Bug 1003189

Summary: sudo: RFE: tie identification and expiration to logind session, not tty
Product: Fedora
Reporter: Zbigniew Jędrzejewski-Szmek <zbyszek>
Component: sudo
Assignee: Radovan Sroka <rsroka>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: kzak, rsroka
Keywords: FutureFeature, Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2019-09-05 13:12:57 UTC

Description Zbigniew Jędrzejewski-Szmek 2013-08-31 16:23:28 UTC
Description of problem:
If I have two terminal emulators open, in the same X instance, sudo will ask for each password separately. If sudo could somehow know that this is the same session (in the X sense, and in the systemd-logind sense), that would be great.
Security wouldn't be diminished, because if somebody/something can write to one pty, it can write to the other one just as well.

Also, sudo should expire the authentication tickets based on the logind session inactivity, as exposed by the IdleHintSince property of session objects
(see Session Objects in http://www.freedesktop.org/wiki/Software/systemd/logind/). If I'm reading documentation in one window, and "confirm" my presence by scrolling every few minutes, then the sudo session in one of the windows would not expire.

Those two changes would improve the administrator's experience with more complicated tasks when multiple windows are open. I hope that the logind1 dbus api is sufficient. If not, then we can certainly extend it so that it suffices for this use case, because certainly other similar ones will appear.

Version-Release number of selected component (if applicable):
sudo-1.8.6p7-1.fc19.armv7hl

Comment 1 Radovan Sroka 2016-07-27 11:18:26 UTC
I'm not sure what you really want.

Try to disable tty_tickets in sudoers, I think it would be sufficient.

Comment 2 Zbigniew Jędrzejewski-Szmek 2016-07-27 12:47:55 UTC
With tty_tickets disabled, I'd get a single ticket per user, which is too broad. With tty_tickets enabled, I get asked for a password in every tab of gnome-terminal, which gives me no additional security but is annoying. I guess that despite the name it's asking once per pty.

I'm asking for the sudo authentication to be tied to an actual login session, as registered by logind. In that case I'd get separate authentication for logins on different physical seats and kernel ttys, much more meaningful.
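The policy asked for in the description and sharpened in comment 2 (tickets bound to the logind session rather than the pty, expired on session inactivity), modelled as an added Python example that is not sudo's code. It assumes the session properties come from `loginctl show-session` (logind names the idle properties IdleHint and IdleSinceHintMonotonic) and uses an assumed 5-minute timeout; the sample output is constructed.

```python
# Added example, not sudo's code: a model of the ticket policy this bug asks
# for, keyed on the logind session instead of the tty and expired on the
# session's idle time. The loginctl output below is constructed.
from dataclasses import dataclass

TIMEOUT_S = 5 * 60  # assumed policy: same length as sudo's default timestamp_timeout

@dataclass(frozen=True)
class Ticket:
    uid: int
    session_id: str  # logind session Id the ticket was issued in

def parse_show_session(text: str) -> dict:
    """Parse the KEY=VALUE lines printed by `loginctl show-session <id>`."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def ticket_valid(ticket: Ticket, session: dict, uid: int, now_s: int) -> bool:
    """True if TICKET still covers a sudo call by UID from SESSION (props from
    parse_show_session); NOW_S is seconds on the monotonic clock."""
    # Another user, or another logind session (another seat, kernel tty or
    # ssh login), never matches, whatever pty the call comes from.
    if ticket.uid != uid or session.get("Id") != ticket.session_id:
        return False
    # A session that is closing or gone cannot carry a ticket.
    if session.get("State") not in ("active", "online"):
        return False
    # Expire on inactivity, not ticket age: while logind sees the session as
    # active (IdleHint=no) the ticket survives; once it has been idle for the
    # timeout it is gone. IdleSinceHintMonotonic is in microseconds.
    if session.get("IdleHint") == "yes":
        idle_since_s = int(session["IdleSinceHintMonotonic"]) // 1_000_000
        return now_s - idle_since_s < TIMEOUT_S
    return True

# Constructed sample: an X11 session that went idle at monotonic second 120.
SAMPLE_SESSION = """\
Id=2
User=1000
State=active
Type=x11
IdleHint=yes
IdleSinceHintMonotonic=120000000
"""
```

With the sample above, a ticket issued in session 2 is still honoured 80 seconds into the idle period and refused after 380 seconds, while a ticket from another session or another user is refused regardless of the pty.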

Comment 3 Radovan Sroka 2019-09-05 13:12:57 UTC
If you really want this feature, propose the ticket on the upstream bugzilla https://bugzilla.sudo.ws/index.cgi.

As a part of cleanup I'm closing this bugzilla.