form, AFAIK, and if it sometimes accidentally does, it needs to be changed. An epoch, and a user name, are not a password. Storing an epoch, and a user name, is not storing or remembering a password.

Here's how sudo "remembers" that information. It's not stored in a file, as one supposed it must be; it's stored in multiple nested directory entries.
$ whoami
jmccarty
$ ps
  PID TTY          TIME CMD
 9239 pts/36   00:00:00 bash
11378 pts/36   00:00:00 ps
$ sudo ls -l /var/run/sudo
total 20
drwx------ 2 root root 4096 Oct 22  2007 bird
drwx------ 2 root root 4096 May 27 02:53 jmccarty
drwx------ 2 root root 4096 Aug 27  2008 lfs
-rw------- 1 root root   64 Oct 21  2004 _pam_timestamp_key
drwx------ 2 root root 4096 Jun  2  2009 root
$ sudo ls -l /var/run/sudo/jmccarty
total 8
-rw------- 1 root root 0 May 14 12:47 13
-rw------- 1 root root 0 Apr 23 03:23 18
-rw------- 1 root root 0 May 21 16:03 24
-rw------- 1 root root 0 May 26 15:07 33
-rw------- 1 root root 0 May 27 02:55 36
-rw------- 1 root root 0 May 26 15:16 37

Note carefully that the files are ZERO length; these contain no information, only the directory entry is significant, AFAIK. I have, on occasion, seen files which have some information in them, though I do not know what it may be. I should have the source for sudo somewhere, and could go read it to find out. I haven't taken the time so far to investigate that.

The file name is the pts from which sudo was run. I just ran sudo, so an entry was made for me, at the time I ran sudo, and indicating that I ran it from pts/36.

Nowhere does sudo store or remember a password, period. It stores the information that a password was entered properly, and when, and by whom. Well, not quite, because it really stores the last time it successfully ran on a given pts. A password may not have been entered, since a password entry is not required during the cache period. The entry will be updated, however, extending the cache period. Also, a password is not required for some users, root for example. These users do not, AFAIK, get entries when they run sudo. At least, I've not seen it.

The sudo command provides a way to extend the cache period, without entering some useless command, by means of

$ sudo -v

which simply "validates" that one is a valid sudoer, and updates the cache entry.
Using

$ sudo -k

sets the entry to the current epoch, so that the next use will require the entry of a password (if the user is required to enter one).

$ sudo -K

removes the entry altogether.

I hope that is clear, and unambiguous, and not rude or argumentative. Somehow it seems simpler just to say "sudo does not 'remember' passwords", instead of having to write a tutorial, and I wish that it were possible to do that without getting people to challenge that fact before taking any time of their own to investigate how the program works.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
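The following is an added example, not part of the post above and not sudo's own source: a small Python model of the timestamp-cache mechanism the post describes (one zero-length file per user and pts under a directory standing in for /var/run/sudo, with only the file's mtime carrying information). It assumes the 5-minute default timeout named in the thread, uses a temporary directory instead of /var/run/sudo, and replaces the PAM password check with a caller-supplied callable so it runs offline. The point it makes concrete is the one the post argues: the cache holds a "who, where, when" record, never the password, and `-v`, `-k` and `-K` only touch that record.

```python
"""Model of the sudo timestamp cache as described in the mailing-list post.

Added example; not sudo's implementation. Assumptions: a temp dir stands in
for /var/run/sudo, TIMEOUT_SECONDS is the 5-minute default from the thread,
and `authenticate` is a stand-in for the real PAM password check.
"""
import os
import tempfile
import time

TIMEOUT_SECONDS = 5 * 60  # default cache period mentioned in the thread


class TimestampCache:
    """Per-user, per-pts entries: <base>/<user>/<pts>, zero bytes each."""

    def __init__(self, base_dir):
        self.base_dir = base_dir

    def entry_path(self, user, tty):
        # The file name is the pts number; its mtime is the only state kept.
        return os.path.join(self.base_dir, user, tty)

    def is_valid(self, user, tty, now=None):
        """True if an entry exists and was touched within the timeout."""
        now = time.time() if now is None else now
        try:
            mtime = os.stat(self.entry_path(user, tty)).st_mtime
        except FileNotFoundError:
            return False
        return 0 <= now - mtime < TIMEOUT_SECONDS

    def validate(self, user, tty, now=None):
        """Record a successful run (sudo -v or any successful sudo).

        Only the directory entry and its mtime are written; the password
        never reaches this function.
        """
        now = time.time() if now is None else now
        path = self.entry_path(user, tty)
        os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
        with open(path, "a"):
            pass  # create the file if missing; it stays zero-length
        os.utime(path, (now, now))

    def invalidate(self, user, tty):
        """sudo -k: set the mtime to the epoch so the next use re-prompts."""
        path = self.entry_path(user, tty)
        if os.path.exists(path):
            os.utime(path, (0, 0))

    def remove(self, user, tty):
        """sudo -K: drop the entry altogether."""
        path = self.entry_path(user, tty)
        if os.path.exists(path):
            os.remove(path)


def sudo_session(cache, user, tty, authenticate, now):
    """One sudo invocation. Returns (prompted, allowed).

    A valid cache entry skips the prompt and is refreshed by the run;
    otherwise `authenticate()` (stand-in for PAM) decides, and only a
    success creates or refreshes the entry.
    """
    if cache.is_valid(user, tty, now):
        cache.validate(user, tty, now)
        return (False, True)
    if authenticate():
        cache.validate(user, tty, now)
        return (True, True)
    return (True, False)


def demo():
    """Walk through the scenarios from the post and return what happened."""
    with tempfile.TemporaryDirectory() as base:
        cache = TimestampCache(base)
        t0 = 1_000_000.0  # constructed, arbitrary start time
        ok = lambda: True
        runs = []
        runs.append(sudo_session(cache, "jmccarty", "36", ok, t0))        # first run: prompt
        runs.append(sudo_session(cache, "jmccarty", "36", ok, t0 + 60))   # within 5 min: no prompt
        runs.append(sudo_session(cache, "jmccarty", "37", ok, t0 + 60))   # other pts: own entry, prompt
        size = os.stat(cache.entry_path("jmccarty", "36")).st_size      # zero bytes
        cache.invalidate("jmccarty", "36")                                # sudo -k
        runs.append(sudo_session(cache, "jmccarty", "36", ok, t0 + 120))  # prompt again
        runs.append(sudo_session(cache, "jmccarty", "36", ok,
                                 t0 + 120 + TIMEOUT_SECONDS))             # timed out: prompt
        runs.append(sudo_session(cache, "bird", "5", lambda: False, t0))  # failed auth
        bird_entry = os.path.exists(cache.entry_path("bird", "5"))        # not created
        cache.remove("jmccarty", "36")                                    # sudo -K
        removed = not os.path.exists(cache.entry_path("jmccarty", "36"))
        return {"runs": runs, "size": size, "bird_entry": bird_entry, "removed": removed}


if __name__ == "__main__":
    print(demo())
```

The check worth carrying over to a real box is the one the post makes with `ls -l`: the entries are zero bytes and are readable only by root, so the only thing an attacker with the directory contents learns is which user validated on which pts and when. Sudo has changed its on-disk timestamp format since 2010, so treat this as a model of the mechanism the post describes rather than of any current release.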