Bug 339

Summary: Expiration Date for Sudo Rules
Product: Sudo
Component: Sudo
Reporter: John Bambenek <bambenek.infosec>
Assignee: Todd C. Miller <Todd.Miller>
CC: jcb.blog, maniac-sudo
Status: RESOLVED FIXED
Severity: enhancement
Priority: normal
Version: 1.7.0
Hardware: PC
OS: Other

Description John Bambenek 2009-02-28 09:49:41 MST
> I was wondering what the possibility of introducing a "drink by" date to
> a specific sudo rule is...
>
> For instance...
>
> root ALL=(ALL) ALL YYYYmmddhhmm
>
> And the functioning would basically check to see if the time is less
> than or equal to the timestamp given in the sudo file before giving
> access. It would be pretty useful in some enterprise settings I would
> imagine.
Comment 1 Mark Janssen 2010-03-30 04:12:45 MDT
As long as you also build this support for LDAP-based rules.

Something like this:

objectClass: sudoRole
cn: temp-something
sudoCommand: /bin/cat
sudoOption: noexec
sudoUser: joe
sudoHost: foo
sudoExpire: YYYYMMDDHHMM
Comment 2 Todd C. Miller 2011-01-28 16:59:21 MST
Beginning with sudo 1.7.5 the LDAP-based rules support sudoNotBefore and sudoNotAfter attributes.  This is not currently available for files-based sudoers.
Comment 3 John Bambenek 2012-06-02 00:25:39 MDT
Is it possible to get rule expiration for files-based sudo rules similar to what is available for LDAP?
Comment 4 Todd C. Miller 2017-05-13 13:48:34 MDT
Sudo 1.8.20 supports "not before" and "not after" settings for file-based sudoers.
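
The following is an added example, not part of the bug thread and not sudo's own code: a small audit helper that reads the sudoNotBefore and sudoNotAfter attributes mentioned in Comment 2 from a sudoRole entry and reports whether the rule is in its validity window. Assumptions: timestamps use a subset of Generalized Time (yyyymmddHH[MM[SS]] followed by Z or a +/-hhmm offset), both bounds are inclusive, and the function names and sample dates are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed subset of Generalized Time: yyyymmddHH[MM[SS]] then Z or +/-hhmm.
_GT = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})?(\d{2})?(Z|[+-]\d{4})$")

def parse_generalized_time(value):
    """Return a timezone-aware datetime; zone-less values are rejected as ambiguous."""
    m = _GT.match(value)
    if not m:
        raise ValueError(f"unsupported timestamp: {value!r}")
    y, mo, d, h, mi, s = (int(g or 0) for g in m.groups()[:6])
    zone = m.group(7)
    if zone == "Z":
        return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
    sign = -1 if zone[0] == "-" else 1
    offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:]))
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone(offset))

def parse_entry(ldif):
    """Collect attribute values from one LDIF-style entry (no folding or base64)."""
    attrs = {}
    for line in ldif.strip().splitlines():
        name, _, val = line.partition(":")
        attrs.setdefault(name.strip(), []).append(val.strip())
    return attrs

def rule_state(attrs, now):
    """Return 'not-yet-valid', 'expired' or 'active' for the entry at time `now`."""
    nb, na = attrs.get("sudoNotBefore"), attrs.get("sudoNotAfter")
    if nb and now < parse_generalized_time(nb[0]):
        return "not-yet-valid"
    if na and now > parse_generalized_time(na[0]):
        return "expired"
    return "active"  # inside the window, or no bounds set

# Constructed sample: the entry from Comment 1 with a January 2024 window added.
SAMPLE = """
objectClass: sudoRole
cn: temp-something
sudoCommand: /bin/cat
sudoOption: noexec
sudoUser: joe
sudoHost: foo
sudoNotBefore: 20240101000000Z
sudoNotAfter: 20240131235959Z
"""

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(rule_state(parse_entry(SAMPLE), now))
```

Comparing timezone-aware values matters here: 20240201000000+0100 is still 23:00 UTC on 31 January, so the sample rule has not yet expired at that instant.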