Bug 1003189 - sudo: RFE: tie identification and expiration to logind session, not tty
Status: NEW
Product: Fedora
Classification: Fedora
Component: sudo
Version: rawhide
Assigned To: Radovan Sroka
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature, Triaged
Reported: 2013-08-31 12:23 EDT by Zbigniew Jędrzejewski-Szmek
Modified: 2017-03-31 08:38 EDT
Type: Bug
Description Zbigniew Jędrzejewski-Szmek 2013-08-31 12:23:28 EDT
Description of problem:
If I have two terminal emulators open, in the same X instance, sudo will ask for each password separately. If sudo could somehow know that this is the same session (in the X sense, and in the systemd-logind sense), that would be great.
Security wouldn't be diminished, because if somebody/something can write to one pty, it can write to the other one just as well.

Also, sudo should expire the authentication tickets based on the logind session inactivity, as exposed by the IdleHintSince property of session objects
(see Session Objects in http://www.freedesktop.org/wiki/Software/systemd/logind/). If I'm reading documentation in one window, and "confirm" my presence by scrolling every few minutes, then the sudo session in one of the windows would not expire.

Those two changes would improve administrators' experience with more complicated tasks when multiple windows are open. I hope that the logind1 dbus api is sufficient. If not, then we can certainly extend it so that it suffices for this use case, because certainly other similar ones will appear.

Version-Release number of selected component (if applicable):
sudo-1.8.6p7-1.fc19.armv7hl
Comment 1 Radovan Sroka 2016-07-27 07:18:26 EDT
I'm not sure what you really want.

Try to disable tty_tickets in sudoers, I think it would be sufficient.
Comment 2 Zbigniew Jędrzejewski-Szmek 2016-07-27 08:47:55 EDT
With tty_tickets disabled, I'd get a single ticket per user, which is too broad. With tty_tickets enabled, I get asked for a password in every tab of gnome-terminal, which gives me no additional security but is annoying. I guess that despite the name it's asking once per pty.

I'm asking for the sudo authentication to be tied to an actual login session, as registered by logind. In that case I'd get separate authentication for logins on different physical seats and kernel ttys, much more meaningful.
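As an added example (not code from sudo or from anyone in this thread), here is a sketch of the policy requested in the description and in comment 2: the ticket is keyed by the logind session rather than the pty, and expires once that session has been idle for the timeout. The `current_session` helper, `ticket_valid` and `TIMESTAMP_TIMEOUT_S` are assumptions of this sketch; `loginctl show-session` and the `Id`, `IdleHint` and `IdleSinceHint` property names are logind's.

```python
import os
import subprocess
from dataclasses import dataclass
from typing import Optional

TIMESTAMP_TIMEOUT_S = 5 * 60  # assumed: sudo's default timestamp_timeout


@dataclass
class SessionInfo:
    session_id: str       # logind Session property "Id"
    idle_hint: bool       # logind Session property "IdleHint"
    idle_since_usec: int  # "IdleSinceHint": CLOCK_REALTIME usec of last idle-hint change


def parse_loginctl(output: str) -> SessionInfo:
    """Parse the key=value lines printed by `loginctl show-session <ID>`."""
    kv = dict(line.split("=", 1) for line in output.splitlines() if "=" in line)
    return SessionInfo(kv["Id"], kv["IdleHint"] == "yes", int(kv["IdleSinceHint"]))


def current_session() -> Optional[SessionInfo]:
    """Ask logind about the caller's own session (None if logind is unavailable).
    Hypothetical helper: sudo itself would use sd_pid_get_session() or D-Bus."""
    sid = os.environ.get("XDG_SESSION_ID")
    if not sid:
        return None
    try:
        out = subprocess.run(["loginctl", "show-session", sid],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_loginctl(out)


def ticket_valid(ticket_session: str, now_usec: int, sess: SessionInfo) -> bool:
    """Honour a ticket only inside the logind session that created it, and only
    until that session has been idle for timestamp_timeout."""
    if ticket_session != sess.session_id:
        return False  # another seat, kernel tty or login: re-authenticate
    idle_for = now_usec - sess.idle_since_usec
    if sess.idle_hint and idle_for >= TIMESTAMP_TIMEOUT_S * 1_000_000:
        return False  # user has been away from this whole session too long
    return True  # activity anywhere in the session keeps the ticket alive


# Constructed sample of `loginctl show-session` output, not a real capture.
SAMPLE_LOGINCTL = "Id=3\nUser=1000\nTTY=tty2\nIdleHint=yes\nIdleSinceHint=1700000000000000\n"
```

Two gnome-terminal tabs in one X login share a session Id and therefore one ticket, while a login on another seat or kernel tty gets a different Id and must authenticate again.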
