Bug 225265 - Lack of monotonic clock prolongs the default sudo 5 minutes password caching as long as suspend lasts
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: misc
Version: 11.1-RELEASE
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs mailing list
Reported: 2018-01-17 16:32 UTC by Schultz
Modified: 2018-01-20 00:26 UTC
Description Schultz 2018-01-17 16:32:52 UTC
The five minute caching period of the password in sudo is prolonged when the laptop is suspended. For example: In the terminal I issue a command with sudo, I enter my password, one minute later I suspend the laptop, after one hour I resume and still can issue sudo commands without being asked for my password for the rest of the five minutes that remained from before suspending.

FreeBSD 11.1-RELEASE 64bit
Laptop: Thinkpad x220

Sudo is used with defaults, except group wheel can issue any command.

Expected behaviour: The suspend-time should count for the caching period or maybe even stop the caching of the password immediately.

Originally I have reported a bug directly to the sudo bugzilla:
https://bugzilla.sudo.ws/show_bug.cgi?id=779

But as can be seen in the comments Todd C. Miller answered:

"FreeBSD doesn't appear to have a monotonic clock that runs while the machine is suspended.  The choice is between using a clock that can run backward, potentially defeating the point of the timestamp file, or one that cannot run backward but that is not incremented while suspended.

Currently, sudo uses the second option.  On most other systems, the monotonic clock either runs while suspended or an alternate clock is available which does.  I consider this a FreeBSD failing, rather than a sudo one."
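
The trade-off in the quoted reply, as an added example that is not part of the original report and is not sudo's code: a small C model of a five-minute credential timestamp checked against three kinds of clock. The event lists, the clock names and the assumption that the wall clock advances across suspend are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the trade-off, not sudo's implementation. */
enum clock_kind { WALL, MONO_NO_SUSPEND, MONO_WITH_SUSPEND };
enum ev_kind { EV_RUN, EV_SUSPEND, EV_SET_BACK };
struct event { enum ev_kind kind; long secs; };

#define TIMEOUT 300 /* five-minute caching period from the report */

/* Reading of clock `c` after the events; 0 is the moment the password was accepted. */
long clock_after(enum clock_kind c, const struct event *ev, int n) {
    long t = 0;
    for (int i = 0; i < n; i++) {
        if (ev[i].kind == EV_RUN)
            t += ev[i].secs;                       /* every clock ticks while awake */
        else if (ev[i].kind == EV_SUSPEND && c != MONO_NO_SUSPEND)
            t += ev[i].secs;                       /* this clock keeps counting in suspend */
        else if (ev[i].kind == EV_SET_BACK && c == WALL)
            t -= ev[i].secs;                       /* only the wall clock can be set back */
    }
    return t;
}

/* The cached credential is honoured only while 0 <= elapsed < TIMEOUT. */
bool ticket_valid(enum clock_kind c, const struct event *ev, int n) {
    long elapsed = clock_after(c, ev, n);
    return elapsed >= 0 && elapsed < TIMEOUT;
}

/* Scenario from the report: 1 min awake, 1 h suspended, 10 s awake. */
static const struct event suspend_case[] = {
    { EV_RUN, 60 }, { EV_SUSPEND, 3600 }, { EV_RUN, 10 } };
/* Constructed scenario: the ticket expires, then the wall clock is set back. */
static const struct event setback_case[] = {
    { EV_RUN, 600 }, { EV_SET_BACK, 500 } };

int main(void) {
    static const char *name[] = {
        "wall", "mono (stops in suspend)", "mono (runs in suspend)" };
    for (int c = WALL; c <= MONO_WITH_SUSPEND; c++)
        printf("%-24s suspend: %-7s set-back: %s\n", name[c],
               ticket_valid(c, suspend_case, 3) ? "valid" : "expired",
               ticket_valid(c, setback_case, 2) ? "valid" : "expired");
    return 0;
}
```

Only the monotonic clock that keeps counting during suspend expires the ticket in both scenarios.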