Bugzilla – Bug 872
Add a command to know if authentication cache is active
Last modified: 2022-10-24 09:45:37 MDT
When sudo asks for a password it creates an authentication cache and the password is not asked for again for a period of time. This means that during that time, the shell is basically root: any command/shell script that uses sudo will get instant access to the root user. If I'm not wrong, the authentication cache system currently cannot be queried without renewing it. My proposal is to add an option to the sudo command to check if the authentication cache is active without touching its expiration. The main usage I see for this option is to be able to customize things like PS1 to warn the shell user that this shell instance is potentially root. This way he can be careful if ever he starts an action that could potentially contain a sudo call.
I think you can achieve what you want by running "sudo -nv". If the exit value is 0 then sudo can be run without a password.
From reading the man page, this command will extend the timeout duration, so we could end up in a never-expiring cached authentication. Maybe the doc is wrong, but when I read the code, it did appear to be correct.
Yes, you are correct, this won't work for your use case.
Sudo 1.9.12 adds a -N flag that can be used to achieve this. For example: sudo -Nnv >/dev/null 2>&1 && echo active will only print "active" if the user can run sudo without a password. It will not update the user's time stamp entry.
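The PS1 warning from the original request, built on the -N flag described in the last comment, as an added example that is not part of the bug report or of sudo itself. It assumes sudo 1.9.12 or newer is installed (the version is read from sudo -V and older builds, which reject -N, report "unknown" rather than silently refreshing the time stamp); the function names are my own.

```shell
#!/bin/sh
# Added example: report whether sudo's cached credentials are currently valid
# without renewing the time stamp, and expose that as a prompt marker.

# Compare dotted version strings: returns 0 if $1 >= $2 (helper, not sudo's).
version_ge() {
    local a="$1." b="$2." x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Prints "active", "inactive" or "unknown"; exit status 0 only when active.
sudo_cache_state() {
    local ver
    if ! command -v sudo >/dev/null 2>&1; then
        echo unknown; return 2
    fi
    # First line of "sudo -V" is "Sudo version X.Y.Z[pN]"; keep only X.Y.Z.
    ver=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ] || ! version_ge "$ver" 1.9.12; then
        # -N (--no-update) appeared in 1.9.12. Without it, "sudo -nv" would
        # itself extend the cache, so refuse to probe on older versions.
        echo unknown; return 2
    fi
    # -N: do not update the time stamp; -n: never prompt; -v: validate only.
    if sudo -Nnv >/dev/null 2>&1; then
        echo active; return 0
    fi
    echo inactive; return 1
}

# Prompt hook: prints a marker only while the cache is active, so any sudo
# call from this shell would run without a password prompt.
sudo_prompt_marker() {
    [ "$(sudo_cache_state)" = active ] && printf '[sudo cached] '
    return 0
}

# In ~/.bashrc:  PS1='$(sudo_prompt_marker)\u@\h:\w\$ '
```

Because the check runs on every prompt, "unknown" is deliberately distinct from "inactive": it means the prompt cannot tell, not that the cache is empty.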