Bug 819

Summary: Doesn't always respect the timeout setting
Product: Sudo Reporter: yuri
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID    
Severity: normal    
Priority: low    
Version: 1.8.20   
Hardware: PC   
OS: FreeBSD   
Attachments: log

Description yuri 2018-01-06 21:44:50 MST 
I've added the line in 'visudo' in order to extend the timeout to 4 hours:
> Defaults        env_reset,timestamp_timeout=240

It does normally work, however, sometimes it asks the password again very much sooner.

I guess that it doesn't always honor timestamp_timeout=240. It does work most of the time, but sometimes it loses the time somehow and asks again.

sudo-1.8.20p2_3 on FreeBSD 11.1
Comment 1 Todd C. Miller 2018-01-07 10:01:45 MST 
I will try to reproduce this.  In the meantime, can you update your sudo to the latest FreeBSD package, which is 1.8.21p2?
Comment 2 Todd C. Miller 2018-01-07 10:04:41 MST 
Also, a line like the following in /usr/local/etc/sudo.conf (assuming the FreeBSD package) may help in debugging this.

Debug sudoers.so /var/log/sudoers_debug auth@debug
Comment 3 yuri 2018-01-07 13:26:39 MST 
(In reply to Todd C. Miller from comment #1)
> I will try to reproduce this.  In the meantime, can you update your
> sudo to the latest FreeBSD package, which is 1.8.21p2?

Already, thanks.


(In reply to Todd C. Miller from comment #2)
> Also, a line like the following in /usr/local/etc/sudo.conf
> (assuming the FreeBSD package) may help in debugging this.
> 
> Debug sudoers.so /var/log/sudoers_debug auth@debug

Done, thanks!
Comment 4 yuri 2018-01-08 02:55:39 MST 
Version 1.8.21p2_1 also has this problem.
The log shows how at 01:27:24 I entered the password, yet at 01:49:58 it asks for password again.

Attaching the log. I can't really read it myself.
Comment 5 yuri 2018-01-08 03:00:01 MST 
Created attachment 504 [details]
log
Comment 6 Todd C. Miller 2018-01-08 05:33:18 MST 
That log shows that a password is being required only for new time stamp records which should mean you are running the command either from a different tty or the authorization user is different (the rootpw, runaspw or targetpw options were used in one case but not another).

Have you disabled tty_tickets in sudoers or set any of the rootpw, runaspw or targetpw options?
Comment 7 Todd C. Miller 2018-01-08 05:39:05 MST 
Looking through the debug log again I see that in each case a password was required because the tty was different.
Comment 8 yuri 2018-01-08 16:03:16 MST 
Thanks, Todd for your help!

I realized that I didn't know about tty_tickets.
This feature works as intended.