#6319 NORM Never A: sudo and su don't ask for password

Zarro Boogs per Child bugtracker at laptop.org
Wed Mar 26 21:21:08 EDT 2008


#6319: sudo and su don't ask for password
---------------------+------------------------------------------------------
  Reporter:  mikus   |       Owner:  jg                               
      Type:  defect  |      Status:  reopened                         
  Priority:  normal  |   Milestone:  Never Assigned                   
 Component:  distro  |     Version:  Development build as of this date
Resolution:          |    Keywords:                                   
  Verified:  0       |    Blocking:                                   
 Blockedby:          |  
---------------------+------------------------------------------------------
Changes (by mikus):

  * status:  closed => reopened
  * resolution:  duplicate =>


Comment:

 I'm going to reopen this -- it is getting to be the end of March 2008, and
 both the latest Update.1 and the latest Joyride STILL exhibit the behavior
 ("not asking for a password") which caused me to write this ticket.

 [Ticket #5537 deals primarily with how a _vanilla_ (newly installed) build
 should behave.  I wrote ticket #6319 to document the behavior of a
 _licorice_ build - that is, a build in which I have set a specific
 password for user 'root', and have set another specific password for user
 'olpc'.  I *will* be setting a root password in my system, even if I have
 to use a binary editor to modify the nand contents in my XO.]

 ----

 The defect I am identifying is that although I have specified a password
 for 'root', when I enter the command 'su' as user 'olpc' (from the command
 line in a Terminal-activity session), I am not being asked for the (root)
 password before that Terminal session goes into root.

 As far as I am concerned, let ticket #5537 resolve what should happen when
 the command 'su' is entered, and user 'root' does NOT have a password
 assigned.

 But my reason *for* setting a password for 'root' is so that I can
 temporarily lend my XO to someone, without me having to worry (unless he
 has learned the password) whether he might enter 'rm -rf /'.

 Note that I do *not* want anyone who sits down at my XO to be able to type
 in 'sudo' -- I've removed that specific command file from my XO.

 ----

 I don't much care how #5537 implements 'sudo'.  But I believe it *is* a
 significant exposure if 'sudo' does not ask for verification, when
 passwords __have been__ specified both for the "executing" user (e.g., for
 'olpc'), and for the "target" user (e.g., for 'root').

-- 
Ticket URL: <http://dev.laptop.org/ticket/6319#comment:5>
One Laptop Per Child <http://laptop.org/>
OLPC bug tracking system


