Bug 225265

Summary: Lack of monotonic clock prolongs the default sudo 5 minutes password caching as long as suspend lasts
Product: Base System
Reporter: Schultz <postutdelning>
Component: misc
Assignee: freebsd-bugs (Nobody) <bugs>
Status: New
Severity: Affects Only Me
CC: emaste
Priority: ---
Version: 11.1-RELEASE   
Hardware: amd64   
OS: Any   

Description Schultz 2018-01-17 16:32:52 UTC
The five-minute caching period of the password in sudo is prolonged when the laptop is suspended. For example: in the terminal I issue a command with sudo, I enter my password, one minute later I suspend the laptop, after one hour I resume and can still issue sudo commands without being asked for my password for the rest of the five minutes that remained from before suspending.

FreeBSD 11.1-RELEASE 64-bit
Laptop: Thinkpad x220

Sudo is used with defaults, except group wheel can issue any command.

Expected behaviour: The suspend time should count towards the caching period, or maybe even stop the caching of the password immediately.

Originally I reported the bug directly to the sudo Bugzilla:
https://bugzilla.sudo.ws/show_bug.cgi?id=779

But as can be seen in the comments, Todd C. Miller answered:

"FreeBSD doesn't appear to have a monotonic clock that runs while the machine is suspended.  The choice is between using a clock that can run backward, potentially defeating the point of the timestamp file, or one that cannot run backward but that is not incremented while suspended.

Currently, sudo uses the second option.  On most other systems, the monotonic clock either runs while suspended or an alternate clock is available which does.  I consider this a FreeBSD failing, rather than a sudo one."
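
The trade-off described in the quoted reply, as an added example that is not part of the original report and is not sudo's code: a constructed model of three clock kinds, with a five-minute ticket checked against each after the suspend scenario from the description and after a backward step of the settable clock. All names (`struct clocks`, `ticket_valid`, `verdicts`) and all clock values are hypothetical; no real clock is read.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (seconds); no real clock is read. */
struct clocks {
    long wall;      /* settable clock: can be stepped backward */
    long mono_run;  /* monotonic, not incremented while suspended */
    long mono_all;  /* monotonic, keeps counting across suspend */
};

enum { TIMEOUT = 5 * 60, WALL = 1, MONO_RUN = 2, MONO_ALL = 4 };

static void run_for(struct clocks *c, long s) { c->wall += s; c->mono_run += s; c->mono_all += s; }
static void suspend_for(struct clocks *c, long s) { c->wall += s; c->mono_all += s; }

/* Valid only while 0 <= now - stamp < TIMEOUT; stamps from the future are rejected. */
static bool ticket_valid(long stamp, long now) { return now >= stamp && now - stamp < TIMEOUT; }

/* Bitmask of the clocks under which the ticket stamped at t0 still validates. */
static int verdicts(const struct clocks *t0, const struct clocks *now)
{
    return (ticket_valid(t0->wall, now->wall) ? WALL : 0)
         | (ticket_valid(t0->mono_run, now->mono_run) ? MONO_RUN : 0)
         | (ticket_valid(t0->mono_all, now->mono_all) ? MONO_ALL : 0);
}

/* The report: authenticate, suspend one minute later for an hour, resume. */
int after_suspend(void)
{
    struct clocks c = { 1000000, 5000, 5000 }, t0 = c;
    run_for(&c, 60);
    suspend_for(&c, 3600);
    return verdicts(&t0, &c);   /* only the suspend-blind clock still accepts */
}

/* Ten awake minutes pass, then the settable clock is stepped back nine. */
int after_clock_step_back(void)
{
    struct clocks c = { 1000000, 5000, 5000 }, t0 = c;
    run_for(&c, 600);
    c.wall -= 540;
    return verdicts(&t0, &c);   /* only the settable clock still accepts */
}

int main(void)
{
    printf("after suspend: %d, after step back: %d\n", after_suspend(), after_clock_step_back());
    return 0;
}
```

Only the third clock kind, monotonic and counting across suspend, rejects the ticket in both scenarios.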