[sudo-workers] Where is the sudo timestamp directory on OS X?
Ron Garret
ron at flownet.com
Tue Aug 11 23:44:39 MDT 2015
On Aug 11, 2015, at 7:36 PM, Todd C. Miller <Todd.Miller at courtesan.com> wrote:
> On Tue, 11 Aug 2015 14:57:14 -0700, Ron Garret wrote:
>
>> SLSIA. The man page says it's supposed to be in /var/db/sudo or /var/adm/sudo
>> but there doesn't seem to actually be anything in either of those places.
>>
>> Also, is there any documentation for the format of the files in the timestamp
>> directory? If not, could someone please point me to the right place in the
>> code to start reverse-engineering it?
>
> You can query the sudo binary itself to get the path. E.g.
>
> # sudo -V | grep timestamp
> Path to authentication timestamp dir: /var/db/sudo
>
> Note that you need to run "sudo -V" as root to get this info (or
> run sudo twice).

Ah, that’s a neat trick. Thanks!

> The old version of sudo that ships with Mac OS X (1.7.10p7) puts
> the timestamp files in /var/db/sudo/username directories. In this
> version of sudo the files each contain the following struct:
>
> static struct tty_info {
>     dev_t dev;                  /* ID of device tty resides on */
>     dev_t rdev;                 /* tty device ID */
>     ino_t ino;                  /* tty inode number */
>     struct timeval ctime;       /* tty inode change time */
>     pid_t sid;                  /* ID of session with controlling tty */
> } tty_info;
>
> See http://www.sudo.ws/repos/sudo/file/ddf399e3e306/check.c for
> more details.

Thanks.

So there is something very peculiar going on on my machine (running OS X Mavericks, but I see the same thing in Yosemite):

[ron at mighty:~]➔ sudo -k
[ron at mighty:~]➔ sudo ls -a /var/db/sudo/ron
Password:
. ..
[ron at mighty:~]➔ sudo ls -a /var/db/sudo/ron
. ..

i.e. I am authenticated to sudo, it is granting me access without a password, but /var/db/sudo/ron is empty.

This seems to have some significant security implications. Is there any way that this could be the expected behavior?

rg
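
Added example (not code from sudo or from either poster): a minimal C reader for the timestamp record quoted above, which rejects any file whose length is not exactly one struct and compares the record's device and inode fields with a tty's stat data. The function names and the comparison are assumptions for illustration; the record is a raw native struct, so build this on the same platform and architecture as the sudo that wrote the file.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>

/* Record layout as quoted in the message above (sudo 1.7.10p7). */
struct tty_info {
    dev_t dev;            /* ID of device tty resides on */
    dev_t rdev;           /* tty device ID */
    ino_t ino;            /* tty inode number */
    struct timeval ctime; /* tty inode change time */
    pid_t sid;            /* ID of session with controlling tty */
};

/* Decode one record; returns -1 unless len is exactly one struct. */
int parse_ticket(const unsigned char *buf, size_t len, struct tty_info *out)
{
    if (len != sizeof(*out))
        return -1;
    memcpy(out, buf, sizeof(*out)); /* native layout, no byte swapping */
    return 0;
}

/* Returns 1 if the record's device and inode fields match a tty's stat data. */
int ticket_matches_tty(const struct tty_info *ti, const struct stat *sb)
{
    return ti->dev == sb->st_dev && ti->rdev == sb->st_rdev &&
           ti->ino == sb->st_ino;
}

int main(int argc, char **argv)
{
    unsigned char buf[sizeof(struct tty_info) + 1]; /* +1 exposes oversize files */
    struct tty_info ti;
    struct stat sb;
    FILE *fp = argc == 3 ? fopen(argv[1], "rb") : NULL;
    size_t n = fp ? fread(buf, 1, sizeof(buf), fp) : 0;
    if (fp)
        fclose(fp);
    if (parse_ticket(buf, n, &ti) != 0 || stat(argv[2], &sb) != 0) {
        fprintf(stderr, "usage: prog ticket-file tty-device (read %zu bytes)\n", n);
        return 1;
    }
    printf("ino=%llu sid=%ld ctime=%ld matches_tty=%d\n",
           (unsigned long long)ti.ino, (long)ti.sid, (long)ti.ctime.tv_sec,
           ticket_matches_tty(&ti, &sb));
    return 0;
}
```

Both paths are supplied by the caller: the first is a file under the timestamp directory reported by `sudo -V`, the second is the tty device to compare against.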