[sudo-users] retrieving the remain time of a cached credential

Dennis Schwartz dennis.schwartz at protonmail.com
Thu Sep 26 09:41:04 MDT 2019

On Tuesday, September 17, 2019 6:27 PM, Dennis Schwartz via sudo-users <sudo-users at sudo.ws> wrote:

> I was wondering if it is possible to get the time left before a cached
> credential expires.

Again, thanks for all the replies. I've finally settled with defining my own
zsh function to get an estimate of the last time `sudo` was successfully run:

    function sudo {
        local SUDO_CALLED=$(date +%s)
        if env $0 "$@"; then
            for argv in "$@"; do
                if [ "$argv" = "-k" ]; then

A similar function can be defined for `sudoedit`.

> The only workaround I have seen, is to prevent sudo from writing to the
> timestamp file by temporarily setting `limit filesize 0`. (Which might
> be considered a security issue since it prevents sending the email as
> well.)

This, that `sudo` can be quite easily prevented of sending security email
is the only thing that still bothers me a bit.
For example, one could define the function

    sudo-no-email () {
            trap "" XFSZ
            limit filesize 0
            sudo $@

and run `sudo-no-email touch /root/some-file` and no security email would
ever be sent if the sudo command fails.

Isn't this regarded as a security issue? If not, what's the point of the
security emails?

Thanks again.


More information about the sudo-users mailing list