> On 17 Jul 2015, at 16:18, Bob Beck wrote:
>
> I concur. Vadim I like the basic idea, but I do not like that in the
> bogus case we still run all the privileged user auth code.
sudo also has the -l flag, which lists what commands you're allowed to run.
however, it looks like if you aren't al
I concur. Vadim I like the basic idea, but I do not like that in the
bogus case we still run all the privileged user auth code.
On Thu, Jul 16, 2015 at 4:30 PM, Ted Unangst wrote:
> Vadim Zhukov wrote:
>> Ask for a password when we're going to fail() anyway, to avoid
>> leaking information abo
Vadim Zhukov wrote:
> Ask for a password when we're going to fail() anyway, to avoid
> leaking information about available commands. The sudo(8) behaves
> the same way, FWIW.
Let's say no for now. I'm not too concerned about this leak. I'm not sure what
a user would hope to discover. Hasn't the sy
Vadim Zhukov wrote:
> Ask for a password when we're going to fail() anyway, to avoid
> leaking information about available commands. The sudo(8) behaves
> the same way, FWIW.
>
> okay?
i need to think about this for a bit. there's a strange interaction where if
the nopasswd option is used, you've
Ask for a password when we're going to fail() anyway, to avoid
leaking information about available commands. The sudo(8) behaves
the same way, FWIW.
okay?
--
WBR,
Vadim Zhukov
Index: doas.c
===
RCS file: /cvs/src/usr.bin/doas/doa