[sudo-users] retrieving the remain time of a cached credential

Dennis Schwartz dennis.schwartz at protonmail.com
Wed Sep 18 13:31:06 MDT 2019 

Hello Todd,

Thank you for your reply.

On Wednesday, September 18, 2019 5:06 AM, Todd C. Miller <Todd.Miller at sudo.ws> wrote:

> On Tue, 17 Sep 2019 16:27:42 -0000, Dennis Schwartz via sudo-users wrote:
> > I was wondering if it is possible to get the time left before a cached
> > credential expires.
>
> There's no current way for a user to get the amount of time before
> a cached credential expires. There is a "tsdump" program in the
> sudo source tree but it is not build by default and has to be run
> by root.

[snip]

> There's currently no way to do this without updating the timestamp
> file in the event that the credential is cached.

Clear, thanks for confirming this.

> > After some searching on the Internet, I found two techniques to check
> > if a user has its credential cached:
> >
> > -   `sudo -S </dev/null true 2>/dev/null; echo $?` [1]
> >     (doesn’t send a security email)
> >
> > -   `sudo -n true 2>/dev/null; echo $?` [1,2]
> >     (sends a security email)
> >
> >
> > However, both these commands update the cached credential while I only
> > want to check whether a credential is cached or not.
>
> I think "sudo -nv" is probably better than the above since it won't
> send an email if the user is not in sudoers. It will, however,
> update the timestamp on success.
>
> Can you elaborate on your use case?

My use case would be similar to [1]: I want to let Zsh 'poll' whether a
credential is (still) cached or not. Ideally, I want to show on the
terminal whether sudo cached my credentials or not. Since, I want to
poll the status every 10 seconds or so, I cannot have the timestamp
updated as that would mean the credential never expires.

I can probably achieve something similar by aliasing 'sudo' (e.g.,
`alias sudo='SUDO_LAST_USED=$(date +%s); sudo '`), but I would be nicer
to use sudo's internals for this (if available).

> Do you really want the amount of time before the timestamp expires or
> just a way to determine whether or not a password will be required?

You're right that I only want to know whether a password is required or
not. I don't necessarily need to know (for my use case) how long the
credential is still cached.


Cheers,
Dennis

[1] https://unix.stackexchange.com/questions/412609/

More information about the sudo-users mailing list