
In the timestamp record, include the start time of the terminal session leader for tty-based timestamps or the start time of the parent process for ppid-based timestamps. Idea from Duncan Overbruck.
millert committed Dec 16, 2017
1 parent 5cec573 commit 1709dc7f77f2d8a3e185c2649fa2a37dc77eaa2d
Showing with 379 additions and 68 deletions.
  1. +1 −0 MANIFEST
  2. +16 −14 doc/sudoers.cat
  3. +25 −23 doc/sudoers.man.in
  4. +25 −23 doc/sudoers.mdoc.in
  5. +19 −6 plugins/sudoers/Makefile.in
  6. +3 −2 plugins/sudoers/check.h
  7. +282 −0 plugins/sudoers/starttime.c
  8. +8 −0 plugins/sudoers/timestamp.c
@@ -515,6 +515,7 @@ plugins/sudoers/set_perms.c
plugins/sudoers/solaris_audit.c
plugins/sudoers/solaris_audit.h
plugins/sudoers/sssd.c
plugins/sudoers/starttime.c
plugins/sudoers/sudo_nss.c
plugins/sudoers/sudo_nss.h
plugins/sudoers/sudo_printf.c
@@ -2772,19 +2772,21 @@ SSEECCUURRIITTYY NNOOTTEESS
with a date greater than current_time + 2 * TIMEOUT will be ignored and
ssuuddooeerrss will log and complain.

Since time stamp files live in the file system, they can outlive a user's
login session. As a result, a user may be able to login, run a command
with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without
authenticating so long as the record's time stamp is within 5 minutes (or
whatever value the timeout is set to in the _s_u_d_o_e_r_s file). When the
_t_t_y___t_i_c_k_e_t_s option is enabled, the time stamp record includes the device
number of the terminal the user authenticated with. This provides per-
tty granularity but time stamp records still may outlive the user's
session. The time stamp record also includes the session ID of the
process that last authenticated. This prevents processes in different
terminal sessions from using the same time stamp record. It also helps
reduce the chance that a user will be able to run ssuuddoo without entering a
password when logging out and back in again on the same terminal.
If the _t_i_m_e_s_t_a_m_p___t_y_p_e option is set to "tty", the time stamp record
includes the device number of the terminal the user authenticated with.
This provides per-terminal granularity but time stamp records may still
outlive the user's session.

Unless the _t_i_m_e_s_t_a_m_p___t_y_p_e option is set to "global", the time stamp
record also includes the session ID of the process that last
authenticated. This prevents processes in different terminal sessions
from using the same time stamp record. On systems where a process's
start time can be queried, the start time of the session leader is
recorded in the time stamp record. If no terminal is present or the
_t_i_m_e_s_t_a_m_p___t_y_p_e option is set to "ppid", the start time of the parent
process is used instead. In most cases this will prevent a time stamp
record from being re-used without the user entering a password when
logging out and back in again.

DDEEBBUUGGGGIINNGG
Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible
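Review bot: in the new SECURITY NOTES paragraph, "On systems where a process's start time can be queried" leaves the other case undocumented: nothing says what the record holds, or how the later check behaves, when the start time is unavailable, so an administrator cannot tell what "In most cases this will prevent" excludes. Suggest one sentence naming the fallback behaviour. sudoers.cat is the preformatted copy of the page, so the wording change belongs in sudoers.mdoc.in and sudoers.man.in as well.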
@@ -2886,4 +2888,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details.

Sudo 1.8.22 December 11, 2017 Sudo 1.8.22
Sudo 1.8.22 December 15, 2017 Sudo 1.8.22
@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "SUDOERS" "5" "December 11, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "5" "December 15, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -5497,31 +5497,33 @@ will be ignored and
\fBsudoers\fR
will log and complain.
.PP
Since time stamp files live in the file system, they can outlive a
user's login session.
As a result, a user may be able to login, run a command with
\fBsudo\fR
after authenticating, logout, login again, and run
\fBsudo\fR
without authenticating so long as the record's time stamp is within
\fR@timeout@\fR
minutes (or whatever value the timeout is set to in the
\fIsudoers\fR
file).
When the
\fItty_tickets\fR
option is enabled, the time stamp record includes the device
number of the terminal the user authenticated with.
This provides per-tty granularity but time stamp records still
may outlive the user's session.
The time stamp record also includes the session ID of the process
If the
\fItimestamp_type\fR
option is set to
\(Lqtty\(Rq,
the time stamp record includes the device number of the terminal
the user authenticated with.
This provides per-terminal granularity but time stamp records may still
outlive the user's session.
.PP
Unless the
\fItimestamp_type\fR
option is set to
\(Lqglobal\(Rq,
the time stamp record also includes the session ID of the process
that last authenticated.
This prevents processes in different terminal sessions from using
the same time stamp record.
It also helps reduce the chance that a user will be able to run
\fBsudo\fR
without entering a password when logging out and back in again
on the same terminal.
On systems where a process's start time can be queried,
the start time of the session leader
is recorded in the time stamp record.
If no terminal is present or the
\fItimestamp_type\fR
option is set to
\(Lqppid\(Rq,
the start time of the parent process is used instead.
In most cases this will prevent a time stamp record from being re-used
without the user entering a password when logging out and back in again.
.SH "DEBUGGING"
Versions 1.8.4 and higher of the
\fBsudoers\fR
@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd December 11, 2017
.Dd December 15, 2017
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -5089,31 +5089,33 @@ will be ignored and
.Nm sudoers
will log and complain.
.Pp
Since time stamp files live in the file system, they can outlive a
user's login session.
As a result, a user may be able to login, run a command with
.Nm sudo
after authenticating, logout, login again, and run
.Nm sudo
without authenticating so long as the record's time stamp is within
.Li @timeout@
minutes (or whatever value the timeout is set to in the
.Em sudoers
file).
When the
.Em tty_tickets
option is enabled, the time stamp record includes the device
number of the terminal the user authenticated with.
This provides per-tty granularity but time stamp records still
may outlive the user's session.
The time stamp record also includes the session ID of the process
If the
.Em timestamp_type
option is set to
.Dq tty ,
the time stamp record includes the device number of the terminal
the user authenticated with.
This provides per-terminal granularity but time stamp records may still
outlive the user's session.
.Pp
Unless the
.Em timestamp_type
option is set to
.Dq global ,
the time stamp record also includes the session ID of the process
that last authenticated.
This prevents processes in different terminal sessions from using
the same time stamp record.
It also helps reduce the chance that a user will be able to run
.Nm sudo
without entering a password when logging out and back in again
on the same terminal.
On systems where a process's start time can be queried,
the start time of the session leader
is recorded in the time stamp record.
If no terminal is present or the
.Em timestamp_type
option is set to
.Dq ppid ,
the start time of the parent process is used instead.
In most cases this will prevent a time stamp record from being re-used
without the user entering a password when logging out and back in again.
.Sh DEBUGGING
Versions 1.8.4 and higher of the
.Nm
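Review bot: the removed sentence ("It also helps reduce the chance ... on the same terminal") made a weaker claim than the new "In most cases this will prevent a time stamp record from being re-used", and the hunk does not say which cases remain. Suggest either listing them (at least the session-ID-only case on systems where the start time cannot be queried, which the preceding sentence implies exists) or keeping the weaker wording in the security notes.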
@@ -161,7 +161,8 @@ SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo editor.lo env.lo \
env_pattern.lo find_path.lo gc.lo goodpath.lo group_plugin.lo \
interfaces.lo iolog.lo iolog_path.lo locale.lo logging.lo \
logwrap.lo mkdir_parents.lo parse.lo policy.lo prompt.lo \
set_perms.lo sudo_nss.lo sudoers.lo timestamp.lo @SUDOERS_OBJS@
set_perms.lo starttime.lo sudo_nss.lo sudoers.lo \
timestamp.lo @SUDOERS_OBJS@

VISUDO_OBJS = editor.o find_path.o goodpath.o locale.o sudo_printf.o visudo.o \
visudo_json.o
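Review bot: starttime.lo is added to SUDOERS_OBJS unconditionally rather than through @SUDOERS_OBJS@, so starttime.c must compile on every supported platform, including those the man page change describes as unable to query a process start time; confirm get_starttime() has a portable fallback that returns an error there rather than a missing-symbol or compile failure.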
@@ -607,12 +608,13 @@ check_addr.o: $(srcdir)/regress/parser/check_addr.c $(devdir)/def_data.h \
$(top_builddir)/pathnames.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/regress/parser/check_addr.c
check_base64.o: $(srcdir)/regress/parser/check_base64.c \
$(incdir)/sudo_compat.h $(top_builddir)/config.h
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/regress/parser/check_base64.c
check_digest.o: $(srcdir)/regress/parser/check_digest.c \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_queue.h \
$(srcdir)/parse.h $(top_builddir)/config.h
$(incdir)/sudo_util.h $(srcdir)/parse.h $(top_builddir)/config.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/regress/parser/check_digest.c
check_env_pattern.o: $(srcdir)/regress/env_match/check_env_pattern.c \
$(devdir)/def_data.h $(incdir)/compat/stdbool.h \
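Review bot: the check_base64.o and check_digest.o dependency changes in this hunk (adding $(incdir)/compat/stdbool.h and $(incdir)/sudo_util.h) are unrelated to the start time feature and look like regenerated dependency output; the same applies to check_gentime.o and check_hexchar.o in the following hunk. Consider committing dependency regeneration separately so the functional change stays easy to review and bisect.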
@@ -634,11 +636,12 @@ check_fill.o: $(srcdir)/regress/parser/check_fill.c $(devdir)/gram.h \
check_gentime.o: $(srcdir)/regress/parser/check_gentime.c \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_debug.h $(incdir)/sudo_queue.h \
$(srcdir)/parse.h $(srcdir)/sudoers_debug.h \
$(top_builddir)/config.h
$(incdir)/sudo_util.h $(srcdir)/parse.h \
$(srcdir)/sudoers_debug.h $(top_builddir)/config.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/regress/parser/check_gentime.c
check_hexchar.o: $(srcdir)/regress/parser/check_hexchar.c \
$(incdir)/sudo_compat.h $(top_builddir)/config.h
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/regress/parser/check_hexchar.c
check_iolog_path.o: $(srcdir)/regress/iolog_path/check_iolog_path.c \
$(devdir)/def_data.c $(devdir)/def_data.h \
@@ -1111,6 +1114,16 @@ sssd.lo: $(srcdir)/sssd.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
$(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
$(top_builddir)/pathnames.h
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/sssd.c
starttime.lo: $(srcdir)/starttime.c $(devdir)/def_data.h \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_util.h $(srcdir)/check.h $(srcdir)/defaults.h \
$(srcdir)/logging.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
$(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
$(top_builddir)/pathnames.h
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/starttime.c
sudo_auth.lo: $(authdir)/sudo_auth.c $(devdir)/def_data.h \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
@@ -34,7 +34,7 @@
* records. Each record starts with a 16-bit version number and a 16-bit
* record size. Multiple record types can coexist in the same file.
*/
#define TS_VERSION 1
#define TS_VERSION 2

/* Time stamp entry types */
#define TS_GLOBAL 0x01
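Review bot: raising TS_VERSION from 1 to 2 is required because the entry layout changes (start_time is inserted into struct timestamp_entry in the next hunk), but its effect is that every record written by an earlier release stops matching after upgrade and users are prompted once more; that should be called out in the release notes, and the comment block above TS_VERSION would benefit from a line recording what version 2 added.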
@@ -46,14 +46,14 @@
#define TS_DISABLED 0x01 /* entry disabled */
#define TS_ANYUID 0x02 /* ignore uid, only valid in the key */

/* XXX - may also want to store uid/gid of tty device */
struct timestamp_entry {
unsigned short version; /* version number */
unsigned short size; /* entry size */
unsigned short type; /* TS_GLOBAL, TS_TTY, TS_PPID */
unsigned short flags; /* TS_DISABLED, TS_ANYUID */
uid_t auth_uid; /* uid to authenticate as */
pid_t sid; /* session ID associated with tty/ppid */
struct timespec start_time; /* session/ppid start time */
struct timespec ts; /* timestamp (CLOCK_MONOTONIC) */
union {
dev_t ttydev; /* tty device number */
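Review bot: start_time is inserted between sid and ts, which shifts ts and the u union and is only safe together with the TS_VERSION bump above; the comment on ts names its clock (CLOCK_MONOTONIC), but the new `struct timespec start_time; /* session/ppid start time */` does not say what time base it holds or that it is a match key compared for equality rather than a value subtracted from ts. Suggest spelling that out in the comment so nobody later compares the two timespecs directly.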
@@ -66,6 +66,7 @@ void timestamp_close(void *vcookie);
bool timestamp_lock(void *vcookie, struct passwd *pw);
bool timestamp_update(void *vcookie, struct passwd *pw);
int timestamp_status(void *vcookie, struct passwd *pw);
int get_starttime(pid_t pid, struct timespec *starttime);
bool already_lectured(int status);
int set_lectured(void);

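Review bot: get_starttime(pid_t pid, struct timespec *starttime) is declared with an int return but no comment on the contract: what it returns on success and failure, and whether *starttime is left untouched or zeroed when the start time cannot be determined. The caller in timestamp.c has to decide what to store in start_time in that case, so document it next to the prototype.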