NetBSD-Users archive
Re: recent strange sudo behavior, probably due to /dev/pts
On Fri, Nov 17, 2023 at 10:50:19AM -0500, Greg Troxel wrote:
> My system is netbsd-10. It was installed around 2003 and has been
> updated since then, both to each NetBSD stable branch, and to new disks
> usually via dump/restore and sometimes rsync. Other than the problem I
> am describing in this message, occasional hangs that I blame on ZFS, and
> X display glitches, it is working well.
>
> I have logged in to ttyE0, and ran "xinit .xsession" which starts xfce4
> and I am in an xterm with tmux.
>
> I had recently noticed that my system did not have /dev/pts, so I grabbed
> the line from /etc/fstab on a more recently-installed system. I then
> removed the /dev/ttyp* type entries. This messed up tmux but logging
> out and starting fresh was ok, and this was not surprising. Now the
> system is apparently ok except for sudo/pkgsrc.
>
> I have for a long time had in mk.conf:
>
> SU_CMD=sudo /bin/sh -c
>
> and "make replace" has invoked sudo, with sudo respecting the
> don't-ask-for-password timer as documented. Recently this stopped
> working.
>
> After a lot of investigating including writing a quick read/printf
> program to examine the sudo timestamp files, the problem appears to be
> that the timestamp records are "TS_PPID" rather than "TS_TTY". The
> parent is something deep in make, and thus different every time. So
> this is not really a pkgsrc issue.
>
> I have added:
> Defaults timestamp_type=tty
>
>
> Has anyone else seen sudo refusing to use tty as a timestamp type?
>
>
> sudoers(5) excerpt:
>
>   timestamp_type    sudoers uses per-user time stamp files for credential
>                     caching. The timestamp_type option can be used to
>                     specify the type of time stamp record used. It has the
>                     following possible values:
>
>                     global  A single time stamp record is used for all of a
>                             user's login sessions, regardless of the
>                             terminal or parent process ID. An additional
>                             record is used to serialize password prompts
>                             when sudo is used multiple times in a pipeline,
>                             but this does not affect authentication.
>
>                     ppid    A single time stamp record is used for all
>                             processes with the same parent process ID
>                             (usually the shell). Commands run from the
>                             same shell (or other common parent process)
>                             will not require a password for
>                             timestamp_timeout minutes (5 by default).
>                             Commands run via sudo with a different parent
>                             process ID, for example from a shell script,
>                             will be authenticated separately.
>
>                     tty     One time stamp record is used for each
>                             terminal, which means that a user's login
>                             sessions are authenticated separately. If no
>                             terminal is present, the behavior is the same
>                             as ppid. Commands run from the same terminal
>                             will not require a password for
>                             timestamp_timeout minutes (5 by default).

FWIW: In the "tty" entry there is: "If no terminal is present, the behavior
is the same as ppid." Could it be that the tmux instances are not
recognized as terminal / tty anymore?

In doc/CHANGES:

	tmux(1): Import version 3.3a [wiz 20230628]
--
Thierry Laronde <tlaronde +AT+ kergis +dot+ com>
http://www.kergis.com/
http://kertex.kergis.com/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89 250D 52B1 AE95 6006 F40C
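
The check described in the quoted message, seeing whether sudo writes TS_PPID or TS_TTY records, can be done with a small reader like the one below. It is an added example, not code from this thread or from sudo: the record layout and TS_* values are assumed to match sudo's plugins/sudoers/timestamp.h, the names `ts_entry` and `ts_walk` are hypothetical, and the time stamp file path is passed as an argument because the thread does not give it.

```c
/* Added example. Struct layout and TS_* values are assumed to match sudo's
 * plugins/sudoers/timestamp.h; build on the machine that wrote the file. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>
enum { TS_GLOBAL = 1, TS_TTY = 2, TS_PPID = 3, TS_LOCKEXCL = 4, TS_NTYPES = 5 };
static const char *ts_names[TS_NTYPES] =
    { "unknown", "TS_GLOBAL", "TS_TTY", "TS_PPID", "TS_LOCKEXCL" };
struct ts_entry {
    unsigned short version, size, type, flags;
    uid_t auth_uid;                  /* uid authenticated as */
    pid_t sid;                       /* session ID */
    struct timespec start_time, ts;  /* session/ppid start, time stamp */
    union { dev_t ttydev; pid_t ppid; } u;
};

/* Walk records by each record's own size field, count them per type (index
 * 0 = unknown), print each if out is non-NULL. Returns count, -1 if malformed. */
int ts_walk(const unsigned char *buf, size_t len, int counts[TS_NTYPES], FILE *out)
{
    int n = 0;
    memset(counts, 0, TS_NTYPES * sizeof(int));
    for (size_t off = 0; off < len; n++) {
        struct ts_entry e = {0};
        if (len - off < 8) return -1;
        memcpy(&e, buf + off, 8);    /* header: four unsigned shorts */
        if (e.size < 8 || e.size > len - off) return -1;
        memcpy(&e, buf + off, e.size < sizeof(e) ? e.size : sizeof(e));
        unsigned t = e.type < TS_NTYPES ? e.type : 0;
        counts[t]++;
        if (out != NULL)
            fprintf(out, "#%d %s sid=%ld ppid=%ld ttydev=%#llx\n", n, ts_names[t],
                    (long)e.sid, t == TS_PPID ? (long)e.u.ppid : -1L,
                    t == TS_TTY ? (unsigned long long)e.u.ttydev : 0ULL);
        off += e.size;
    }
    return n;
}

int main(int argc, char **argv)
{
    static unsigned char buf[65536];
    int counts[TS_NTYPES];
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (f == NULL) return 2;
    size_t len = fread(buf, 1, sizeof(buf), f);
    return ts_walk(buf, len, counts, stdout) < 0;
}
```

Run it as root against the user's time stamp file after a few sudo invocations from the same terminal: a new TS_PPID record with a different ppid each time matches the fallback the sudoers(5) excerpt describes for "no terminal is present".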