[sudo-users] retrieving the remain time of a cached credential
dennis.schwartz at protonmail.com
Wed Sep 18 13:31:06 MDT 2019
Thank you for your reply.
On Wednesday, September 18, 2019 5:06 AM, Todd C. Miller <Todd.Miller at sudo.ws> wrote:
> On Tue, 17 Sep 2019 16:27:42 -0000, Dennis Schwartz via sudo-users wrote:
> > I was wondering if it is possible to get the time left before a cached
> > credential expires.
> There's no current way for a user to get the amount of time before
> a cached credential expires. There is a "tsdump" program in the
> sudo source tree but it is not built by default and has to be run
> by root.
> There's currently no way to do this without updating the timestamp
> file in the event that the credential is cached.
Clear, thanks for confirming this.
> > After some searching on the Internet, I found two techniques to check
> > if a user has its credential cached:
> > - `sudo -S </dev/null true 2>/dev/null; echo $?` 
> > (doesn’t send a security email)
> > - `sudo -n true 2>/dev/null; echo $?` [1,2]
> > (sends a security email)
> > However, both these commands update the cached credential while I only
> > want to check whether a credential is cached or not.
> I think "sudo -nv" is probably better than the above since it won't
> send an email if the user is not in sudoers. It will, however,
> update the timestamp on success.
> Can you elaborate on your use case?
My use case would be similar to: I want to let Zsh 'poll' whether a
credential is (still) cached or not. Ideally, I want to show on the
terminal whether sudo cached my credentials or not. Since I want to
poll the status every 10 seconds or so, I cannot have the timestamp
updated as that would mean the credential never expires.
I can probably achieve something similar by aliasing 'sudo' (e.g.,
`alias sudo='SUDO_LAST_USED=$(date +%s); sudo '`), but it would be nicer
to use sudo's internals for this (if available).
> Do you really want the amount of time before the timestamp expires or
> just a way to determine whether or not a password will be required?
You're right that I only want to know whether a password is required or
not. I don't necessarily need to know (for my use case) how long the
credential is still cached.
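
The last-use tracking idea from the message above, as an added example that is not part of the original post or of sudo: a wrapper records when sudo last succeeded, so a prompt can estimate the cache state without calling sudo and refreshing the timestamp. The names `sudo_tracked`, `sudo_probably_cached`, `SUDO_BIN` and `SUDO_TIMEOUT_SECS` are hypothetical, and the 300-second value assumes a sudoers `timestamp_timeout` of 5 minutes.

```shell
# Added sketch; every name here is hypothetical, none is provided by sudo.
SUDO_BIN=${SUDO_BIN:-sudo}                   # overridable so it can be tested
# Assumption: sudoers timestamp_timeout is 5 minutes.
SUDO_TIMEOUT_SECS=${SUDO_TIMEOUT_SECS:-300}
SUDO_LAST_USED=${SUDO_LAST_USED:-}           # epoch seconds, empty = unknown

# Run sudo and remember when it last succeeded; no extra sudo call is made.
sudo_tracked() {
    case "${1:-}" in
        -k|-K)
            # The user invalidated the ticket: forget our stamp as well.
            SUDO_LAST_USED=""
            "$SUDO_BIN" "$@"
            return $?
            ;;
    esac
    # Take the time before sudo runs. It is never later than sudo's own
    # timestamp update, so the estimate expires no later than the ticket.
    _st_start=$(date +%s)
    _st_rc=0
    "$SUDO_BIN" "$@" || _st_rc=$?
    # Exit 0 means authentication succeeded. A non-zero status is ambiguous
    # (rejected password or failing command), so the old stamp is kept.
    if [ "$_st_rc" -eq 0 ]; then
        SUDO_LAST_USED=$_st_start
    fi
    return "$_st_rc"
}

# Return 0 if a ticket is probably still cached at time $1 (default: now).
sudo_probably_cached() {
    _sp_now=${1:-$(date +%s)}
    [ -n "$SUDO_LAST_USED" ] || return 1
    [ $(( _sp_now - SUDO_LAST_USED )) -lt "$SUDO_TIMEOUT_SECS" ]
}

# Typical use (zsh or bash): alias sudo=sudo_tracked, then call
# sudo_probably_cached from the prompt hook every few seconds.
```

The result is an estimate only: it does not see `sudo -k` run outside the wrapper, sudo calls that bypass it, or tickets belonging to other terminals.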