#32: pam_timestamp: default TIMESTAMPDIR no longer matches sudo time stamp directory
---------------------+------------------------------
Reporter: thoger | Owner: pam-developers@…
Type: defect | Status: new
Priority: minor | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
---------------------+------------------------------
pam_timestamp defaults to using `/var/run/sudo` as its default time stamp
directory. This seems to be for compatibility with sudo. However, that
directory is no longer used by sudo as of version 1.7.4:
http://www.sudo.ws/repos/sudo/rev/8c9440423d98
Starting with sudo 1.7.4, the time stamp files have moved from
/var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo.
The directories are checked for existence in that order. This
prevents users from receiving the sudo lecture every time the
system reboots. Time stamp files older than the boot time are
ignored on systems where it is possible to determine this.
In Fedora, sudo now uses `/var/db/sudo` directory:
http://pkgs.fedoraproject.org/cgit/sudo.git/commit/?id=e273750
On a quick look, it seems sudo and pam_timestamp now use different time
stamp file content and mode. It seems pam_timestamp assumes sudo time
stamp files are empty, but current sudo versions no longer create empty
files:
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_timestamp/pam_timestamp.c?id=9dcead8#n451
pam_timestamp writes full time stamp file path to the time stamp file,
which does not seem to be done by sudo. I haven't investigated what data
is written by sudo. Also ownership of sudo time stamp file is root:user,
and pam_timestamp expects root:root.
These incompatibilities exist with sudo 1.7.2, which still uses
`/var/run/sudo`. It seems this requires more changes and not only a change
of `TIMESTAMPDIR` to `/var/db/sudo`.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/32>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
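The ticket lists two concrete ways a sudo time stamp file differs from what pam_timestamp expects: ownership (root:user versus root:root) and content (non-empty sudo data versus the file's own full path, or an empty file). The following audit helper is an added example, not code from Linux-PAM or sudo; it classifies a time stamp file against those two expectations so an administrator can see which files in a shared directory such as `/var/db/sudo` would not be interchangeable between the two tools. It assumes exactly the rules stated in the ticket (path content, root:root ownership) and does not check file mode, because the ticket does not state what mode pam_timestamp expects; the `Finding` type, function names and the trailing NUL/newline tolerance are this example's own assumptions.

```python
"""Audit helper (added example, not Linux-PAM or sudo code) that checks time
stamp files against the expectations the ticket attributes to pam_timestamp:
the file is owned root:root and its content is the file's own full path.
Files that deviate are reported so an administrator can tell pam_timestamp
style files from sudo style files in a shared directory."""
import os
import tempfile
from dataclasses import dataclass

ROOT_UID = 0
ROOT_GID = 0


@dataclass
class Finding:
    path: str
    owner_ok: bool          # True when owned root:root as pam_timestamp expects
    content_kind: str       # "pam_path", "empty" or "other"


def classify_content(content: bytes, path: str) -> str:
    """Classify the content of a time stamp file.

    Per the ticket, pam_timestamp writes the file's own full path into the
    file, older sudo versions wrote empty files and current sudo versions
    write non-empty data of some other layout. A trailing NUL or newline is
    tolerated (assumption of this example, not stated in the ticket)."""
    if content == b"":
        return "empty"
    if content.rstrip(b"\0\n") == path.encode():
        return "pam_path"
    return "other"


def classify_timestamp(path: str, content: bytes, uid: int, gid: int) -> Finding:
    """Pure classification so the logic can be exercised without root."""
    owner_ok = uid == ROOT_UID and gid == ROOT_GID
    return Finding(path, owner_ok, classify_content(content, path))


def is_pam_compatible(finding: Finding) -> bool:
    """A file only satisfies pam_timestamp if both checks pass."""
    return finding.owner_ok and finding.content_kind == "pam_path"


def audit_file(path: str) -> Finding:
    """Read ownership and content from disk and classify the file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        content = fh.read()
    return classify_timestamp(path, content, st.st_uid, st.st_gid)


def audit_directory(directory: str) -> list:
    """Classify every regular file directly inside a time stamp directory."""
    findings = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            findings.append(audit_file(full))
    return findings


if __name__ == "__main__":
    # Constructed demo: a pam_timestamp style file and a sudo style file in a
    # temporary directory. Ownership will be the current user, so both are
    # reported as not root:root when run unprivileged.
    with tempfile.TemporaryDirectory() as tmp:
        pam_file = os.path.join(tmp, "alice")
        with open(pam_file, "wb") as fh:
            fh.write(pam_file.encode())
        with open(os.path.join(tmp, "bob"), "wb") as fh:
            fh.write(b"constructed sudo record")
        for f in audit_directory(tmp):
            print(f, "pam_compatible=%s" % is_pam_compatible(f))
```

Run it as root against the real directory by calling `audit_directory("/var/db/sudo")`; a file reported as `owner_ok=False` or `content_kind="other"` is one pam_timestamp would not accept, which is the mismatch the ticket describes.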