Aaron Griffin wrote:
> On Thu, Jul 9, 2009 at 1:55 PM, Square <toolma...@gmail.com> wrote:
>> I noticed this in my typical routine when installing AUR packages. 'makepkg -sic' is the typical command I use, and most of the time if dependencies are installed before building sudo doesn't time out before the install - meaning I do not have to re-enter a password for installing the package itself. This leaves a window where any time during the build process a command could have been executed with sudo and it would have gone through without my knowledge.
>>
>> I do realize that it should be up to the user to validate all of the content, i.e. make sure everything is 'clean', but I thought I might bring it up for discussion.
>
> This is up to you to control. You can change the timeout in /etc/sudoers by using the "password_timeout" (or is it "passwd_timeout"?) option.

I agree. The question is not about makepkg security, but about sudo security. And frankly, sudo is a security disaster in its default configuration.
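An added example, not part of the thread: a check for the credential-cache window discussed above. In sudoers(5) the cache lifetime is set by `timestamp_timeout` (`passwd_timeout` only limits how long the password prompt waits). The function names and sample files are constructed, only global `Defaults` lines are parsed, and the upstream default of 5 minutes is assumed when the option is unset.

```shell
#!/bin/sh
# Report whether a sudo call made during a build could reuse cached credentials.
# Assumptions: global "Defaults" lines only (no Defaults:user scopes, no
# #include files); upstream default of 5 minutes, which distro builds may change.

sudo_cache_minutes() {
    # stdin: sudoers text; stdout: effective timestamp_timeout in minutes
    awk '
        BEGIN { val = "5" }
        /^[ \t]*#/ { next }                      # comments and #include lines
        $1 == "Defaults" {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^timestamp_timeout[ \t]*=/) {
                    v = opts[i]
                    sub(/^timestamp_timeout[ \t]*=[ \t]*/, "", v)
                    sub(/[ \t]+$/, "", v)
                    val = v                      # the last setting wins
                }
        }
        END { print val }
    '
}

makepkg_window() {
    # "closed" means every sudo invocation prompts for the password again
    m=$(sudo_cache_minutes)
    case "$m" in
        0|0.0) echo "closed" ;;
        -*)    echo "open (never expires)" ;;
        *)     echo "open ($m min)" ;;
    esac
}

# Constructed sample inputs
SAMPLE_DEFAULT='root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL'
SAMPLE_HARDENED='Defaults env_reset, timestamp_timeout=0
%wheel ALL=(ALL) ALL'

printf '%s\n' "$SAMPLE_DEFAULT"  | makepkg_window
printf '%s\n' "$SAMPLE_HARDENED" | makepkg_window
```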