[sudo-users] retrieving the remain time of a cached credential

Todd C. Miller Todd.Miller at sudo.ws
Tue Sep 17 21:06:58 MDT 2019


On Tue, 17 Sep 2019 16:27:42 -0000, Dennis Schwartz via sudo-users wrote:

> I was wondering if it is possible to get the time left before a cached
> credential expires.

There's no current way for a user to get the amount of time before
a cached credential expires.  There is a "tsdump" program in the
sudo source tree but it is not built by default and has to be run
by root.

> I understood that sudo stores the timeout information for credential
> caching in the file `/var/run/sudo/ts/<user>`. While this file is not
> readable by anyone except root, I was wondering if it is still possible
> for a normal user to check if their credentials are cached or
> not *without updating the timestamp file*.

> timestamp file by temporarily setting `limit filesize 0`. (Which might

There's currently no way to do this without updating the timestamp
file in the event that the credential is cached.

> After some searching on the Internet, I found two techniques to check
> if a user has its credential cached:
>
>  * `sudo -S </dev/null true 2>/dev/null; echo $?` [1]
>    (doesn’t send a security email)
>  * `sudo -n true 2>/dev/null; echo $?` [1,2]
>    (sends a security email)
>
> However, both these commands update the cached credential while I only
> want to check whether a credential is cached or not.

I think "sudo -nv" is probably better than the above since it won't
send an email if the user is not in sudoers.  It will, however,
update the timestamp on success.

Can you elaborate on your use case?  Do you really want the amount
of time before the timestamp expires or just a way to determine
whether or not a password will be required?
 
 - todd

