NetBSD-Users archive
recent strange sudo behavior, probably due to /dev/pts
My system is netbsd-10. It was installed around 2003 and has been
updated since then, both to each NetBSD stable branch, and to new disks
usually via dump/restore and sometimes rsync. Other than the problem I
am describing in this message, occasional hangs that I blame on ZFS, and
X display glitches, it is working well.

I have logged in to ttyE0, and ran "xinit .xsession" which starts xfce4
and I am in an xterm with tmux.

I had recently noticed that my system did not have /dev/pts, so I grabbed
the line from /etc/fstab on a more recently-installed system. I then
removed the /dev/ttyp* type entries. This messed up tmux but logging
out and starting fresh was ok, and this was not surprising. Now the
system is apparently ok except for sudo/pkgsrc.

I have for a long time had in mk.conf:

    SU_CMD=sudo /bin/sh -c

and "make replace" has invoked sudo, with sudo respecting the
don't-ask-for-password timer as documented. Recently this stopped
working.

After a lot of investigating including writing a quick read/printf
program to examine the sudo timestamp files, the problem appears to be
that the timestamp records are "TS_PPID" rather than "TS_TTY". The
parent is something deep in make, and thus different every time. So
this is not really a pkgsrc issue.

I have added:

    Defaults timestamp_type=tty

Has anyone else seen sudo refusing to use tty as a timestamp type?
sudoers(5) excerpt:

    timestamp_type  sudoers uses per-user time stamp files for credential
                    caching.  The timestamp_type option can be used to
                    specify the type of time stamp record used.  It has the
                    following possible values:

                    global  A single time stamp record is used for all of a
                            user's login sessions, regardless of the
                            terminal or parent process ID.  An additional
                            record is used to serialize password prompts
                            when sudo is used multiple times in a pipeline,
                            but this does not affect authentication.

                    ppid    A single time stamp record is used for all
                            processes with the same parent process ID
                            (usually the shell).  Commands run from the
                            same shell (or other common parent process)
                            will not require a password for
                            timestamp_timeout minutes (5 by default).
                            Commands run via sudo with a different parent
                            process ID, for example from a shell script,
                            will be authenticated separately.

                    tty     One time stamp record is used for each
                            terminal, which means that a user's login
                            sessions are authenticated separately.  If no
                            terminal is present, the behavior is the same
                            as ppid.  Commands run from the same terminal
                            will not require a password for
                            timestamp_timeout minutes (5 by default).

                    kernel  The time stamp is stored in the kernel as an
                            attribute of the terminal device.  If no
                            terminal is present, the behavior is the same
                            as ppid.  Negative timestamp_timeout values are
                            not supported and positive values are limited
                            to a maximum of 60 minutes.  This is currently
                            only supported on OpenBSD.

                    The default value is tty.

                    This setting is only supported by version 1.8.21 or
                    higher.
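The sudoers(5) text above says that with timestamp_type=tty sudo silently falls back to ppid records whenever it cannot resolve a terminal for the session, which is what the TS_PPID records in the post point at. The following diagnostic script is an added example, not part of the original message and not sudo's or NetBSD's own code; it checks the two preconditions a practitioner would want to confirm first: that /etc/fstab carries a ptyfs mount on /dev/pts (the fstab line the post refers to; the exact line used here is an assumed example) and that the current session actually has a resolvable terminal path according to tty(1). The fstab_has_ptyfs and expected_ts_type helper names are this example's own.

```shell
#!/bin/sh
# Added diagnostic for the sudo tty-vs-ppid timestamp question (example
# code, not from the post).  Assumptions: NetBSD-style fstab entry
# "ptyfs /dev/pts ptyfs rw 0 0", and tty(1) printing "not a tty" when the
# process has no controlling terminal.

# fstab_has_ptyfs FILE
# Exit 0 if FILE contains an uncommented ptyfs mount on /dev/pts.
fstab_has_ptyfs() {
    awk '$1 !~ /^#/ && $2 == "/dev/pts" && $3 == "ptyfs" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# expected_ts_type TTYNAME
# Print the timestamp record type sudo will effectively use under
# "Defaults timestamp_type=tty": "tty" when TTYNAME is a device path,
# otherwise "ppid" (the fallback sudoers(5) describes).
expected_ts_type() {
    case "$1" in
        ""|"not a tty") echo ppid ;;
        /dev/*)         echo tty ;;
        *)              echo ppid ;;
    esac
}

# report
# Run the checks against the live system and print a short summary.
# Nothing here fails the script; it only reports.
report() {
    if [ -r /etc/fstab ]; then
        if fstab_has_ptyfs /etc/fstab; then
            echo "fstab: ptyfs entry for /dev/pts present"
        else
            echo "fstab: no ptyfs entry for /dev/pts"
        fi
    else
        echo "fstab: /etc/fstab not readable, skipping"
    fi

    if [ -d /dev/pts ]; then
        echo "/dev/pts: directory exists"
    else
        echo "/dev/pts: missing (sudo cannot resolve pty names under it)"
    fi

    ttyname=$(tty 2>/dev/null || echo "not a tty")
    echo "tty(1) reports: $ttyname"
    echo "expected sudo timestamp record type: $(expected_ts_type "$ttyname")"
}

report
```

Run it from the same shell (or from inside the make that invokes sudo, via `SU_CMD`) to see whether the session sudo inherits still has a terminal; if tty(1) reports "not a tty" there, ppid records are the documented outcome regardless of the Defaults line.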