#32: pam_timestamp: default TIMESTAMPDIR no longer matches sudo time stamp directory ---------------------+------------------------------ Reporter: thoger | Owner: pam-developers@… Type: defect | Status: new Priority: minor | Component: modules Version: | Keywords: Blocked By: | Blocking: ---------------------+------------------------------ pam_timestamp defaults to using `/var/run/sudo` as its default time stamp directory. This seems to be for compatibility with sudo. However, that directory is no longer used by sudo as of version 1.7.4: http://www.sudo.ws/repos/sudo/rev/8c9440423d98 Starting with sudo 1.7.4, the time stamp files have moved from /var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo. The directories are checked for existence in that order. This prevents users from receiving the sudo lecture every time the system reboots. Time stamp files older than the boot time are ignored on systems where it is possible to determine this. In Fedora, sudo now uses `/var/db/sudo` directory: http://pkgs.fedoraproject.org/cgit/sudo.git/commit/?id=e273750 On a quick look, it seems sudo and pam_timestamp now use different time stamp file content and mode. It seems pam_timestamp assumes sudo times tamp files are empty, but current sudo versions no longer create empty files: https://git.fedorahosted.org/cgit/linux- pam.git/tree/modules/pam_timestamp/pam_timestamp.c?id=9dcead8#n451 pam_timestamp writes full time stamp file path to the time stamp file, which does not seem to be done by sudo. I haven't investigated what data is written by sudo. Also ownership of sudo time stamp file is root:user, and pam_timestamp expects root:root. These incompatibility exists with sudo 1.7.2, which still uses `/var/run/sudo`. It seems this requires more changes and not only change of `TIMESTAMPDIR` to `/var/db/sudo`. -- Ticket URL: <https://fedorahosted.org/linux-pam/ticket/32> linux-pam <http://fedorahosted.org/linux-pam> The Linux-PAM (Pluggable Authentication Modules) project