docs/man/sudoers.5.md
+7-7
@@ -16,7 +16,7 @@ The format used by sudo-rs is a subset of the one used by the sudo-project as ma
16
16
17
17
The sudoers security policy requires that most users authenticate themselves before they can use sudo. A password is not required if the invoking user is root, if the target user is the same as the invoking user, or if the policy has disabled authentication for the user or command. Unlike `su`, when `sudo-rs` requires authentication, it validates the invoking user's credentials, not the target user's (or root's) credentials. This can be changed via the *rootpw* flag, described later.
18
18
19
-
`sudo-rs` uses per-user time stamp files for credential caching. Once a user has been authenticated, a record is written containing the user-ID that was used to authenticate, the terminal session ID, the start time of the session leader (or parent process) and a time stamp (using a monotonic clock if one is available). The user may then use sudo without a password for a short period of time (15 minutes unless overridden by the timestamp_timeout option). By default, `sudo-rs` uses a separate record for each terminal, which means that a user's login sessions are authenticated separately. The timestamp_type option can be used to select the type of time stamp record sudoers will use.
19
+
`sudo-rs` uses per-user timestamp files for credential caching. Once a user has been authenticated, a record is written containing the user-ID that was used to authenticate, the terminal session ID, the start time of the session leader (or parent process) and a timestamp (using a monotonic clock if one is available). The user may then use sudo without a password for a short period of time (15 minutes unless overridden by the timestamp_timeout option). By default, `sudo-rs` uses a separate record for each terminal, which means that a user's login sessions are authenticated separately. The timestamp_type option can be used to select the type of timestamp record sudoers will use.
20
20
21
21
## Logging
22
22
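Review bot: the option names timestamp_timeout and timestamp_type in the rewritten paragraph are left as bare words while `sudo-rs` and `su` in the same paragraph are backtick-formatted; since the line is being rewritten anyway, marking them as `timestamp_timeout` and `timestamp_type` would keep the Markdown consistent and make it obvious that the new "timestamp" spelling matches the option names. The closing sentence still says "record sudoers will use" where the rest of the paragraph refers to `sudo-rs`; worth aligning in the same edit.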
@@ -368,7 +368,7 @@ sudo's behavior can be modified by Default_Entry lines, as explained earlier. A
368
368
369
369
* timestamp_timeout
370
370
371
-
Number of minutes that can elapse before sudo will ask for a passwd again. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 15. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's time stamp will not expire until the system is rebooted. This can be used to allow users to create or delete their own time stamps via “sudo -v” and “sudo -k” respectively.
371
+
Number of minutes that can elapse before sudo will ask for a passwd again. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 15. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will not expire until the system is rebooted. This can be used to allow users to create or delete their own timestamps via “sudo -v” and “sudo -k” respectively.
372
372
373
373
## Strings that can be used in a boolean context:
374
374
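Review bot: "ask for a passwd again" in the rewritten line uses "passwd" where the same paragraph later says "always prompt for a password"; since the line is already being touched, spelling it out as "password" is the natural fix. The quoted commands “sudo -v” and “sudo -k” use typographic quotes; backticks would match how `sudo-rs` is marked up elsewhere in this file.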
@@ -408,7 +408,7 @@ sudo-rs logs events via syslog(3).
408
408
409
409
/etc/sudoers List of who can run what (sudo-compatible)
410
410
411
-
/run/sudo/ts Directory containing time stamps for the sudoers security policy
411
+
/run/sudo/ts Directory containing timestamps for the sudoers security policy
412
412
413
413
## SECURITY NOTES
414
414
@@ -439,13 +439,13 @@ Once sudo executes a program, that program is free to do whatever it pleases, in
439
439
440
440
sudo-rs currently doesn't offer Todd Miller's sudo's protection mechanisms; i.e. be very careful that when a user is not supposed to receive shell access, that the commands that they have access to does not allow escaping to the shell.
441
441
442
-
### Time stamp file checks
442
+
### Timestamp file checks
443
443
444
-
sudo-rs will check the ownership of its time stamp directory (/run/sudo/ts by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than root.
444
+
sudo-rs will check the ownership of its timestamp directory (/run/sudo/ts by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than root.
445
445
446
-
While the time stamp directory should be cleared at reboot time, to avoid potential problems, sudo-rs will ignore time stamp files that date from before the machine booted on systems where the boot time is available.
446
+
While the timestamp directory should be cleared at reboot time, to avoid potential problems, sudo-rs will ignore timestamp files that date from before the machine booted on systems where the boot time is available.
447
447
448
-
Some systems with graphical desktop environments allow unprivileged users to change the system clock. Since sudo-rs relies on the system clock for time stamp validation, it may be possible on such systems for a user to run sudo for longer than *timestamp_timeout* by setting the clock back. To combat this, `sudo-rs` uses a monotonic clock (which never moves backwards) for its time stamps if the system supports it. sudo-rs will not honor time stamps set far in the future.
448
+
Some systems with graphical desktop environments allow unprivileged users to change the system clock. Since sudo-rs relies on the system clock for timestamp validation, it may be possible on such systems for a user to run sudo for longer than *timestamp_timeout* by setting the clock back. To combat this, `sudo-rs` uses a monotonic clock (which never moves backwards) for its timestamps if the system supports it. sudo-rs will not honor timestamps set far in the future.
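Review bot: renaming the heading "Time stamp file checks" to "Timestamp file checks" changes its generated anchor, so any link into this section (from other docs in this repository or from external pages) that targets the old heading slug will break; worth grepping for references to the old anchor before merging. The unchanged context line above the heading also carries a doubled "that" and a subject-verb mismatch ("that the commands that they have access to does not allow") that could be corrected in the same pass since this paragraph is already being edited.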