[sudo-users] retrieving the remain time of a cached credential

Dennis Schwartz dennis.schwartz at protonmail.com
Thu Sep 26 10:20:05 MDT 2019


On Thursday, September 26, 2019 5:56 PM, Todd C. Miller <Todd.Miller at sudo.ws> wrote:

> On Thu, 26 Sep 2019 15:41:04 -0000, Dennis Schwartz via sudo-users wrote:
>
> > This, that `sudo` can be quite easily prevented from sending security email,
> > is the only thing that still bothers me a bit.
> > For example, one could define the function
> >
> >     sudo-no-email () {
> >         (
> >             trap "" XFSZ
> >             limit filesize 0
> >             sudo $@
> >         )
> >     }
> >
> >
> > and run `sudo-no-email touch /root/some-file` and no security email would
> > ever be sent if the sudo command fails.
>
> This doesn't work in my experience. If you set the filesize to
> zero sudo won't be able to function, at least with the current
> version of sudo. It might have worked on older versions of sudo
> where the time stamp record was a zero-length file.
>
> Here's what I see on Ubuntu 18.04.3 with filesize set to 0:
>
>     $ sudo id
>     Filesize limit exceeded (core dumped)
>
> It probably makes sense for sudo to enforce minimum resource limits
> but it's not clear exactly what those minimum values should be.

Hmm, strange. I don't run Ubuntu, but under Arch Linux and Debian (buster)
I get

    $ sudo-no-mail ls
    sudo: unable to write to /run/sudo/ts/[username]: File too large
    [sudo] password for [username]:
    test
    $ sudo-no-mail ls
    sudo: unable to write to /run/sudo/ts/[username]: File too large
    [sudo] password for [username]:
    Sorry, try again.
    [sudo] password for [username]:
    Sorry, try again.
    [sudo] password for [username]:
    sudo: 3 incorrect password attempts
    $ sudo --version
    Sudo version 1.8.27
    Sudoers policy plugin version 1.8.27
    Sudoers file grammar version 46
    Sudoers I/O plugin version 1.8.27


The only thing I see is that setting `limit filesize 0` is not enough: I
also need to trap XFSZ (file size limit exceeded) with nothing.
Not sure what else could be different between our experiments.


Cheers,
Dennis
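
The "File too large" behaviour reported in this message, as an added C example (not part of the original post and not sudo's code): with SIGXFSZ ignored and a soft file size limit of 0, `write()` fails with EFBIG instead of the process being killed, and raising the soft limit back to the hard limit before writing is one form the minimum-limit enforcement mentioned in the thread could take. The function names and the /tmp scratch path are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Write one byte to a scratch file (assumed path under /tmp).
 * Returns 0 on success, otherwise the errno of the failing call. */
int try_write(void) {
    char path[] = "/tmp/fsize-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return errno;
    int err = (write(fd, "x", 1) == 1) ? 0 : errno;
    close(fd);
    unlink(path);
    return err;
}

/* Constructed stand-in for the caller's environment in the thread:
 * SIGXFSZ ignored (an ignored signal stays ignored across exec) and a
 * soft file size limit of 0. Only the soft limit is lowered here, so
 * no privilege is needed to undo it. */
int inherit_hostile_limits(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0) return -1;
    rl.rlim_cur = 0;
    if (signal(SIGXFSZ, SIG_IGN) == SIG_ERR) return -1;
    return setrlimit(RLIMIT_FSIZE, &rl);
}

/* Hypothetical hardening step for a privileged program: raise the soft
 * limit back to the hard limit before writing state or logs. A lowered
 * hard limit would additionally need CAP_SYS_RESOURCE to raise. */
int restore_fsize_limit(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0) return -1;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_FSIZE, &rl);
}

int main(void) {
    printf("baseline:         %s\n", strerror(try_write()));
    if (inherit_hostile_limits() != 0) return 1;
    printf("limit 0, SIG_IGN: %s\n", strerror(try_write()));
    if (restore_fsize_limit() != 0) return 1;
    printf("limit restored:   %s\n", strerror(try_write()));
    return 0;
}
```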

