update-manager has root privileges after sudo was used
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
sudo (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: sudo
I've just noticed something unexpected about sudo.
If I use sudo to run a program, I'm asked for my password. (Normal.) If later I run another program using sudo in the same terminal, I'm not asked again for the password, unless a certain delay has passed. (Normal.) Today, I happened to do that (see commands below), and then I ran update-manager, _without_ sudo. I noticed that update-manager _didn't_ ask for a password, and in fact went on and installed the updates right away. (Strange?)
Unless some recent updates gave update-manager the ability to install things without root privileges, there may be some bug in how sudo works. I suspect update-manager runs sudo to do the installing, and sudo thinks it's the user that did it. This is a security problem, since an unsuspecting user might run (without sudo) a malicious program, which can then get access to elevated privileges.
bogdanb@arioch:~$ sudo gedit /etc/apt/
[sudo] password for bogdanb:
bogdanb@arioch:~$ sudo aptitude update
Get:1 http://
Ign http://
[snipped lots of messages]
Get:32 http://
Fetched 382kB in 5s (76.2kB/s)
Reading package lists... Done
bogdanb@arioch:~$ update-manager
[after this I pressed install, and it worked without asking for a password]
Thanks for taking the time to report this bug.
This behaviour is by design, sudo doesn't time out for a few minutes. If you want to change this behaviour see http:// ubuntuforums. org/showthread. php?p=116697