global, ppid or tty. Defaults to tty (no change in behavior).
Some users want the ppid behavior.
"-s" flag imply "-H".
Sudoers option: set_home
+ --enable-timestamp-type=TYPE
+ Set the default time stamp record type. The TYPE may be "global"
+ (a single record per user), "ppid" (a single record for process
+ with the same parent process), or "tty" (a separate record for
+ each login session). The default is "tty".
+ Sudoers option: timestamp_type
+
--with-all-insults
Include all the insult sets listed below. You must either specify
--with-insults or enable insults in the sudoers file for this to
again. The default is 5, set this to 0 to always prompt for a password.
Sudoers option: timestamp_timeout
- --with-tty-tickets=no, --without-tty-tickets
- By default, sudo uses a different ticket file for each user/tty combo.
- With this option disabled, a single ticket will be used for all
- of a user's login sessions.
- Sudoers option: tty_tickets
-
--with-umask=MASK
Umask to use when running the root command. The default is 0022.
Sudoers option: umask
not be terminated when the I/O logging plugin returned an error
to the sudo front-end.
+ * A new "timestamp_type" sudoers setting has been added that replaces
+ the "tty_tickets" option. In addition to tty and global time stamp
+ records, it is now possible to use the parent process ID to restrict
+ the time stamp to commands run by the same process, usually the shell.
+ Bug #793
+
What's new in Sudo 1.8.20p2
* Fixed a bug parsing /proc/pid/stat on Linux when the process
/* Define to 1 if root should not be allowed to use sudo. */
#undef NO_ROOT_SUDO
-/* Define to 1 if you want a single ticket file instead of per-tty files. */
-#undef NO_TTY_TICKETS
-
/* Define if your C preprocessor does not support variadic macros. */
#undef NO_VARIADIC_MACROS
/* The number of minutes before sudo asks for a password again. */
#undef TIMEOUT
+/* Define to global, ppid or tty to set the default timestamp record type. */
+#undef TIMESTAMP_TYPE
+
/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
#undef TIME_WITH_SYS_TIME
path_info
root_sudo
insults
-tty_tickets
+timestamp_type
passwd_tries
env_reset
env_editor
enable_devsearch
with_selinux
enable_sasl
+enable_timestamp_type
enable_gss_krb5_ccache_name
enable_shared
enable_static
--enable-devsearch=PATH The colon-delimited path to search for device nodes
when determing the tty name.
--enable-sasl Enable/disable LDAP SASL support
+ --timestamp-type=TYPE Set the default time stamp record type to global,
+ ppid or tty.
--enable-gss-krb5-ccache-name
Use GSS-API to set the Kerberos V cred cache name
--enable-shared[=PKGS] build shared libraries [default=yes]
env_reset=on
editor=vi
passwd_tries=3
-tty_tickets=on
+timestamp_type=tty
insults=off
root_sudo=on
path_info=on
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $password_timeout" >&5
$as_echo "$password_timeout" >&6; }
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use per-tty ticket files" >&5
-$as_echo_n "checking whether to use per-tty ticket files... " >&6; }
# Check whether --with-tty-tickets was given.
if test "${with_tty_tickets+set}" = set; then :
withval=$with_tty_tickets; case $with_tty_tickets in
- yes) tty_tickets=on
+ yes) timestamp_type=tty
;;
- no) tty_tickets=off
+ no) timestamp_type=global
;;
*) as_fn_error $? "\"--with-tty-tickets does not take an argument.\"" "$LINENO" 5
;;
esac
fi
-if test "$tty_tickets" = "off"; then
- $as_echo "#define NO_TTY_TICKETS 1" >>confdefs.h
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to include insults" >&5
$as_echo_n "checking whether to include insults... " >&6; }
fi
+# Check whether --enable-timestamp-type was given.
+if test "${enable_timestamp_type+set}" = set; then :
+ enableval=$enable_timestamp_type; case "$enableval" in
+ global|ppid|tty)
+ timestamp_type=$enableval
+ ;;
+ *) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-timestamp-type: $enableval" >&5
+$as_echo "$as_me: WARNING: Ignoring unknown argument to --enable-timestamp-type: $enableval" >&2;}
+ ;;
+ esac
+
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define TIMESTAMP_TYPE $timestamp_type
+_ACEOF
+
+
# Check whether --enable-gss_krb5_ccache_name was given.
if test "${enable_gss_krb5_ccache_name+set}" = set; then :
enableval=$enable_gss_krb5_ccache_name; check_gss_krb5_ccache_name=$enableval
AC_SUBST([env_editor])
AC_SUBST([env_reset])
AC_SUBST([passwd_tries])
-AC_SUBST([tty_tickets])
+AC_SUBST([timestamp_type])
AC_SUBST([insults])
AC_SUBST([root_sudo])
AC_SUBST([path_info])
env_reset=on
editor=vi
passwd_tries=3
-tty_tickets=on
+timestamp_type=tty
insults=off
root_sudo=on
path_info=on
AC_DEFINE_UNQUOTED(PASSWORD_TIMEOUT, $password_timeout, [The passwd prompt timeout (in minutes).])
AC_MSG_RESULT($password_timeout)
-AC_MSG_CHECKING(whether to use per-tty ticket files)
AC_ARG_WITH(tty-tickets, [AS_HELP_STRING([--with-tty-tickets], [use a different ticket file for each tty])],
[case $with_tty_tickets in
- yes) tty_tickets=on
+ yes) timestamp_type=tty
;;
- no) tty_tickets=off
+ no) timestamp_type=global
;;
*) AC_MSG_ERROR(["--with-tty-tickets does not take an argument."])
;;
esac])
-if test "$tty_tickets" = "off"; then
- AC_DEFINE(NO_TTY_TICKETS)
- AC_MSG_RESULT(no)
-else
- AC_MSG_RESULT(yes)
-fi
AC_MSG_CHECKING(whether to include insults)
AC_ARG_WITH(insults, [AS_HELP_STRING([--with-insults], [insult the user for entering an incorrect password])],
esac
])
+AC_ARG_ENABLE(timestamp-type,
+[AS_HELP_STRING([--timestamp-type=TYPE], [Set the default time stamp record type to global, ppid or tty.])],
+[ case "$enableval" in
+ global|ppid|tty)
+ timestamp_type=$enableval
+ ;;
+ *) AC_MSG_WARN([Ignoring unknown argument to --enable-timestamp-type: $enableval])
+ ;;
+ esac
+])
+AC_DEFINE_UNQUOTED(TIMESTAMP_TYPE, $timestamp_type)
+
dnl
dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default
dnl
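Review bot: The help string passed to AS_HELP_STRING names the option `--timestamp-type=TYPE`, but `AC_ARG_ENABLE(timestamp-type, ...)` registers it as `--enable-timestamp-type`, so `configure --help` advertises a flag that does not exist. It should read `[AS_HELP_STRING([--enable-timestamp-type=TYPE], [Set the default time stamp record type to global, ppid or tty.])]`; the regenerated configure help text carries the same wording. Separately, an unrecognised TYPE only triggers AC_MSG_WARN, and the build continues with whatever timestamp_type was set earlier, including `global` from `--with-tty-tickets=no`. Because this value decides how widely cached credentials are shared, `AC_MSG_ERROR` would make a typo fail the build instead of silently shipping a different default.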
AH_TEMPLATE(NO_PAM_SESSION, [Define to 1 if you don't want to use sudo's PAM session support.])
AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid runing the mailer as root.])
AH_TEMPLATE(NO_ROOT_SUDO, [Define to 1 if root should not be allowed to use sudo.])
-AH_TEMPLATE(NO_TTY_TICKETS, [Define to 1 if you want a single ticket file instead of per-tty files.])
+AH_TEMPLATE(TIMESTAMP_TYPE, [Define to global, ppid or tty to set the default timestamp record type.])
AH_TEMPLATE(PC_INSULTS, [Define to 1 to replace politically incorrect insults with less offensive ones.])
AH_TEMPLATE(PREFER_PORTABLE_GETCWD, [Define to 1 to enable replacement getcwd if system getcwd is broken.])
AH_TEMPLATE(SECURE_PATH, [A colon-separated list of directories to override the user's PATH with.])
SUDO_USER.
s\bsu\bud\bdo\boe\ber\brs\bs uses per-user time stamp files for credential caching. Once a
- user has been authenticated, a record is written containing the uid that
- was used to authenticate, the terminal session ID, and a time stamp
+ user has been authenticated, a record is written containing the user ID
+ that was used to authenticate, the terminal session ID, and a time stamp
(using a monotonic clock if one is available). The user may then use
s\bsu\bud\bdo\bo without a password for a short period of time (5 minutes unless
overridden by the _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt option). By default, s\bsu\bud\bdo\boe\ber\brs\bs uses a
- separate record for each tty, which means that a user's login sessions
- are authenticated separately. The _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option can be disabled to
- force the use of a single time stamp for all of a user's sessions.
+ separate record for each terminal, which means that a user's login
+ sessions are authenticated separately. The _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be option can be
+ used to select the type of time stamp record s\bsu\bud\bdo\boe\ber\brs\bs will use.
L\bLo\bog\bgg\bgi\bin\bng\bg
s\bsu\bud\bdo\boe\ber\brs\bs can log both successful and unsuccessful attempts (as well as
tty_tickets If set, users must authenticate on a per-tty basis.
With this flag enabled, s\bsu\bud\bdo\bo will use a separate record
- in the time stamp file for each tty. If disabled, a
- single record is used for all login sessions. This
- flag is _\bo_\bn by default.
+ in the time stamp file for each terminal. If disabled,
+ a single record is used for all login sessions.
+
+ This option has been superceded by the _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be
+ option.
umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified in the
_\bs_\bu_\bd_\bo_\be_\br_\bs file without modification. This makes it
locale may affect how sudoers is interpreted. Defaults
to "C".
+ timestamp_type s\bsu\bud\bdo\boe\ber\brs\bs uses per-user time stamp files for credential
+ caching. The _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be option can be used to
+ specify the type of time stamp record used. It has the
+ following possible values:
+
+ global A single time stamp record is used for all of a
+ user's login sessions, regardless of the
+ terminal or parent process ID. An additional
+ record is used to serialize password prompts
+ when s\bsu\bud\bdo\bo is used multiple times in a pipeline,
+ but this does not affect authentication.
+
+ ppid A single time stamp record is used for all
+ processes with the same parent process ID
+ (usually the shell). Commands run from the
+ same shell (or other common parent process)
+ will not require a password for
+ _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt minutes (5 by default).
+ Commands run via s\bsu\bud\bdo\bo with a different parent
+ process ID, for example from a shell script,
+ will be authenticated separately.
+
+ tty One time stamp record is used for each
+ terminal, which means that a user's login
+ sessions are authenticated separately. If no
+ terminal is present, the behavior is the same
+ as _\bp_\bp_\bi_\bd. Commands run from the same terminal
+ will not require a password for
+ _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt minutes (5 by default).
+
+ The default value is _\bt_\bt_\by.
+
+ This setting is only supported by version 1.8.21 or
+ higher.
+
timestampdir The directory in which s\bsu\bud\bdo\bo stores its time stamp
files. This directory should be cleared when the
system reboots. The default is _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo_\b/_\bt_\bs.
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.21 July 21, 2017 Sudo 1.8.21
+Sudo 1.8.21 August 1, 2017 Sudo 1.8.21
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "5" "July 21, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "August 1, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudoers\fR
uses per-user time stamp files for credential caching.
Once a user has been authenticated, a record is written
-containing the uid that was used to authenticate, the
+containing the user ID that was used to authenticate, the
terminal session ID, and a time stamp
(using a monotonic clock if one is available).
The user may then use
\&.
By default,
\fBsudoers\fR
-uses a separate record for each tty, which means that
+uses a separate record for each terminal, which means that
a user's login sessions are authenticated separately.
The
-\fItty_tickets\fR
-option can be disabled to force the use of a
-single time stamp for all of a user's sessions.
+\fItimestamp_type\fR
+option can be used to select the type of time stamp record
+\fBsudoers\fR
+will use.
.SS "Logging"
\fBsudoers\fR
can log both successful and unsuccessful attempts (as well
If set, users must authenticate on a per-tty basis.
With this flag enabled,
\fBsudo\fR
-will use a separate record in the time stamp file for each tty.
+will use a separate record in the time stamp file for each terminal.
If disabled, a single record is used for all login sessions.
-This flag is
-\fI@tty_tickets@\fR
-by default.
+.sp
+This option has been superceded by the
+\fItimestamp_type\fR
+option.
.TP 18n
umask_override
If set,
Defaults to
\(Lq\fRC\fR\(Rq.
.TP 18n
+timestamp_type
+\fBsudoers\fR
+uses per-user time stamp files for credential caching.
+The
+\fItimestamp_type\fR
+option can be used to specify the type of time stamp record used.
+It has the following possible values:
+.PP
+.RS 18n
+.PD 0
+.TP 8n
+global
+A single time stamp record is used for all of a user's login sessions,
+regardless of the terminal or parent process ID.
+An additional record is used to serialize password prompts when
+\fBsudo\fR
+is used multiple times in a pipeline, but this does not affect authentication.
+.PD
+.TP 8n
+ppid
+A single time stamp record is used for all processes with the same parent
+process ID (usually the shell).
+Commands run from the same shell (or other common parent process)
+will not require a password for
+\fItimestamp_timeout\fR
+minutes
+(\fR@timeout@\fR
+by default)
+\&.
+Commands run via
+\fBsudo\fR
+with a different parent process ID, for example from a shell script,
+will be authenticated separately.
+.TP 8n
+tty
+One time stamp record is used for each terminal,
+which means that a user's login sessions are authenticated separately.
+If no terminal is present, the behavior is the same as
+\fIppid\fR.
+Commands run from the same terminal will not require a password for
+\fItimestamp_timeout\fR
+minutes
+(\fR@timeout@\fR
+by default)
+\&.
+.PP
+The default value is
+\fI@timestamp_type@\fR.
+.sp
+This setting is only supported by version 1.8.21 or higher.
+.RE
+.TP 18n
timestampdir
The directory in which
\fBsudo\fR
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd July 21, 2017
+.Dd August 1, 2017
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoers
uses per-user time stamp files for credential caching.
Once a user has been authenticated, a record is written
-containing the uid that was used to authenticate, the
+containing the user ID that was used to authenticate, the
terminal session ID, and a time stamp
(using a monotonic clock if one is available).
The user may then use
.Pc .
By default,
.Nm sudoers
-uses a separate record for each tty, which means that
+uses a separate record for each terminal, which means that
a user's login sessions are authenticated separately.
The
-.Em tty_tickets
-option can be disabled to force the use of a
-single time stamp for all of a user's sessions.
+.Em timestamp_type
+option can be used to select the type of time stamp record
+.Nm sudoers
+will use.
.Ss Logging
.Nm sudoers
can log both successful and unsuccessful attempts (as well
If set, users must authenticate on a per-tty basis.
With this flag enabled,
.Nm sudo
-will use a separate record in the time stamp file for each tty.
+will use a separate record in the time stamp file for each terminal.
If disabled, a single record is used for all login sessions.
-This flag is
-.Em @tty_tickets@
-by default.
+.Pp
+This option has been superceded by the
+.Em timestamp_type
+option.
.It umask_override
If set,
.Nm sudo
Note that changing the locale may affect how sudoers is interpreted.
Defaults to
.Dq Li C .
+.It timestamp_type
+.Nm sudoers
+uses per-user time stamp files for credential caching.
+The
+.Em timestamp_type
+option can be used to specify the type of time stamp record used.
+It has the following possible values:
+.Bl -tag -width 6n
+.It global
+A single time stamp record is used for all of a user's login sessions,
+regardless of the terminal or parent process ID.
+An additional record is used to serialize password prompts when
+.Nm sudo
+is used multiple times in a pipeline, but this does not affect authentication.
+.It ppid
+A single time stamp record is used for all processes with the same parent
+process ID (usually the shell).
+Commands run from the same shell (or other common parent process)
+will not require a password for
+.Em timestamp_timeout
+minutes
+.Po
+.Li @timeout@
+by default
+.Pc .
+Commands run via
+.Nm sudo
+with a different parent process ID, for example from a shell script,
+will be authenticated separately.
+.It tty
+One time stamp record is used for each terminal,
+which means that a user's login sessions are authenticated separately.
+If no terminal is present, the behavior is the same as
+.Em ppid .
+Commands run from the same terminal will not require a password for
+.Em timestamp_timeout
+minutes
+.Po
+.Li @timeout@
+by default
+.Pc .
+.El
+.Pp
+The default value is
+.Em @timestamp_type@ .
+.Pp
+This setting is only supported by version 1.8.21 or higher.
.It timestampdir
The directory in which
.Nm sudo
{ NULL, 0 },
};
+static struct def_values def_data_timestamp_type[] = {
+ { "global", global },
+ { "ppid", ppid },
+ { "tty", tty },
+ { NULL, 0 },
+};
+
struct sudo_defs_types sudo_defs_table[] = {
{
"syslog", T_LOGFAC|T_BOOL,
"syslog_pid", T_FLAG,
N_("Include the process ID when logging via syslog"),
NULL,
+ }, {
+ "timestamp_type", T_TUPLE,
+ N_("Type of authentication timestamp record: %s"),
+ def_data_timestamp_type,
}, {
NULL, 0, NULL
}
#define def_iolog_flush (sudo_defs_table[I_IOLOG_FLUSH].sd_un.flag)
#define I_SYSLOG_PID 109
#define def_syslog_pid (sudo_defs_table[I_SYSLOG_PID].sd_un.flag)
+#define I_TIMESTAMP_TYPE 110
+#define def_timestamp_type (sudo_defs_table[I_TIMESTAMP_TYPE].sd_un.tuple)
enum def_tuple {
never,
always,
any,
all,
- digest_only
+ digest_only,
+ global,
+ ppid,
+ tty
};
syslog_pid
T_FLAG
"Include the process ID when logging via syslog"
+timestamp_type
+ T_TUPLE
+ "Type of authentication timestamp record: %s"
+ global ppid tty
#ifdef SEND_MAIL_WHEN_NOT_OK
def_mail_no_perms = true;
#endif
-#ifndef NO_TTY_TICKETS
- def_tty_tickets = true;
-#endif
#ifndef NO_LECTURE
def_lecture = once;
#endif
#ifdef UMASK_OVERRIDE
def_umask_override = true;
#endif
+ def_timestamp_type = TIMESTAMP_TYPE;
if ((def_iolog_file = strdup("%{seq}")) == NULL)
goto oom;
if ((def_iolog_dir = strdup(_PATH_SUDO_IO_LOGDIR)) == NULL)
static char *find_editor(int nfiles, char **files, int *argc_out, char ***argv_out);
static bool cb_fqdn(const union sudo_defs_val *);
static bool cb_runas_default(const union sudo_defs_val *);
+static bool cb_tty_tickets(const union sudo_defs_val *);
static int set_cmnd(void);
static int create_admin_success_flag(void);
static bool init_vars(char * const *);
/* Set iolog_mode callback. */
sudo_defs_table[I_IOLOG_MODE].callback = cb_iolog_mode;
+ /* Set tty_tickets callback. */
+ sudo_defs_table[I_TTY_TICKETS].callback = cb_tty_tickets;
+
/* It is now safe to use log_warningx() and set_perms() */
if (unknown_user) {
log_warningx(SLOG_SEND_MAIL, N_("unknown uid: %u"),
debug_return_bool(true);
}
+/*
+ * Callback for runas_default sudoers setting.
+ */
+static bool
+cb_tty_tickets(const union sudo_defs_val *sd_un)
+{
+ debug_decl(cb_tty_tickets, SUDOERS_DEBUG_PLUGIN)
+
+ /* Convert tty_tickets -> timestamp_type */
+ if (sd_un->flag)
+ def_timestamp_type = tty;
+ else
+ def_timestamp_type = global;
+ debug_return_bool(true);
+}
+
/*
* Cleanup hook for sudo_fatal()/sudo_fatalx()
*/
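Review bot: The header comment on cb_tty_tickets says `Callback for runas_default sudoers setting.`, which looks copied from the neighbouring callback; it should read `* Callback for tty_tickets sudoers setting.`. The comment is also the place to record that the callback overwrites def_timestamp_type unconditionally. If a sudoers file sets both options, the result presumably depends on which is processed last, and `!tty_tickets` selects `global`, the widest credential-cache scope. How and when callbacks run is not visible in this hunk, so that ordering should be confirmed before it is documented.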
* based on auth user pw. Does not set the time stamp.
*/
static void
-ts_fill4(struct timestamp_entry *entry, struct passwd *pw, int flags, bool tty_tickets)
+ts_init_key(struct timestamp_entry *entry, struct passwd *pw, int flags,
+ enum def_tuple ticket_type)
{
struct stat sb;
- debug_decl(ts_fill4, SUDOERS_DEBUG_AUTH)
+ debug_decl(ts_init_key, SUDOERS_DEBUG_AUTH)
memset(entry, 0, sizeof(*entry));
entry->version = TS_VERSION;
entry->size = sizeof(*entry);
- entry->type = TS_GLOBAL; /* may be overriden below */
entry->flags = flags;
if (pw != NULL) {
entry->auth_uid = pw->pw_uid;
entry->flags |= TS_ANYUID;
}
entry->sid = user_sid;
- if (tty_tickets) {
+ switch (ticket_type) {
+ case tty:
if (user_ttypath != NULL && stat(user_ttypath, &sb) == 0) {
/* tty-based time stamp */
entry->type = TS_TTY;
entry->u.ttydev = sb.st_rdev;
- } else {
- /* ppid-based time stamp */
- entry->type = TS_PPID;
- entry->u.ppid = getppid();
+ break;
}
+ /* FALLTHROUGH */
+ case ppid:
+ /* ppid-based time stamp */
+ entry->type = TS_PPID;
+ entry->u.ppid = getppid();
+ break;
+ default:
+ /* global time stamp */
+ entry->type = TS_GLOBAL;
+ break;
}
debug_return;
}
static void
-ts_fill(struct timestamp_entry *entry, struct passwd *pw, int flags)
-{
- ts_fill4(entry, pw, flags, def_tty_tickets);
-}
-
-static void
-ts_fill_tty(struct timestamp_entry *entry, struct passwd *pw, int flags)
+ts_init_key_nonglobal(struct timestamp_entry *entry, struct passwd *pw, int flags)
{
- ts_fill4(entry, pw, flags, true);
+ /*
+ * Even if the timestamp type is global we still want to do per-tty
+ * or per-ppid locking so sudo works predictably in a pipeline.
+ */
+ ts_init_key(entry, pw, flags,
+ def_timestamp_type != global ? def_timestamp_type : tty);
}
/*
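Review bot: In ts_init_key the `default:` arm of the switch maps every value other than `tty` and `ppid` to TS_GLOBAL, and enum def_tuple is shared with unrelated settings (`never`, `always`, `any`, `all`, `digest_only`). An unexpected value would therefore select the least restrictive record type. Naming the arm explicitly as `case global:` and moving `default:` next to `case tty:` would make an out-of-range value fall back to per-terminal (or per-ppid) records instead of a single shared one.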
debug_return_bool(false);
}
- /* Search for a tty-based record or append a new one. */
+ /* Search for a tty/ppid-based record or append a new one. */
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
- "searching for tty time stamp record");
- ts_fill_tty(&cookie->key, pw, TS_DISABLED);
+ "searching for %s time stamp record",
+ def_timestamp_type == ppid ? "ppid" : "tty");
+ ts_init_key_nonglobal(&cookie->key, pw, TS_DISABLED);
if (ts_find_record(cookie->fd, &cookie->key, &entry)) {
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
- "found existing tty time stamp record");
+ "found existing %s time stamp record",
+ def_timestamp_type == ppid ? "ppid" : "tty");
lock_pos = lseek(cookie->fd, 0, SEEK_CUR) - (off_t)entry.size;
} else {
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
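Review bot: The debug messages in this hunk pick their label with `def_timestamp_type == ppid ? "ppid" : "tty"`, but ts_init_key falls through to a TS_PPID record when the type is `tty` and the terminal cannot be stat'ed. The log can then say "tty" while a ppid record is being searched and locked, which is misleading when these traces are used to reconstruct why a password prompt was or was not skipped. For messages emitted after ts_init_key_nonglobal() the label can come from the key itself, `cookie->key.type == TS_PPID ? "ppid" : "tty"`; the "searching for" message would need to move below that call. The same expression is used for the "time stamp position" message in the next hunk, and the enclosing function starts and ends outside this hunk.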
debug_return_bool(false);
}
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
- "tty time stamp position is %lld", (long long)lock_pos);
+ "%s time stamp position is %lld",
+ def_timestamp_type == ppid ? "ppid" : "tty", (long long)lock_pos);
- if (def_tty_tickets) {
- /* For tty tickets the tty lock is the same as the record lock. */
- cookie->pos = lock_pos;
- cookie->locked = true;
- } else {
+ if (def_timestamp_type == global) {
/*
- * For non-tty tickets we use a separate record lock that we
+ * For global tickets we use a separate record lock that we
* cannot hold long-term since it is shared between all ttys.
*/
cookie->locked = false;
- cookie->key.type = TS_GLOBAL; /* find a non-tty record */
+ cookie->key.type = TS_GLOBAL; /* find a global record */
if (lseek(cookie->fd, 0, SEEK_SET) == -1) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO|SUDO_DEBUG_LINENO,
if (ts_write(cookie->fd, cookie->fname, &cookie->key, -1) == -1)
debug_return_bool(false);
}
+ } else {
+ /* For tty/ppid tickets the tty lock is the same as the record lock. */
+ cookie->pos = lock_pos;
+ cookie->locked = true;
}
/* Unlock the TS_LOCKEXCL record. */
/*
* Find matching entries and invalidate them.
*/
- ts_fill(&key, NULL, 0);
+ ts_init_key(&key, NULL, 0, def_timestamp_type);
while (ts_find_record(fd, &key, &entry)) {
/* Back up and disable the entry. */
if (!ISSET(entry.flags, TS_DISABLED)) {