[sudo-workers] Where is the sudo timestamp directory on OS X?
Todd C. Miller
Todd.Miller at courtesan.com
Tue Aug 11 20:36:54 MDT 2015
On Tue, 11 Aug 2015 14:57:14 -0700, Ron Garret wrote:
> SLSIA. The man page says it's supposed to be in /var/db/sudo or /var/adm/sudo
> but there doesn't seem to actually be anything in either of those places.
>
> Also, is there any documentation for the format of the files in the timestamp
> directory? If not, could someone please point me to the right place in the
> code to start reverse-engineering it?

You can query the sudo binary itself to get the path. E.g.

    # sudo -V | grep timestamp
    Path to authentication timestamp dir: /var/db/sudo

Note that you need to run "sudo -V" as root to get this info (or
run sudo twice).

The old version of sudo that ships with Mac OS X (1.7.10p7) puts
the timestamp files in /var/db/sudo/username directories. In this
version of sudo the files each contain the following struct:

    static struct tty_info {
        dev_t dev;              /* ID of device tty resides on */
        dev_t rdev;             /* tty device ID */
        ino_t ino;              /* tty inode number */
        struct timeval ctime;   /* tty inode change time */
        pid_t sid;              /* ID of session with controlling tty */
    } tty_info;

See http://www.sudo.ws/repos/sudo/file/ddf399e3e306/check.c for
more details.

In sudo 1.8.10 and higher the timestamp files have moved to
/var/run/sudo on most platforms and have a different format.
Here there is one timestamp file per user and it can contain
multiple entries:

    struct timestamp_entry {
        unsigned short version; /* version number */
        unsigned short size;    /* entry size */
        unsigned short type;    /* TS_GLOBAL, TS_TTY, TS_PPID */
        unsigned short flags;   /* TS_DISABLED, TS_ANYUID */
        uid_t auth_uid;         /* uid to authenticate as */
        pid_t sid;              /* session ID associated with tty/ppid */
        struct timespec ts;     /* timestamp (CLOCK_MONOTONIC) */
        union {
            dev_t ttydev;       /* tty device number */
            pid_t ppid;         /* parent pid */
        } u;
    };

See http://www.sudo.ws/repos/sudo/file/3ad7296390f2/plugins/sudoers/check.h
and http://www.sudo.ws/repos/sudo/file/3ad7296390f2/plugins/sudoers/timestamp.c
for more info.

- todd
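
Added example, not part of the message above and not sudo's own code: a small C reader for the sudo 1.8.10+ per-user timestamp file that walks the records and rejects truncated or mismatched ones, for anyone inspecting these files. The TS_* numeric values are assumed from sudo's check.h (the message names them without values), the name ts_parse and the sample values are made up for illustration, and the struct has to be compiled for the same platform and ABI as the sudo that wrote the file.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>

enum { TS_GLOBAL = 1, TS_TTY, TS_PPID }; /* values assumed from sudo's check.h */
/* Layout as quoted in the message; padding follows the build platform. */
struct timestamp_entry {
    unsigned short version, size, type, flags;
    uid_t auth_uid;
    pid_t sid;
    struct timespec ts;
    union { dev_t ttydev; pid_t ppid; } u;
};

/* Store the first max records of buf in out and return the record count,
 * or -1 if a record is truncated or its size field disagrees with the struct. */
int ts_parse(const unsigned char *buf, size_t len,
             struct timestamp_entry *out, int max)
{
    struct timestamp_entry e;
    size_t off;
    int n = 0;
    for (off = 0; off < len; off += e.size, n++) {
        if (len - off < sizeof(e))
            return -1;                     /* truncated record */
        memcpy(&e, buf + off, sizeof(e));  /* buf may be unaligned */
        if (e.size != sizeof(e))
            return -1;                     /* other version, ABI, or damage */
        if (n < max)
            out[n] = e;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: one tty record and one ppid record. */
    struct timestamp_entry in[2], out[2];
    memset(in, 0, sizeof(in));
    in[0].version = in[1].version = 1;
    in[0].size = in[1].size = sizeof(in[0]);
    in[0].type = TS_TTY;  in[0].sid = 4242;
    in[1].type = TS_PPID; in[1].u.ppid = 4100;
    int n = ts_parse((const unsigned char *)in, sizeof(in), out, 2);
    for (int i = 0; i < n; i++)
        printf("entry %d: type=%d sid=%d\n", i, out[i].type, (int)out[i].sid);
    return n == 2 ? 0 : 1;
}
```

The ts field is CLOCK_MONOTONIC, so compare it with clock_gettime(CLOCK_MONOTONIC) on the same boot rather than with wall-clock time.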