From: John Shahid <jvshahid@gmail.com>
To: Michael Albinus <michael.albinus@gmx.de>
Cc: "Eli Zaretskii" <eliz@gnu.org>,
"Paul Eggert" <eggert@cs.ucla.edu>,
emacs-devel <emacs-devel@gnu.org>,
"João Távora" <joaotavora@gmail.com>,
"Stefan Monnier" <monnier@iro.umontreal.ca>
Subject: Re: sudo:: method in tramp possible security issue
Date: Wed, 21 Nov 2018 09:55:27 -0500 [thread overview]
Message-ID: <8736ruo4yo.fsf@gmail.com> (raw)
In-Reply-To: <87y39mo53r.fsf@gmx.de>
Michael Albinus <michael.albinus@gmx.de> writes:
> John Shahid <jvshahid@gmail.com> writes:
>
> Hi John,
>
>> Is there a reason for doing a manual expiration instead of relying on
>> the default sudo behavior. If tramp start a new sudo shell for example
>> to get file attributes, then sudo can take care of caching the password
>> or asking for it after the configured timeout. That would consolidate
>> the configuration in one place (i.e. /etc/sudoers for the timeout) as
>> well as let users manage the cache (e.g. sudo -k when the user logs out)
>> the same way they do today.
>
> The point is that Tramp (until now) keeps a session open forever. Tramp
> doesn't "start a new sudo shell for example to get file attributes".
> Therefore, there's no chance that sudo could ask for a password,
> again. That's why the new mechanism interrupts the session after the
> session timeout, and opening a new one depends on sudo's mechanism for
> cached passwords.
That was the essence of my question. What is stopping us from starting
a new session as needed instead of keeping one around forever ?
next prev parent reply other threads:[~2018-11-21 14:55 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CALDnm52oYOV_kPWZH62ub8seM4uug-GH68ywgXGJfDAbG7_4Xg@mail.gmail.com>
[not found] ` <87ftvwdcdw.fsf@gmx.de>
[not found] ` <CALDnm51fhzD48-40-t04KU9S19Lz8_sf8Y=pKZbnSHR+tbCgTQ@mail.gmail.com>
[not found] ` <87bm6kdb68.fsf@gmx.de>
[not found] ` <CALDnm53tX4vFz4CH=P27_dUt=9dXWMrE7xdTz3iZuqybsndygg@mail.gmail.com>
[not found] ` <jwvmuq4zqsz.fsf-monnier+emacs@gnu.org>
[not found] ` <CALDnm52moQthtMvSEw2ELWjZg3yJ8jypG=TBLgSsdr6R8ru0Aw@mail.gmail.com>
[not found] ` <87bm6kyxc3.fsf@gmx.de>
[not found] ` <CALDnm5211UDT_pW-HzgnRb5dQtnCZSgN+GRGHYM1hPVAjBWavA@mail.gmail.com>
[not found] ` <87k1l83yd3.fsf@gmx.de>
[not found] ` <CALDnm52KU0wNd3Sd-7m78JrPcLsiNuZ8hQxcTs3PgDNG7+0a0g@mail.gmail.com>
[not found] ` <87o9ajvost.fsf@gmx.de>
2018-11-20 14:13 ` sudo:: method in tramp possible security issue João Távora
2018-11-20 21:14 ` Paul Eggert
2018-11-20 21:18 ` Stefan Monnier
2018-11-20 21:25 ` Paul Eggert
2018-11-20 21:44 ` Stefan Monnier
2018-11-20 22:06 ` Michael Albinus
2018-11-20 22:27 ` João Távora
2018-11-20 23:12 ` Stefan Monnier
2018-11-21 7:41 ` Michael Albinus
2018-11-21 12:26 ` Michael Albinus
2018-11-21 12:44 ` Filipp Gunbin
2018-11-21 12:51 ` Michael Albinus
2018-11-21 14:44 ` John Shahid
2018-11-21 14:52 ` Michael Albinus
2018-11-21 14:55 ` John Shahid [this message]
2018-11-21 15:07 ` Michael Albinus
2018-11-20 22:16 ` Michael Albinus
2018-11-20 22:30 ` Michael Albinus
2018-11-20 22:54 ` João Távora
2018-11-21 7:49 ` Michael Albinus
[not found] ` <87ftvwyxh7.fsf@gmx.de>
2018-12-16 15:24 ` Tramp sudoedit method (was: sudo:: method in tramp possible security issue) Michael Albinus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8736ruo4yo.fsf@gmail.com \
--to=jvshahid@gmail.com \
--cc=eggert@cs.ucla.edu \
--cc=eliz@gnu.org \
--cc=emacs-devel@gnu.org \
--cc=joaotavora@gmail.com \
--cc=michael.albinus@gmx.de \
--cc=monnier@iro.umontreal.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).