From 740a4798067408909907d13e955c93110a1e0f20 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 21 Dec 2017 14:37:13 -0700
Subject: [PATCH] The session ID was added in 1.8.6p7 to prevent a user in another session from re-using the time stamp file. Other minor cleanups.
---
 doc/sudoers_timestamp.cat | 27 ++++++++++++++++-----------
 doc/sudoers_timestamp.man.in | 18 ++++++++++++------
 doc/sudoers_timestamp.mdoc.in | 18 ++++++++++++------
 3 files changed, 40 insertions(+), 23 deletions(-)
diff --git a/doc/sudoers_timestamp.cat b/doc/sudoers_timestamp.cat
index 6189f5e04..fd1347c0d 100644
--- a/doc/sudoers_timestamp.cat
+++ b/doc/sudoers_timestamp.cat
@@ -7,16 +7,16 @@ DDEESSCCRRIIPPTTIIOONN
 The ssuuddooeerrss plugin uses per-user time stamp files for credential caching. Once a user has been authenticated, they may use ssuuddoo without a password for a short period of time (5 minutes unless overridden by the
- _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t option). ssuuddooeerrss uses a separate record for each
- terminal, which means that a user's login sessions are authenticated
- separately. The _t_i_m_e_s_t_a_m_p___t_y_p_e option can be used to select the type of
- time stamp record ssuuddooeerrss will use.
+ _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t option). By default, ssuuddooeerrss uses a separate record
+ for each terminal, which means that a user's login sessions are
+ authenticated separately. The _t_i_m_e_s_t_a_m_p___t_y_p_e option can be used to
+ select the type of time stamp record ssuuddooeerrss will use.
 A multi-record time stamp file format was introduced in ssuuddoo 1.8.10 that uses a single file per user. Previously, a separate file was used for each user and terminal combination unless tty-based time stamps were disabled. The new format is extensible and records of multiple types and
- versions may co-exist within the same file.
+ versions may coexist within the same file.
 All records, regardless of type or version, begin with a 16-bit version number and a 16-bit record size.
@@ -41,7 +41,7 @@ DDEESSCCRRIIPPTTIIOONN
 uid_t auth_uid; /* uid to authenticate as */
 pid_t sid; /* session ID associated with tty/ppid */
 struct timespec start_time; /* session/ppid start time */
- struct timespec ts; /* timestamp (CLOCK_MONOTONIC) */
+ struct timespec ts; /* time stamp (CLOCK_MONOTONIC) */
 union {
 dev_t ttydev; /* tty device number */
 pid_t ppid; /* parent pid */
@@ -145,9 +145,11 @@ HHIISSTTOORRYY
 prevent re-use of the time stamp file after logout.
 1.8.6p7
- The terminal session ID was added to tty-based time stamp files.
- This helped prevent re-use of the time stamp file on systems where
- the terminal device's inode change time was updated by writing.
+ The terminal session ID was added to tty-based time stamp files to
+ prevent re-use of the time stamp by the same user in a different
+ terminal session. It also helped prevent re-use of the time stamp
+ file on systems where the terminal device's inode change time was
+ updated by writing.
 1.8.10
 A new, multi-record time stamp file format was introduced that uses
@@ -157,13 +159,16 @@ HHIISSTTOORRYY
 1.8.15
 Individual records are locked in the time stamp file instead of the
- entire file.
+ entire file and the lock is held until authentication is complete.
 1.8.22
 The start time of the terminal session leader or parent process is now stored in non-global time stamp records. This prevents re-use of the time stamp file after logout in most cases.
+ Support was added for the kernel-based tty time stamps available in
+ OpenBSD which do not use an on-disk time stamp file.
+
 SSEEEE AALLSSOO
 sudoers(4), sudo(1m)
@@ -193,4 +198,4 @@ DDIISSCCLLAAIIMMEERR
 file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details.
-Sudo 1.8.22 December 19, 2017 Sudo 1.8.22
+Sudo 1.8.22 December 21, 2017 Sudo 1.8.22
diff --git a/doc/sudoers_timestamp.man.in b/doc/sudoers_timestamp.man.in
index ca1005e07..a7ea40ec5 100644
--- a/doc/sudoers_timestamp.man.in
+++ b/doc/sudoers_timestamp.man.in
@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "SUDOERS_TIMESTAMP" "5" "December 19, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS_TIMESTAMP" "5" "December 21, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -34,6 +34,7 @@ minutes unless overridden by the
 \fItimestamp_timeout\fR
 option)
 \&.
+By default,
 \fBsudoers\fR
 uses a separate record for each terminal, which means that a user's login sessions are authenticated separately.
