[sudo-users] possible per-tty timestamp changes

Todd C. Miller Todd.Miller at courtesan.com
Tue Jul 28 14:51:36 EDT 2009


I've been mulling over some changes in behavior when per-tty
timestamps are in use (the tty_tickets sudoers option).  Most Linux
distros ship sudo with this option enabled.

Changes I've been considering:

1) If the tty cannot be determined (due to both stdin and stdout being
   redirected or a pipe), always prompt for a password.  The current
   behavior is to use a catch-all timestamp file (called "unknown"
   in the user's sudo timestamp directory) which seems to confuse
   people.  This would likely mean that gui-based programs that
   invoke sudo would always have to supply a password.

2) Make "sudo -K" remove all per-tty timestamp files, not just the
   current tty timestamp.  The behavior of "sudo -k" would be
   unchanged.  This would allow people to clean up all their sudo
   per-tty timestamps when they log out.

I'm wondering if these changes would negatively impact people's
current use of sudo.  Note that these changes would only affect
things when the tty_tickets option is enabled.

 - todd
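
The two proposed changes, modelled against a temporary directory as an added example; it is not part of the original post and is not sudo's code. The one-file-per-tty naming, the 5-minute lifetime and the function names are assumptions of the model; only the "unknown" catch-all name comes from the post.

```python
import os
import tempfile

TIMEOUT = 5 * 60  # assumed ticket lifetime in seconds (model value)

def ticket_name(tty):
    # Assumption: one file per tty; "unknown" is the catch-all named in the post.
    return "unknown" if tty is None else tty.replace("/", "_")

def must_prompt(user_dir, tty, now, proposed):
    """True when a password is required; proposed=True applies change 1."""
    if tty is None and proposed:
        return True  # change 1: no tty, always prompt
    try:
        mtime = os.stat(os.path.join(user_dir, ticket_name(tty))).st_mtime
    except FileNotFoundError:
        return True
    return now - mtime > TIMEOUT

def record_auth(user_dir, tty, now, proposed):
    """Write or refresh the ticket after a successful password entry."""
    if tty is None and proposed:
        return  # change 1: nothing is cached for tty-less invocations
    path = os.path.join(user_dir, ticket_name(tty))
    open(path, "a").close()
    os.utime(path, (now, now))

def remove_tickets(user_dir, tty, proposed):
    """Model of "sudo -K"; proposed=True applies change 2 (remove every ticket)."""
    names = os.listdir(user_dir) if proposed else [ticket_name(tty)]
    for name in names:
        try:
            os.remove(os.path.join(user_dir, name))
        except FileNotFoundError:
            pass

def scenario(proposed):
    """Returns (second tty-less caller skipped the prompt, tickets left after -K)."""
    now = 1_000_000.0  # constructed clock value
    with tempfile.TemporaryDirectory() as user_dir:
        for tty in ("pts/0", "pts/1", None):  # None: a GUI helper with no tty
            record_auth(user_dir, tty, now, proposed)
        reused = not must_prompt(user_dir, None, now + 60, proposed)
        remove_tickets(user_dir, "pts/0", proposed)  # -K typed on pts/0
        return reused, sorted(os.listdir(user_dir))

if __name__ == "__main__":
    print("current: ", scenario(False))
    print("proposed:", scenario(True))
```

In the current-behaviour run the second tty-less caller inherits the first one's ticket and the tickets for the other tty and for "unknown" survive the -K; in the proposed run neither happens.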


