Bug 1003189 - sudo: RFE: tie identification and expiration to logind session, not tty
Summary: sudo: RFE: tie identification and expiration to logind session, not tty
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: sudo
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Radovan Sroka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-08-31 16:23 UTC by Zbigniew Jędrzejewski-Szmek
Modified: 2019-09-05 13:12 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-09-05 13:12:57 UTC
Type: Bug
Embargoed:



Description Zbigniew Jędrzejewski-Szmek 2013-08-31 16:23:28 UTC
Description of problem:
If I have two terminal emulators open, in the same X instance, sudo will ask for each password separately. If sudo could somehow know that this is the same session (in the X sense, and in the systemd-logind sense), that would be great.
Security wouldn't be diminished, because if somebody/something can write to one pty, it can write to the other one just as well.

Also, sudo should expire the authentication tickets based on the logind session inactivity, as exposed by the IdleHintSince property of session objects
(see Session Objects in http://www.freedesktop.org/wiki/Software/systemd/logind/). If I'm reading documentation in one window, and "confirm" my presence by scrolling every few minutes, then the sudo session in one of the windows would not expire.

Those two changes would improve the administrator's experience with more complicated tasks when multiple windows are open. I hope that the logind1 dbus api is sufficient. If not, then we can certainly extend it so that it suffices for this use case, because certainly other similar ones will appear.

Version-Release number of selected component (if applicable):
sudo-1.8.6p7-1.fc19.armv7hl
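
An added illustration (not sudo's or systemd's code) of the policy proposed in this report: a ticket keyed on the logind session instead of the pty, and expired from the session's idle hint. It assumes the key=value output of `loginctl show-session` (the `IdleHint` and `IdleSinceHint` properties, the latter in microseconds since the epoch), uses a constructed sample of that output, and all function names are hypothetical.

```python
import os
import subprocess

# Constructed sample of `loginctl show-session 2` output, not a real capture.
SAMPLE_SESSION = """Id=2
User=1000
Seat=seat0
TTY=tty2
IdleHint=yes
IdleSinceHint=1567688000000000
"""

def parse_show_session(text):
    """Parse loginctl's key=value lines into a dict of string properties."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def fetch_session_props(session_id):
    """Query logind for a live session (not exercised by the sample below)."""
    out = subprocess.run(["loginctl", "show-session", session_id],
                         capture_output=True, text=True, check=True).stdout
    return parse_show_session(out)

def current_session_id():
    """pam_systemd exports the logind session of the login as XDG_SESSION_ID."""
    return os.environ.get("XDG_SESSION_ID")

def ticket_valid(ticket, props, now_usec, timeout_usec, max_idle_usec):
    """Decide whether a ticket {'session': id, 'issued': usec} still applies.

    The scope is the logind session, so two ptys in one session share a
    ticket, while a different seat or kernel tty (a different session) does
    not. Lifetime follows timestamp_timeout; additionally the ticket lapses
    once logind reports the session idle for longer than max_idle_usec.
    """
    if ticket["session"] != props.get("Id"):
        return False                      # request comes from another session
    if now_usec - ticket["issued"] > timeout_usec:
        return False                      # ordinary lifetime exceeded
    if props.get("IdleHint") == "yes":
        idle_since = int(props.get("IdleSinceHint", "0") or 0)
        if idle_since and now_usec - idle_since > max_idle_usec:
            return False                  # user has been away from the session
    return True
```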

Comment 1 Radovan Sroka 2016-07-27 11:18:26 UTC
I'm not sure what you really want.

Try to disable tty_tickets in sudoers, I think it would be sufficient.

Comment 2 Zbigniew Jędrzejewski-Szmek 2016-07-27 12:47:55 UTC
With tty_tickets disabled, I'd get a single ticket per user, which is too broad. With tty_tickets enabled, I get asked for a password in every tab of gnome-terminal, which gives me no additional security but is annoying. I guess that despite the name it's asking once per pty.

I'm asking for the sudo authentication to be tied to an actual login session, as registered by logind. In that case I'd get separate authentication for logins on different physical seats and kernel ttys, much more meaningful.

Comment 3 Radovan Sroka 2019-09-05 13:12:57 UTC
If you really want this feature, propose the ticket on upstream bugzilla https://bugzilla.sudo.ws/index.cgi.

As a part of cleanup I'm closing this bugzilla.

