emacs-devel

Re: sudo:: method in tramp possible security issue


From: Michael Albinus
Subject: Re: sudo:: method in tramp possible security issue
Date: Wed, 21 Nov 2018 08:41:55 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

João Távora <address@hidden> writes:

>     Tramp's sudo method needs your credentials. If you don't provide
>     them, Tramp cannot do anything.
>
>     Like calling sudo in a terminal.
>
> It's not exactly like calling sudo in a terminal, because when you
> use sudo you generally:
>
> 1. perform a one time action and are back at a non-sudo prompt; OR
> 2. start an interactive superuser session that is easy to identify
>    visually and for which there isn't a programmatic way for other
>    programs to interfere
>
> In other words, what bothers me the most about the sudo:: method is 
> the persistent sudo session that makes me vulnerable to attackers, and
> to my elisp developing mistakes.  This is why I think a warning makes 
> sense, or some visual way to identify this vulnerable state.

There is already a "visual way to identify this state". It is called
tramp-theme, a GNU ELPA package.

This is documented in the Tramp manual, see
(info "(tramp) Frequently Asked Questions").
Again, nobody reads the manual :-(

The command `tramp-cleanup-connection' closes any background session for
a Tramp connection, including removing cached passwords. Maybe we shall
call this for sudo/su methods automatically after a given timeout, like
the password expiration for sudo in a terminal. 5 minutes seem to be a
sensible value to me.

> João

Best regards, Michael.
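
One way to try the timeout idea from the message above in an init file, as an added example that is not part of the original message and not Tramp's own code. The `my/`-prefixed names, the 60-second sweep interval and measuring age from when a connection is first seen (rather than from last use) are assumptions of this sketch.

```elisp
;; Added example: expire privileged Tramp sessions after a timeout.
;; All my/ names are hypothetical; 300 s mirrors the "5 minutes" above.
(require 'tramp)
(require 'tramp-cmds)

(defvar my/tramp-priv-methods '("sudo" "su")
  "Tramp methods whose background sessions should expire.")

(defvar my/tramp-priv-timeout 300
  "Seconds a privileged Tramp session may live after it is first seen.")

(defvar my/tramp-priv-first-seen (make-hash-table :test #'equal)
  "Map from a connection (`tramp-file-name') to its first-seen time.")

(defun my/tramp-priv-expired (connections now)
  "Return the privileged members of CONNECTIONS older than the timeout.
NOW is a float time.  First-seen times are recorded as a side effect,
and entries for connections that no longer exist are forgotten."
  (maphash (lambda (vec _seen)
             (unless (member vec connections)
               (remhash vec my/tramp-priv-first-seen)))
           my/tramp-priv-first-seen)
  (let (expired)
    (dolist (vec connections (nreverse expired))
      (when (member (tramp-file-name-method vec) my/tramp-priv-methods)
        (let ((seen (or (gethash vec my/tramp-priv-first-seen)
                        (puthash vec now my/tramp-priv-first-seen))))
          (when (>= (- now seen) my/tramp-priv-timeout)
            (push vec expired)))))))

(defun my/tramp-priv-sweep ()
  "Close expired sudo/su sessions, dropping their cached passwords."
  (dolist (vec (my/tramp-priv-expired (tramp-list-connections)
                                      (float-time)))
    (remhash vec my/tramp-priv-first-seen)
    ;; Same call a user would make interactively; buffers visiting
    ;; files on this connection reconnect (and re-prompt) on next use.
    (tramp-cleanup-connection vec)))

(defvar my/tramp-priv-timer
  (run-with-timer 60 60 #'my/tramp-priv-sweep)
  "Repeating timer that sweeps privileged Tramp sessions every minute.")
```

Cancel the sweep with `(cancel-timer my/tramp-priv-timer)`; a session can outlive the timeout by up to one sweep interval.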
