Saturday, June 5, 2010

Password caching during desktop startup

The first time your desktop startup shows you a message like this:


...it can have you wondering how secure your desktop really is.

The message 'Granted permissions without asking for password' is not too serious once the explanation is read in full, but it does grab your attention :)

What is happening is that sudo remembers, for a few minutes, that you recently authenticated, so the password you typed a moment ago is not asked for again. Strictly speaking it is a timestamp of the successful authentication that is cached, not the password itself, but the effect is the same: any program that goes through sudo in that window gets root without a prompt.


The output above shows an example of what is happening in the background. It shows gksudo being called with the message "Wicd needs to access your computer's network cards". gksudo runs sudo with -p GNOME_SUDO_PASS, which sets sudo's password prompt to that fixed string so that gksudo can recognise when sudo is asking for a password and pop up its dialog. Because sudo's timestamp from your earlier authentication is still valid, sudo never prints that prompt, gksudo never shows you the dialog, and it reports 'Granted permissions without asking for password' instead.

This is designed to add some convenience to your desktop, but does not suit everyone.

Now some might shout 'security risk' or 'insecure desktop', but as with most things Linux, it can always be changed to suit individual needs (see next section)

timestamp_timeout of /etc/sudoers:

If you feel the sudo password caching is too much for your taste then you can enter your own preference in the file /etc/sudoers. Always edit it through visudo, which checks the syntax before saving; a sudoers file with a typo in it can lock you out of sudo entirely.



Setting timestamp_timeout=1 will ensure the authentication is only cached for a minute (the value is in minutes). Two special values are worth knowing: timestamp_timeout=0 means sudo asks for the password every single time, and a negative value means the timestamp never expires, so one password unlocks sudo for the whole session until you clear it by hand.

The screenshot above does not show me actually making the change, but rather I provide examples of how the relevant line in /etc/sudoers should appear.

The first line beginning Defaults, is how things are right now. Sudo is using the compiled-in default caching time. Upstream sudo defaults to 5 minutes, while Debian and Ubuntu build their package with a 15 minute default, which is why forum postings quote both figures. Running sudo -V as root prints the "Authentication timestamp timeout" that your binary actually uses.

The last line shows how the line in /etc/sudoers should look in order to have 1 minute caching.

The guide here shows you how to use sudo -K to empty out a cached password
( helpful if you are about to walk away from a shared desktop machine ). Lower case sudo -k only invalidates the timestamp, upper case sudo -K removes the timestamp file altogether; either one means the next sudo or gksudo call will ask for your password again.
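The following script is an added example, not part of the original post or of the sudo project: it reads the timestamp_timeout value out of sudoers-style files, explains what each value means according to sudoers(5), and checks a candidate file's syntax with visudo -c -f before anything is copied into /etc. The three sudoers fragments it writes are constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Reads timestamp_timeout from
# sudoers-style files, explains the value, and syntax-checks a candidate file
# without touching the live /etc/sudoers. Sample fragments are constructed.

# Print the effective timestamp_timeout in file $1, or "default" if the file
# does not set one. Later Defaults lines override earlier ones in sudoers,
# so the last match is the one that counts.
timeout_value() {
    val=$(sed -n 's/^[[:space:]]*Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9.]*\).*$/\1/p' "$1" | tail -n 1)
    if [ -n "$val" ]; then
        echo "$val"
    else
        echo default
    fi
}

# Translate a value into its meaning as documented in sudoers(5):
# negative = never expires, 0 = always ask, N = N minutes, default = compiled-in.
describe_timeout() {
    case "$1" in
        default) echo "compiled-in default (5 minutes upstream; Debian and Ubuntu build with 15)" ;;
        -*)      echo "never expires until sudo -k or sudo -K is run" ;;
        0)       echo "no caching: every sudo/gksudo call asks for the password" ;;
        *)       echo "cached for $1 minute(s) after the last use" ;;
    esac
}

# Write three constructed sudoers fragments into directory $1:
# as shipped (no timeout set), a one-minute cache, and a never-expiring one.
write_samples() {
    printf 'Defaults\tenv_reset\nroot\tALL=(ALL) ALL\n%%admin ALL=(ALL) ALL\n' > "$1/shipped"
    printf 'Defaults\tenv_reset,timestamp_timeout=1\n' > "$1/one_minute"
    printf 'Defaults\ttimestamp_timeout=-1\n' > "$1/never"
}

# Syntax-check a candidate file with visudo -c -f, which parses only the
# named file. Some visudo versions also complain about owner and mode when
# checking a file that is not the real sudoers, so treat a failure here as a
# reason to look at visudo's output, not as proof of a syntax error.
# Skipped on hosts without visudo.
check_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        if visudo -c -f "$1" >/dev/null 2>&1; then
            echo ok
        else
            echo "visudo rejected it, inspect with: visudo -c -f $1"
        fi
    else
        echo "visudo not installed, skipped"
    fi
}

# Demo: classify each constructed fragment.
dir=$(mktemp -d)
write_samples "$dir"
for f in shipped one_minute never; do
    v=$(timeout_value "$dir/$f")
    printf '%-11s timestamp_timeout=%s -> %s (syntax: %s)\n' \
        "$f" "$v" "$(describe_timeout "$v")" "$(check_syntax "$dir/$f")"
done
rm -rf "$dir"
```

Point timeout_value at your real /etc/sudoers (you will need sudo to read it, as it is mode 0440) to see whether anything already overrides the compiled-in default before you add your own Defaults line through visudo.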

There are several guides to walk you through the editing of /etc/sudoers, they tend to be editor specific and here is one for vi fans.

Although the command itself is named visudo, it does not tie you to vi. On Debian and Ubuntu it launches whatever /usr/bin/editor points to, and you can switch that to emacs with the following command (run as root):

update-alternatives --config editor

( pick the number corresponding to emacs, and you have emacs editing of sudoers next time you run visudo ). Setting the EDITOR or VISUAL environment variable instead only works if /etc/sudoers contains Defaults env_editor; without it visudo ignores those variables.
