session from re-using the time stamp file.
Other minor cleanups.
The s\bsu\bud\bdo\boe\ber\brs\bs plugin uses per-user time stamp files for credential caching.
Once a user has been authenticated, they may use s\bsu\bud\bdo\bo without a password
for a short period of time (5 minutes unless overridden by the
- _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt option). s\bsu\bud\bdo\boe\ber\brs\bs uses a separate record for each
- terminal, which means that a user's login sessions are authenticated
- separately. The _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be option can be used to select the type of
- time stamp record s\bsu\bud\bdo\boe\ber\brs\bs will use.
+ _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt option). By default, s\bsu\bud\bdo\boe\ber\brs\bs uses a separate record
+ for each terminal, which means that a user's login sessions are
+ authenticated separately. The _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be option can be used to
+ select the type of time stamp record s\bsu\bud\bdo\boe\ber\brs\bs will use.
A multi-record time stamp file format was introduced in s\bsu\bud\bdo\bo 1.8.10 that
uses a single file per user. Previously, a separate file was used for
each user and terminal combination unless tty-based time stamps were
disabled. The new format is extensible and records of multiple types and
- versions may co-exist within the same file.
+ versions may coexist within the same file.
All records, regardless of type or version, begin with a 16-bit version
number and a 16-bit record size.
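Review bot: the new "By default," sentence in this hunk would be more useful if it named the default it refers to, because the sentence after it sends the reader to timestamp_type without saying which value gives per-terminal records; suggest "By default (timestamp_type=tty), sudoers uses a separate record for each terminal". The same wording change is repeated in the .man and .mdoc renderings below, so it should be made in all three.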
uid_t auth_uid; /* uid to authenticate as */
pid_t sid; /* session ID associated with tty/ppid */
struct timespec start_time; /* session/ppid start time */
- struct timespec ts; /* timestamp (CLOCK_MONOTONIC) */
+ struct timespec ts; /* time stamp (CLOCK_MONOTONIC) */
union {
dev_t ttydev; /* tty device number */
pid_t ppid; /* parent pid */
prevent re-use of the time stamp file after logout.
1.8.6p7
- The terminal session ID was added to tty-based time stamp files.
- This helped prevent re-use of the time stamp file on systems where
- the terminal device's inode change time was updated by writing.
+ The terminal session ID was added to tty-based time stamp files to
+ prevent re-use of the time stamp by the same user in a different
+ terminal session. It also helped prevent re-use of the time stamp
+ file on systems where the terminal device's inode change time was
+ updated by writing.
1.8.10
A new, multi-record time stamp file format was introduced that uses
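Review bot: "by the same user in a different terminal session" in the rewritten 1.8.6p7 entry is easy to misread as "on a different terminal", which the per-tty record already prevented before 1.8.6p7. The session ID ties the record to the login session that owns the tty, so the case it closes is a later login session on the same terminal device (same ttydev, new sid); suggest "in a later login session on the same terminal". The same text appears in the .man and .mdoc hunks for this entry.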
1.8.15
Individual records are locked in the time stamp file instead of the
- entire file.
+ entire file and the lock is held until authentication is complete.
1.8.22
The start time of the terminal session leader or parent process is
now stored in non-global time stamp records. This prevents re-use
of the time stamp file after logout in most cases.
+ Support was added for the kernel-based tty time stamps available in
+ OpenBSD which do not use an on-disk time stamp file.
+
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
sudoers(4), sudo(1m)
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.22 December 19, 2017 Sudo 1.8.22
+Sudo 1.8.22 December 21, 2017 Sudo 1.8.22
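Review bot: the 1.8.15 entry now says the record lock is held until authentication is complete but not what that buys; one sentence on the effect (concurrent sudo processes in the same session serialize on the record, so only the first prompts for a password and the rest see the updated record once the lock is released) would make the security relevance clear. In the new 1.8.22 paragraph, "OpenBSD which do not use" needs a comma before "which", and since everything above this section documents the on-disk record format, it is worth stating that the format does not apply when the kernel-based tty time stamps are in use and whether the timestamp_type option still has any effect in that mode. The date bump to December 21, 2017 is consistent with the .TH and .Dd changes in the other two renderings.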
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.TH "SUDOERS_TIMESTAMP" "5" "December 19, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS_TIMESTAMP" "5" "December 21, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fItimestamp_timeout\fR
option)
\&.
+By default,
\fBsudoers\fR
uses a separate record for each terminal, which means that
a user's login sessions are authenticated separately.
Previously, a separate file was used for each user and terminal
combination unless tty-based time stamps were disabled. The new
format is extensible and records of multiple types and versions may
-co-exist within the same file.
+coexist within the same file.
.PP
All records, regardless of type or version, begin with a 16-bit version
number and a 16-bit record size.
uid_t auth_uid; /* uid to authenticate as */
pid_t sid; /* session ID associated with tty/ppid */
struct timespec start_time; /* session/ppid start time */
- struct timespec ts; /* timestamp (CLOCK_MONOTONIC) */
+ struct timespec ts; /* time stamp (CLOCK_MONOTONIC) */
union {
dev_t ttydev; /* tty device number */
pid_t ppid; /* parent pid */
This helped prevent re-use of the time stamp file after logout.
.TP 6n
1.8.6p7
-The terminal session ID was added to tty-based time stamp files.
-This helped prevent re-use of the time stamp file on systems where
+The terminal session ID was added to tty-based time stamp files to
+prevent re-use of the time stamp by the same user in a different
+terminal session.
+It also helped prevent re-use of the time stamp file on systems where
the terminal device's inode change time was updated by writing.
.TP 6n
1.8.10
.TP 6n
1.8.15
Individual records are locked in the time stamp file instead of the
-entire file.
+entire file and the lock is held until authentication is complete.
.TP 6n
1.8.22
The start time of the terminal session leader or parent process is
now stored in non-global time stamp records.
This prevents re-use of the time stamp file after logout in most cases.
+.sp
+Support was added for the kernel-based tty time stamps available in
+OpenBSD which do not use an on-disk time stamp file.
.SH "SEE ALSO"
sudoers(@mansectform@),
sudo(@mansectsu@)
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd December 19, 2017
+.Dd December 21, 2017
.Dt SUDOERS_TIMESTAMP @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Em timestamp_timeout
option
.Pc .
+By default,
.Nm sudoers
uses a separate record for each terminal, which means that
a user's login sessions are authenticated separately.
Previously, a separate file was used for each user and terminal
combination unless tty-based time stamps were disabled. The new
format is extensible and records of multiple types and versions may
-co-exist within the same file.
+coexist within the same file.
.Pp
All records, regardless of type or version, begin with a 16-bit version
number and a 16-bit record size.
uid_t auth_uid; /* uid to authenticate as */
pid_t sid; /* session ID associated with tty/ppid */
struct timespec start_time; /* session/ppid start time */
- struct timespec ts; /* timestamp (CLOCK_MONOTONIC) */
+ struct timespec ts; /* time stamp (CLOCK_MONOTONIC) */
union {
dev_t ttydev; /* tty device number */
pid_t ppid; /* parent pid */
where it was not updated when the device was written to, the inode change time.
This helped prevent re-use of the time stamp file after logout.
.It 1.8.6p7
-The terminal session ID was added to tty-based time stamp files.
-This helped prevent re-use of the time stamp file on systems where
+The terminal session ID was added to tty-based time stamp files to
+prevent re-use of the time stamp by the same user in a different
+terminal session.
+It also helped prevent re-use of the time stamp file on systems where
the terminal device's inode change time was updated by writing.
.It 1.8.10
A new, multi-record time stamp file format was introduced that uses a
as required by POSIX.
.It 1.8.15
Individual records are locked in the time stamp file instead of the
-entire file.
+entire file and the lock is held until authentication is complete.
.It 1.8.22
The start time of the terminal session leader or parent process is
now stored in non-global time stamp records.
This prevents re-use of the time stamp file after logout in most cases.
+.Pp
+Support was added for the kernel-based tty time stamps available in
+OpenBSD which do not use an on-disk time stamp file.
.El
.Sh SEE ALSO
.Xr sudoers @mansectform@ ,