Number of minutes before the sudo password prompt times out.
The default is 5, set this to 0 for no password timeout.
- --with-tty-tickets
- This makes sudo use a different ticket file for each user/tty combo.
- Ie: instead of the ticket path being "username" it is "username/tty".
- This is useful for "shared" accounts like "operator". Note that this
- means that there will be more files in the timestamp dir. This is not
- a problem if your system has a cron job to remove of files from /tmp
- (or wherever you specified the timestamp dir to be).
+ --without-tty-tickets
+ By default, sudo uses a different ticket file for each user/tty combo.
+ With this option disabled, a single ticket will be used for all
+ of a user's login sessions.
--with-insults
Define this if you want to be insulted for typing an incorrect password
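Review bot: the new --without-tty-tickets text reads ambiguously at "With this option disabled, a single ticket will be used", because the option being described is already the negative form, so "disabled" can be read as the default case. Suggest "If sudo is configured with --without-tty-tickets, a single ticket will be used for all of a user's login sessions." The removed paragraph also carried the two details a packager wants and the new one drops: the on-disk layout ("username/tty" rather than "username") and the reason per-tty tickets matter for shared accounts such as "operator"; keep one sentence of each so INSTALL still explains why the default changed.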
than the boot time are ignored on systems where it is possible to
determine this.
+ * The tty_tickets sudoers option is now enabled by default.
+
* Ancillary documentation (README files, LICENSE, etc) is now installed
in a sudo documentation directory.
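Review bot: the added NEWS line says the tty_tickets default changed but not how to get the old behaviour back. A short pointer ("see UPGRADE", or "use Defaults !tty_tickets in sudoers") would match the boot-time item just above, which states its effect, and save users a search through the documentation.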
/* Define to 1 if you want a two line OTP (S/Key or OPIE) prompt. */
#undef LONG_OTP_PROMPT
+/* Define to the sub-directory in which libtool stores uninstalled libraries.
+ */
+#undef LT_OBJDIR
+
/* The subject of the mail sent by sudo to the MAILTO user/address. */
#undef MAILSUBJECT
/* Define to 1 if root should not be allowed to use sudo. */
#undef NO_ROOT_SUDO
+/* Define to 1 if you want a single ticket file instead of per-tty files. */
+#undef NO_TTY_TICKETS
+
/* Define to the address where bug reports for this package should be sent. */
#undef PACKAGE_BUGREPORT
/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME
+/* Define to the home page for this package. */
+#undef PACKAGE_URL
+
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* The syslog priority sudo will use for successful attempts. */
#undef PRI_SUCCESS
-/* Define to 1 if the `putenv' has a const argument. */
-#undef PUTENV_CONST
-
/* The user sudo should run commands as by default. */
#undef RUNAS_DEFAULT
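Review bot: the removal of PUTENV_CONST in this hunk is unrelated to the tty_tickets change, and nothing else in the diff drops a corresponding putenv test from configure.in, so it looks like autoheader regeneration noise (the LT_OBJDIR and PACKAGE_URL additions earlier in config.h.in point to a newer autoconf and libtool). Confirm the putenv const check was deliberately removed; otherwise keep this generated-header churn out of the commit or call it out in the commit message.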
/* Define to 1 if you use GNU stow packaging. */
#undef USE_STOW
-/* Define to 1 if you want a different ticket file for each tty. */
-#undef USE_TTY_TICKETS
-
/* Define to avoid using the passwd/shadow file for authentication. */
#undef WITHOUT_PASSWD
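Review bot: replacing USE_TTY_TICKETS with the inverted NO_TTY_TICKETS is fine only if nothing else still tests the old macro; any leftover "#ifdef USE_TTY_TICKETS" in the tree would now compile silently as the "off" branch. Grep plugins, docs and sample configuration for USE_TTY_TICKETS before merging, since this diff removes the template but shows only one consumer (plugins/sudoers/defaults.c) being updated.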
env_editor=off
editor=vi
passwd_tries=3
-tty_tickets=off
+tty_tickets=on
insults=off
root_sudo=on
path_info=on
esac
fi
-if test "$tty_tickets" = "on"; then
- $as_echo "#define USE_TTY_TICKETS 1" >>confdefs.h
+if test "$tty_tickets" = "off"; then
+ $as_echo "#define NO_TTY_TICKETS 1" >>confdefs.h
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to include insults" >&5
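Review bot: the inverted test in this hunk (define NO_TTY_TICKETS only when tty_tickets is "off", report "yes" otherwise) is logically correct, but configure is a generated file and should be regenerated from configure.in with the same autoconf version used for config.h.in rather than edited by hand; config.h.in in this diff already carries PACKAGE_URL, which only newer autoconf emits, so a hand-patched configure can drift from it.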
env_editor=off
editor=vi
passwd_tries=3
-tty_tickets=off
+tty_tickets=on
insults=off
root_sudo=on
path_info=on
*) AC_MSG_ERROR(["--with-tty-tickets does not take an argument."])
;;
esac])
-if test "$tty_tickets" = "on"; then
- AC_DEFINE(USE_TTY_TICKETS)
- AC_MSG_RESULT(yes)
-else
+if test "$tty_tickets" = "off"; then
+ AC_DEFINE(NO_TTY_TICKETS)
AC_MSG_RESULT(no)
+else
+ AC_MSG_RESULT(yes)
fi
AC_MSG_CHECKING(whether to include insults)
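Review bot: the "*)" branch still reports "--with-tty-tickets does not take an argument." while INSTALL now documents the option only as --without-tty-tickets. Both spellings are handled by the same AC_ARG_WITH, so --with-tty-tickets remains accepted as a no-op; either mention that in INSTALL or word the message as "--with-tty-tickets/--without-tty-tickets does not take an argument" so the error matches the documented form.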
AH_TEMPLATE(NO_PAM_SESSION, [Define to 1 if you don't want to use sudo's PAM session support])
AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid runing the mailer as root.])
AH_TEMPLATE(NO_ROOT_SUDO, [Define to 1 if root should not be allowed to use sudo.])
+AH_TEMPLATE(NO_TTY_TICKETS, [Define to 1 if you want a single ticket file instead of per-tty files.])
AH_TEMPLATE(PC_INSULTS, [Define to 1 to replace politically incorrect insults with less offensive ones.])
AH_TEMPLATE(SECURE_PATH, [Define to 1 to override the user's path with a built-in one.])
AH_TEMPLATE(SEND_MAIL_WHEN_NOT_OK, [Define to 1 to send mail when the user is not allowed to run a command.])
AH_TEMPLATE(STUB_LOAD_INTERFACES, [Define to 1 if the code in interfaces.c does not compile for you.])
AH_TEMPLATE(USE_INSULTS, [Define to 1 if you want to insult the user for entering an incorrect password.])
AH_TEMPLATE(USE_STOW, [Define to 1 if you use GNU stow packaging.])
-AH_TEMPLATE(USE_TTY_TICKETS, [Define to 1 if you want a different ticket file for each tty.])
AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.])
AH_TEMPLATE(sig_atomic_t, [Define to `int' if <signal.h> does not define.])
AH_TEMPLATE(__signed, [Define to `signed' or nothing if compiler does not support a signed type qualifier.])
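Review bot: the NO_TTY_TICKETS description "a single ticket file instead of per-tty files" disagrees with the sudoers manual text in this same patch, which says that with tty_tickets disabled "the time stamp of the directory is used instead", not a file. Suggest "Define to 1 if you want to use the user's time stamp directory instead of per-tty files"; config.h.in picks the new wording up on the next autoheader run.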
system reboots. Time stamp files older than the boot time are
ignored on systems where it is possible to determine this.
+ Additionally, the tty_tickets sudoers option is now enabled by
+ default. To restore the old behavior (single time stamp per user),
+ add a line like:
+ Defaults !tty_tickets
+ to sudoers or use the --without-tty-tickets configure option.
+
The HOME and MAIL environment variables are now reset based on the
target user's password database entry when the env_reset sudoers option
is enabled (which is the case in the default configuration). Users
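Review bot: the restore instructions ("add a line like: Defaults !tty_tickets ... or use the --without-tty-tickets configure option") should say the sudoers line is added with visudo, and should make the precedence explicit: --without-tty-tickets only changes the compiled-in default, and a Defaults entry in sudoers overrides the compiled-in default in either direction. As written a reader may conclude both steps are required.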
_\bs_\bu_\bd_\bo_\be_\br_\bs uses time stamp files for credential caching. Once a user has
been authenticated, a time stamp is updated and the user may then use
sudo without a password for a short period of time (5 minutes unless
- overridden by the _\bt_\bi_\bm_\be_\bo_\bu_\bt option. By default, _\bs_\bu_\bd_\bo_\be_\br_\bs uses a per-user
- time stamp which means the time stamp is shared across all of a user's
- login sessions. The _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option can be used to enable per-tty
- time stamps instead.
+ overridden by the _\bt_\bi_\bm_\be_\bo_\bu_\bt option. By default, _\bs_\bu_\bd_\bo_\be_\br_\bs uses a tty-based
+ time stamp which means that there is a separate time stamp for each of
+ a user's login sessions. The _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option can be disabled to
+ force the use of a single time stamp for all of a user's sessions.
_\bs_\bu_\bd_\bo_\be_\br_\bs can log both successful and unsuccessful attempts (as well as
errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By default, _\bs_\bu_\bd_\bo_\be_\br_\bs will
-1.8.0b1 July 19, 2010 1
+1.8.0b1 July 20, 2010 1
-1.8.0b1 July 19, 2010 2
+1.8.0b1 July 20, 2010 2
-1.8.0b1 July 19, 2010 3
+1.8.0b1 July 20, 2010 3
-1.8.0b1 July 19, 2010 4
+1.8.0b1 July 20, 2010 4
-1.8.0b1 July 19, 2010 5
+1.8.0b1 July 20, 2010 5
-1.8.0b1 July 19, 2010 6
+1.8.0b1 July 20, 2010 6
-1.8.0b1 July 19, 2010 7
+1.8.0b1 July 20, 2010 7
-1.8.0b1 July 19, 2010 8
+1.8.0b1 July 20, 2010 8
-1.8.0b1 July 19, 2010 9
+1.8.0b1 July 20, 2010 9
-1.8.0b1 July 19, 2010 10
+1.8.0b1 July 20, 2010 10
-1.8.0b1 July 19, 2010 11
+1.8.0b1 July 20, 2010 11
-1.8.0b1 July 19, 2010 12
+1.8.0b1 July 20, 2010 12
-1.8.0b1 July 19, 2010 13
+1.8.0b1 July 20, 2010 13
-1.8.0b1 July 19, 2010 14
+1.8.0b1 July 20, 2010 14
-1.8.0b1 July 19, 2010 15
+1.8.0b1 July 20, 2010 15
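Review bot: the footer lines in this run of hunks, and the matching ones further down, are only date bumps (July 19 to July 20, 2010) from regenerating the preformatted page and carry no content. Consider regenerating sudoers.cat once at release time so that a documentation change does not produce one footer hunk per page and bury the real edits.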
available logs.
tty_tickets If set, users must authenticate on a per-tty basis.
- Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
- the same name as the user running it. With this flag
- enabled, s\bsu\bud\bdo\bo will use a file named for the tty the
+ With this flag enabled, s\bsu\bud\bdo\bo will use a file named for
+ the tty the user is logged in on in the user's time
+ stamp directory. If disabled, the time stamp of the
-1.8.0b1 July 19, 2010 16
+1.8.0b1 July 20, 2010 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- user is logged in on in that directory. This flag is
- _\bo_\bf_\bf by default.
+ directory is used instead. This flag is _\bo_\bn by default.
umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
without modification. This makes it possible to
passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
out, or 0 for no timeout. The timeout may include a
+ fractional component if minute granularity is
-1.8.0b1 July 19, 2010 17
+1.8.0b1 July 20, 2010 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- fractional component if minute granularity is
insufficient, for example 2.5. The default is 5.
timestamp_timeout
-1.8.0b1 July 19, 2010 18
+
+1.8.0b1 July 20, 2010 18
-1.8.0b1 July 19, 2010 19
+1.8.0b1 July 20, 2010 19
-1.8.0b1 July 19, 2010 20
+1.8.0b1 July 20, 2010 20
-1.8.0b1 July 19, 2010 21
+1.8.0b1 July 20, 2010 21
-1.8.0b1 July 19, 2010 22
+1.8.0b1 July 20, 2010 22
-1.8.0b1 July 19, 2010 23
+1.8.0b1 July 20, 2010 23
-1.8.0b1 July 19, 2010 24
+1.8.0b1 July 20, 2010 24
-1.8.0b1 July 19, 2010 25
+1.8.0b1 July 20, 2010 25
-1.8.0b1 July 19, 2010 26
+1.8.0b1 July 20, 2010 26
-1.8.0b1 July 19, 2010 27
+1.8.0b1 July 20, 2010 27
-1.8.0b1 July 19, 2010 28
+1.8.0b1 July 20, 2010 28
-1.8.0b1 July 19, 2010 29
+1.8.0b1 July 20, 2010 29
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "July 19, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "July 20, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
user has been authenticated, a time stamp is updated and the user
may then use sudo without a password for a short period of time
(\f(CW\*(C`@timeout@\*(C'\fR minutes unless overridden by the \fItimeout\fR option.
-By default, \fIsudoers\fR uses a per-user time stamp which means the
-time stamp is shared across all of a user's login sessions. The
-\&\fItty_tickets\fR option can be used to enable per-tty time stamps
-instead.
+By default, \fIsudoers\fR uses a tty-based time stamp which means that
+there is a separate time stamp for each of a user's login sessions.
+The \fItty_tickets\fR option can be disabled to force the use of a
+single time stamp for all of a user's sessions.
.PP
\&\fIsudoers\fR can log both successful and unsuccessful attempts (as well
as errors) to \fIsyslog\fR\|(3), a log file, or both. By default, \fIsudoers\fR
can also be used to list or search the available logs.
.IP "tty_tickets" 16
.IX Item "tty_tickets"
-If set, users must authenticate on a per-tty basis. Normally,
-\&\fBsudo\fR uses a directory in the ticket dir with the same name as
-the user running it. With this flag enabled, \fBsudo\fR will use a
-file named for the tty the user is logged in on in that directory.
-This flag is \fI@tty_tickets@\fR by default.
+If set, users must authenticate on a per-tty basis. With this flag
+enabled, \fBsudo\fR will use a file named for the tty the user is
+logged in on in the user's time stamp directory. If disabled, the
+time stamp of the directory is used instead. This flag is
+\&\fI@tty_tickets@\fR by default.
.IP "umask_override" 16
.IX Item "umask_override"
If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
user has been authenticated, a time stamp is updated and the user
may then use sudo without a password for a short period of time
(C<@timeout@> minutes unless overridden by the I<timeout> option.
-By default, I<sudoers> uses a per-user time stamp which means the
-time stamp is shared across all of a user's login sessions. The
-I<tty_tickets> option can be used to enable per-tty time stamps
-instead.
+By default, I<sudoers> uses a tty-based time stamp which means that
+there is a separate time stamp for each of a user's login sessions.
+The I<tty_tickets> option can be disabled to force the use of a
+single time stamp for all of a user's sessions.
I<sudoers> can log both successful and unsuccessful attempts (as well
as errors) to syslog(3), a log file, or both. By default, I<sudoers>
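Review bot: the context line "(C<@timeout@> minutes unless overridden by the I<timeout> option." opens a parenthesis that is never closed, and the same unbalanced text is carried into sudoers.man.in and sudoers.cat. Since the pod is the source, fix it here ("... the I<timeout> option).") and regenerate the other two. The rewritten default description in the added lines itself reads correctly.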
=item tty_tickets
-If set, users must authenticate on a per-tty basis. Normally,
-B<sudo> uses a directory in the ticket dir with the same name as
-the user running it. With this flag enabled, B<sudo> will use a
-file named for the tty the user is logged in on in that directory.
-This flag is I<@tty_tickets@> by default.
+If set, users must authenticate on a per-tty basis. With this flag
+enabled, B<sudo> will use a file named for the tty the user is
+logged in on in the user's time stamp directory. If disabled, the
+time stamp of the directory is used instead. This flag is
+I<@tty_tickets@> by default.
=item umask_override
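Review bot: the new tty_tickets description explains the mechanism (per-tty file versus directory time stamp) but not the consequence an administrator weighs before adding Defaults !tty_tickets. One sentence after "If disabled, the time stamp of the directory is used instead." would do, for example: with tty_tickets disabled, a password entered on one tty also satisfies sudo in every other session of that user until the time stamp expires; that is the reason the default was flipped.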
#ifdef SEND_MAIL_WHEN_NOT_OK
def_mail_no_perms = TRUE;
#endif
-#ifdef USE_TTY_TICKETS
+#ifndef NO_TTY_TICKETS
def_tty_tickets = TRUE;
#endif
#ifndef NO_LECTURE
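Review bot: the switch to "#ifndef NO_TTY_TICKETS" means a stale config.h that predates this change (no NO_TTY_TICKETS, possibly a leftover USE_TTY_TICKETS 1) now silently yields tty_tickets on. That is the fail-safe direction, so no code change is needed, but a one-line comment here saying the default is on unless configure was run with --without-tty-tickets would stop the next reader from hunting for a USE_TTY_TICKETS define that no longer exists.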