@@ -49,7 +50,7 @@ A multi-record time stamp file format was introduced in
 Previously, a separate file was used for each user and terminal combination unless tty-based time stamps were disabled. The new format is extensible and records of multiple types and versions may
-co-exist within the same file.
+coexist within the same file.
 .PP
 All records, regardless of type or version, begin with a 16-bit version number and a 16-bit record size.
@@ -76,7 +77,7 @@ struct timestamp_entry {
 uid_t auth_uid; /* uid to authenticate as */
 pid_t sid; /* session ID associated with tty/ppid */
 struct timespec start_time; /* session/ppid start time */
- struct timespec ts; /* timestamp (CLOCK_MONOTONIC) */
+ struct timespec ts; /* time stamp (CLOCK_MONOTONIC) */
 union {
 dev_t ttydev; /* tty device number */
 pid_t ppid; /* parent pid */
@@ -249,8 +250,10 @@ where it was not updated when the device was written to, the inode
 change time. This helped prevent re-use of the time stamp file after logout.
 .TP 6n
 1.8.6p7
-The terminal session ID was added to tty-based time stamp files.
-This helped prevent re-use of the time stamp file on systems where
+The terminal session ID was added to tty-based time stamp files to
+prevent re-use of the time stamp by the same user in a different
+terminal session.
+It also helped prevent re-use of the time stamp file on systems where
 the terminal device's inode change time was updated by writing.
 .TP 6n
 1.8.10
@@ -262,12 +265,15 @@ as required by POSIX.
 .TP 6n
 1.8.15
 Individual records are locked in the time stamp file instead of the
-entire file.
+entire file and the lock is held until authentication is complete.
 .TP 6n
 1.8.22
 The start time of the terminal session leader or parent process is now stored in non-global time stamp records. This prevents re-use of the time stamp file after logout in most cases.
+.sp
+Support was added for the kernel-based tty time stamps available in
+OpenBSD which do not use an on-disk time stamp file.
 .SH "SEE ALSO"
 sudoers(@mansectform@), sudo(@mansectsu@)
diff --git a/doc/sudoers_timestamp.mdoc.in b/doc/sudoers_timestamp.mdoc.in
index e2f0d076e..1da8471c9 100644
--- a/doc/sudoers_timestamp.mdoc.in
+++ b/doc/sudoers_timestamp.mdoc.in
@@ -14,7 +14,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 19, 2017
+.Dd December 21, 2017
 .Dt SUDOERS_TIMESTAMP @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -33,6 +33,7 @@ minutes unless overridden by the
 .Em timestamp_timeout
 option
 .Pc .
+By default,
 .Nm sudoers
 uses a separate record for each terminal, which means that a user's login sessions are authenticated separately.
@@ -48,7 +49,7 @@ A multi-record time stamp file format was introduced in
 Previously, a separate file was used for each user and terminal combination unless tty-based time stamps were disabled. The new format is extensible and records of multiple types and versions may
-co-exist within the same file.
+coexist within the same file.
 .Pp
 All records, regardless of type or version, begin with a 16-bit version number and a 16-bit record size.
@@ -73,7 +74,7 @@ struct timestamp_entry {
 uid_t auth_uid; /* uid to authenticate as */
 pid_t sid; /* session ID associated with tty/ppid */
 struct timespec start_time; /* session/ppid start time */
- struct timespec ts; /* timestamp (CLOCK_MONOTONIC) */
+ struct timespec ts; /* time stamp (CLOCK_MONOTONIC) */
 union {
 dev_t ttydev; /* tty device number */
 pid_t ppid; /* parent pid */
@@ -229,8 +230,10 @@ This included the terminal device numbers, inode number and, on systems
 where it was not updated when the device was written to, the inode change time. This helped prevent re-use of the time stamp file after logout.
 .It 1.8.6p7
-The terminal session ID was added to tty-based time stamp files.
-This helped prevent re-use of the time stamp file on systems where
+The terminal session ID was added to tty-based time stamp files to
+prevent re-use of the time stamp by the same user in a different
+terminal session.
+It also helped prevent re-use of the time stamp file on systems where
 the terminal device's inode change time was updated by writing.
 .It 1.8.10
 A new, multi-record time stamp file format was introduced that uses a
@@ -240,11 +243,14 @@ systems now update the change time after a write is performed
 as required by POSIX.
 .It 1.8.15
 Individual records are locked in the time stamp file instead of the
-entire file.
+entire file and the lock is held until authentication is complete.
 .It 1.8.22
 The start time of the terminal session leader or parent process is now stored in non-global time stamp records. This prevents re-use of the time stamp file after logout in most cases.
+.Pp
+Support was added for the kernel-based tty time stamps available in
+OpenBSD which do not use an on-disk time stamp file.
 .El
 .Sh SEE ALSO
 .Xr sudoers @mansectform@ ,
-- 
2.40.0