Bug 905 - Man page description of credential caching is misleading/incomplete
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Documentation
Version: 1.8.21
Hardware: PC Linux
Importance: low low
Assigned To: Todd C. Miller
Reported: 2019-10-30 04:37 MDT by Bill Dietrich
Modified: 2019-12-31 15:13 MST (History)
Description Bill Dietrich 2019-10-30 04:37:36 MDT
Newbie here, hope I'm not doing anything wrong.

The sudo man page says "credential caching to allow the user to run sudo again for a period of time without requiring authentication".  But I think the word "user" is wrong or misleading.  In fact the terminal or pty, not the user ID, is the basis for the caching.

I found this by opening a terminal window and running veracrypt from CLI.  The veracrypt app pops up a GUI and asks for password and does a sudo or equivalent.  When veracrypt quit (normally), I found that my terminal now had sudo credential caching enabled; I could run sudo and it wouldn't ask me for password (for next 15 minutes or whatever).

If I opened another terminal, sudo there DID ask me for password.  So the caching must be on basis of pty (or parent process), not user ID or login session.

I found this behavior (the pty basis of the caching) surprising, and I think it should be documented.  From my POV, the child process (veracrypt) escalated the privilege of the parent process (terminal session), which is surprising.  I guess in retrospect it makes sense, but it should be documented clearly on the man page.

I'm using sudo version 1.8.21p2 on Linux Mint 19.2 Cinnamon.  On that system, the man page is SUDO(8).

Thanks.
Comment 1 Todd C. Miller 2019-11-01 12:43:39 MDT
Sudo's behavior here is configurable, which is why the man page doesn't have a whole lot of detail.

The behavior can be controlled via the "timestamp_type" option in sudoers and the sudoers man page includes a good description of it. It is probably worth pointing the user to that description from the sudo man page.

Newer versions of sudo also include a sudoers_timestamp man page which has a lot of detail on how the time stamp file is stored and used.

I've changed that text in sudoers to be:

Security policies may support credential caching to allow the user to run sudo again for a period of time without requiring authentication.  By default, the sudoers policy caches credentials on a per-terminal basis for 5 minutes.  See the timestamp_type and timestamp_timeout options in sudoers(5) for more information.
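An added example, not part of this bug report or of sudo's own code: a POSIX shell audit that reads the two sudoers options named above (timestamp_type, timestamp_timeout) from a constructed sudoers text and flags settings that widen the credential cache beyond a single terminal or never expire it. The function names and the sample sudoers content are assumptions; only plain "Defaults name=value" lines are parsed.

```shell
# Constructed sample sudoers text (not a real system file).
SAMPLE_SUDOERS='Defaults env_reset
# comment mentioning timestamp_type=ppid that must be ignored
Defaults timestamp_type=global
Defaults timestamp_timeout=15
root ALL=(ALL:ALL) ALL'

# Print the value of one Defaults option from sudoers text on stdin.
# $1 = option name, $2 = value to print when the option is not set.
# Comment lines are skipped; the last matching Defaults line wins.
sudoers_option() {
    val=$(grep -v '^[[:space:]]*#' | grep '^Defaults' |
          sed -n "s/.*$1=\([^, ]*\).*/\1/p" | tail -n 1)
    printf '%s\n' "${val:-$2}"
}

# Report how cached credentials are scoped. Prints one finding per option
# and returns 1 when the cache is shared across terminals or never expires.
# Defaults are tty and 5 minutes, as documented in sudoers(5).
audit_sudo_caching() {
    type=$(printf '%s\n' "$1" | sudoers_option timestamp_type tty)
    timeout=$(printf '%s\n' "$1" | sudoers_option timestamp_timeout 5)
    rc=0
    case "$type" in
        global) printf 'WARN timestamp_type=global: one authentication unlocks every terminal of the user\n'; rc=1 ;;
        tty)    printf 'INFO timestamp_type=tty: cache shared by every process on the terminal, including GUI tools launched from it\n' ;;
        ppid)   printf 'OK   timestamp_type=ppid: cache limited to the parent process that ran sudo\n' ;;
        kernel) printf 'OK   timestamp_type=kernel: cache kept by the kernel per process (OpenBSD only)\n' ;;
        *)      printf 'WARN unrecognised timestamp_type=%s\n' "$type"; rc=1 ;;
    esac
    case "$timeout" in
        0)  printf 'OK   timestamp_timeout=0: no credential caching\n' ;;
        -*) printf 'WARN timestamp_timeout=%s: cached credentials never expire\n' "$timeout"; rc=1 ;;
        *)  printf 'INFO timestamp_timeout=%s minutes\n' "$timeout" ;;
    esac
    return $rc
}

# Stand-alone run over the constructed sample (flags the global scope).
if ! audit_sudo_caching "$SAMPLE_SUDOERS"; then
    printf 'Tighten with "Defaults timestamp_type=ppid" or "Defaults timestamp_timeout=0" via visudo\n'
fi
```

On a real system, feed it the output of `visudo -c`-checked files rather than editing /etc/sudoers by hand.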
Comment 2 Todd C. Miller 2019-12-31 15:13:05 MST
Closing due to wording changes in the manual.