When performing actions that require authentication, I am not sure who is asking for the password. For example, when I try to mount a Samba drive that requires a password, I am not sure which password is being asked for:

$ sudo mount /home/store/oss/
Password: <---- Which password is this? My password (for sudo) or that of Samba?

It would be helpful if the default /etc/sudoers file had a setting like this:

Defaults passprompt="sudo password for [%p] "

While this is not a vulnerability, a better message can keep people from having to guess which password is being asked for. (The flip side is that a malicious program could print a similar message, but that problem exists even with the default prompt.)

Reproducible: Always

Steps to Reproduce:
1. sudo -k
2. sudo ls

Actual Results:
Password:

Expected Results:
sudo password for [anomalizer]
Like you said, this is not a vulnerability, so reassigning to sudo maintainer.
Created attachment 170128: Patch for /usr/portage/app-admin/sudo/files/sudoers
Comment on attachment 170128 [details, diff] Patch for /usr/portage/app-admin/sudo/files/sudoers *** /usr/portage/app-admin/sudo/files/sudoers Thu Nov 16 03:05:25 2006 --- sudoers.1 Tue Oct 28 22:40:17 2008 *************** Defaults env_reset *** 28,33 **** --- 28,36 ---- # Set default EDITOR to vi, and do not allow visudo to use EDITOR/VISUAL. # Defaults editor=/usr/bin/vim, !env_editor + # Set a verbose prompt + Defaults passprompt="sudo password for [%p] " + # Runas alias specification # *** REMEMBER ***************************************************
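Review bot: the new "# Set a verbose prompt" comment should say what the bracketed name is, because `%p` is not simply the invoking user: sudoers(5) expands it to the user whose password is being requested, which is the invoking user with the defaults shipped in this file but becomes root or the target user once `rootpw`, `runaspw` or `targetpw` is enabled, and an admin enabling one of those flags later should be able to see from the file why the name in the prompt changes. The same comment is the place to answer the PAM question raised in this bug: under PAM sudo substitutes `passprompt` only when the module's own prompt is the stock "Password:", so on sudo versions that have the `passprompt_override` flag, `Defaults passprompt_override` is what makes the custom prompt show regardless of the module's wording. The trailing space inside the quotes is deliberate and worth keeping; it is easy to lose on a later edit.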
Hrm, I'd move this upstream for them to provide a default prompt different from "Password:", but I'm not sure if this would work with PAM. I'll have to test it.
(In reply to comment #4) FWIW: I have a PAM-based sudo and it does work for me. This could be a Gentoo "convenience" until upstream figures out whether it really wants to change this default.
I'm sorry, but I don't really see much of the point as it is; please report this upstream.
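The `Defaults passprompt` line proposed in this bug and the PAM question raised in comments #4 and #5 both come down to two rules documented in sudoers(5): which escapes sudo expands in the prompt (and whose name `%p` turns into), and when a PAM-based sudo uses the configured prompt at all. The following is an added illustration written for this page, a small model of those documented rules; it is not sudo's source code and not anything from the Gentoo package. The host name, user names and the "Samba password:" PAM prompt are constructed for the example, the PAM check is simplified to "the module asked with the stock Password: prompt", and the `passprompt_override` flag is assumed to exist in the sudo version in use.

```python
"""Model of sudo's `Defaults passprompt` expansion, as documented in sudoers(5).

Added illustration for this bug thread; not sudo's source code.  Assumptions:
  * the escapes handled are %H, %h, %p, %U, %u and %%, as listed in sudoers(5);
  * the user whose password is asked for (%p) is chosen in the documented
    order rootpw, then runaspw, then targetpw, otherwise the invoking user;
  * under PAM, the configured prompt replaces only the module's stock
    "Password:" prompt unless passprompt_override is set (a simplification
    of sudo's real comparison, which also tolerates a trailing space).
"""
from dataclasses import dataclass

STOCK_PAM_PROMPT = "Password: "


@dataclass
class SudoContext:
    """Inputs that decide how one `sudo` invocation is prompted."""
    invoking_user: str                 # the user who typed `sudo`
    runas_user: str = "root"           # target user of the command (-u)
    host: str = "box.example.org"      # constructed FQDN for the example
    rootpw: bool = False               # Defaults rootpw
    runaspw: bool = False              # Defaults runaspw
    targetpw: bool = False             # Defaults targetpw
    runas_default: str = "root"        # Defaults runas_default


def password_owner(ctx: SudoContext) -> str:
    """Name of the user whose password sudo asks for; this is what %p becomes."""
    if ctx.rootpw:
        return "root"
    if ctx.runaspw:
        return ctx.runas_default
    if ctx.targetpw:
        return ctx.runas_user
    return ctx.invoking_user


def expand_passprompt(prompt: str, ctx: SudoContext) -> str:
    """Expand the sudoers(5) prompt escapes; anything else is copied through."""
    escapes = {
        "H": ctx.host,                     # host name with domain
        "h": ctx.host.split(".", 1)[0],    # host name without domain
        "p": password_owner(ctx),          # user whose password is requested
        "U": ctx.runas_user,               # user the command will run as
        "u": ctx.invoking_user,            # user who invoked sudo
        "%": "%",                          # literal percent sign
    }
    out = []
    i = 0
    while i < len(prompt):
        if prompt[i] == "%" and i + 1 < len(prompt) and prompt[i + 1] in escapes:
            out.append(escapes[prompt[i + 1]])
            i += 2
        else:
            out.append(prompt[i])   # plain text, or an escape sudo does not know
            i += 1
    return "".join(out)


def pam_prompt_is_stock(pam_prompt: str) -> bool:
    """True if the PAM module asked with the stock prompt that sudo will replace."""
    return pam_prompt.rstrip() == STOCK_PAM_PROMPT.rstrip()


def effective_prompt(configured: str, ctx: SudoContext,
                     pam_prompt: str = STOCK_PAM_PROMPT,
                     passprompt_override: bool = False) -> str:
    """The text the user actually sees when sudo authenticates through PAM."""
    if passprompt_override or pam_prompt_is_stock(pam_prompt):
        return expand_passprompt(configured, ctx)
    return pam_prompt   # the module's own wording wins; passprompt is ignored


if __name__ == "__main__":
    proposed = "sudo password for [%p] "
    # Default settings: the bracket names the invoking user.
    print(repr(effective_prompt(proposed, SudoContext("anomalizer"))))
    # With `Defaults rootpw` the same line names root instead.
    print(repr(effective_prompt(proposed, SudoContext("anomalizer", rootpw=True))))
    # A PAM module with its own wording: passprompt is silently ignored...
    print(repr(effective_prompt(proposed, SudoContext("anomalizer"),
                                pam_prompt="Samba password: ")))
    # ...unless passprompt_override is set.
    print(repr(effective_prompt(proposed, SudoContext("anomalizer"),
                                pam_prompt="Samba password: ",
                                passprompt_override=True)))
```

To try a candidate prompt before editing sudoers, sudo's `-p` option accepts the same escapes, so after `sudo -k` a command such as `sudo -p 'sudo password for [%p]: ' true` shows exactly what the `Defaults passprompt` line would produce on that host, including the switch to root under `rootpw`, which is the ambiguity the bracket is meant to remove.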