Bug 872

Summary: Add a command to know if authentication cache is active
Product: Sudo
Reporter: Eric Leblond <eric>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: enhancement
Priority: low
Version: 1.8.27
Hardware: All
OS: All

Description Eric Leblond 2019-02-24 02:23:59 MST
When sudo asks for a password it creates an authentication cache and the password is not asked for again for a period. This means that during that time, the shell is basically root: any command/shell script that uses sudo will get instant access to the root user.

If I'm not wrong, the authentication cache system currently cannot be queried without renewing it. My proposal is to add an option to the sudo command to check if the authentication cache is active without touching its expiration.

The main usage I see for this option is to be able to customize things like PS1 to warn the shell user that this shell instance is potentially root. This way he can be careful if he ever starts an action that could potentially contain a sudo call.
Comment 1 Todd C. Miller 2019-02-24 06:36:20 MST
I think you can achieve what you want by running "sudo -nv".  If the exit value is 0 then sudo can be run without a password.
Comment 2 Eric Leblond 2019-02-24 09:02:08 MST
From reading the man page, this command will extend the timeout duration so we could end up in a never expiring cached authentication. Maybe the doc is wrong but when I did read the code, it did appear it was looking correct.
Comment 3 Todd C. Miller 2019-02-24 14:49:09 MST
Yes, you are correct, this won't work for your use case.
Comment 4 Todd C. Miller 2022-10-24 09:45:37 MDT
Sudo 1.9.12 adds a -N flag that can be used to achieve this.  For example:

    sudo -Nnv >/dev/null 2>&1 && echo active

will only print "active" if the user can run sudo without a password.  It will not update the user's time stamp entry.
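One way to wire this check into a shell prompt, the use case the reporter describes, as an added example that is not from the bug thread or the sudo project. It assumes sudo 1.9.12 or later (for -N) and uses a hypothetical SUDO_CHECK_CMD variable only so the functions can be exercised on a machine without sudo:

```shell
#!/bin/sh
# Added example (not sudo's own code): show a warning tag in the prompt while
# the sudo authentication cache is still valid, without refreshing it.
# Assumes sudo >= 1.9.12. SUDO_CHECK_CMD is a hypothetical override used only
# for testing; leave it unset in a real shell so "sudo -Nnv" is run.

sudo_cache_active() {
    # -v validates the cached credentials, -n refuses to prompt for a password,
    # -N leaves the time stamp untouched. Exit status 0 means "active".
    # If sudo is not installed the command fails, which reads as "not active".
    ${SUDO_CHECK_CMD:-sudo -Nnv} >/dev/null 2>&1
}

sudo_prompt_tag() {
    # Print the tag to embed in PS1: "[sudo!]" while cached, nothing otherwise.
    if sudo_cache_active; then
        printf '%s' '[sudo!]'
    else
        printf '%s' ''
    fi
}

# Example bash usage (bash expands $(...) in PS1 at every prompt):
#   PS1='$(sudo_prompt_tag)\u@\h:\w\$ '
```

Two caveats for anyone deploying this: the probe runs at every prompt, so keep it cheap and avoid it in shells where sudo is not meant to be used at all; and a user covered by a NOPASSWD rule will always see the tag, because for them sudo can be run without a password regardless of any time stamp.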