On Fri, Jul 3, 2020 at 10:09 PM Samuel Sieb <samuel(a)sieb.net> wrote:
On 7/3/20 12:53 PM, ToddAndMargo via users wrote:
> Oh of interest, Xfce Pol kit has a YUGE security hole that I
> reported a while back that has yet to be addressed:
>
> xfce pol kit lets others sneak in
>
https://github.com/ncopa/xfce-polkit/issues/5
That's not a huge security hole and it doesn't let others sneak in
unless they have access to your user for some reason.
+1
There's a hard-coded 5-minute timeout in polkit. (sudoers has a
"timestamp_timeout" option.)
That's also standard behaviour for sudo.
By default, sudo uses one timestamp per tty and allows you to run sudo
without authentication for 5 minutes on the same tty. You have to
change "timestamp_type" in sudoers to be able to use sudo on multiple
ttys with one authentication.