[sudo-users] Force certain command_timeout for some commands
Markus Linnala
Markus.Linnala at cybercom.com
Wed Oct 17 08:31:41 MDT 2018
How can I enforce command_timeout per command?
I'm not able to force a command_timeout for a command. To enable command_timeout I need to have -T option when running sudo.
My idea:
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/dash, /usr/bin/bash
Defaults!SHELLS user_command_timeouts, command_timeout=1h
user ALL=(root) TIMEOUT=1h SHELLS
and expectation is to sudo -i (login shell is /usr/bin/bash) to timeout after 1h.
Also this does not work either:
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/dash, /usr/bin/bash
Defaults user_command_timeouts, command_timeout=1h
user ALL=(root) SHELLS
Only way to enable timeout is to have -T option when running sudo and as users can set what ever they want, the enforcement is not possible at the moment.
sudoers manual says: If a timeout is specified both in the sudoers file and on the command line, the smaller of the two timeouts will be used.
So I assume if -T is not defined, then its value is set to 0 and that is less than my value and it disables command_timeout handling.
More information about the sudo-users
mailing list