Bug 905

Summary: Man page description of credential caching is misleading/incomplete
Product: Sudo Reporter: Bill Dietrich <sudobz4>
Component: DocumentationAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: low    
Priority: low    
Version: 1.8.21   
Hardware: PC   
OS: Linux   

Description Bill Dietrich 2019-10-30 04:37:36 MDT 
Newbie here, hope I'm not doing anything wrong.

The sudo man page says "credential caching to allow the user to run sudo again for a period of time without requiring authentication".  But I think the word "user" is wrong or misleading.  In fact the terminal or pty, not the user ID, is the basis for the caching.

I found this by opening a terminal window and running veracrypt from CLI.  The veracrypt app pops up a GUI and asks for password and does a sudo or equivalent.  When veracrypt quit (normally), I found that my terminal now had sudo credential caching enabled; I could run sudo and it wouldn't ask me for password (for next 15 minutes or whatever).

If I opened another terminal, sudo there DID ask me for password.  So the caching must be on basis of pty (or parent process), not user ID or login session.

I found this behavior (the pty basis of the caching) surprising, and I think it should be documented.  From my POV, the child process (veracrypt) escalated the privilege of the parent process (terminal session), which is surprising.  I guess in retrospect it makes sense, but it should be documented clearly on the man page.

I'm using sudo version 1.8.21p2 on Linux Mint 19.2 Cinnamon.  On that system, the man page is SUDO(8).

Thanks.
Comment 1 Todd C. Miller 2019-11-01 12:43:39 MDT 
Sudo's behavior here is configurable, which is why the man page doesn't have a whole lot of detail.

The behavior can be controlled via the "timestamp_type" option in sudoers and the sudoers man page includes a good description of it. It is probably worth pointing the user to that description from the sudo man page.

Newer versions of sudo also include a sudoers_timestamp man page which has a lot of detail on how the time stamp file is stored and used.

I've changed that text in sudoers to be:

Security policies may support credential caching to allow the user to run sudo again for a period of time without requiring authentication.  By default, the sudoers policy caches credentials on a per-terminal basis for 5 minutes.  See the timestamp_type and timestamp_timeout options in sudoers(5) for more information.
Comment 2 Todd C. Miller 2019-12-31 15:13:05 MST 
Closing due to wording changes in the manual.