Sudo

A time limit (lifecycle limit) is a good idea!
Missing in sudo.
How about Linux polkit, does it support expiration?

Quote:

Originally Posted by MadeInGermany How about Linux polkit, does it support expiration?

It supports it but I think it's up to the sysadmin whether the authentication expires for a particular case or not.

I was under the impression that sudo passwords expire after a few minutes unless reused. Is that no longer the case?

Quote:

Originally Posted by hazel It supports it but I think it's up to the sysadmin whether the authentication expires for a particular case or not. I was under the impression that sudo passwords expire after a few minutes unless reused. Is that no longer the case?

it is a different case. The password itself will be completely useless, expired. Not the current session.

Quote:

Originally Posted by MadeInGermany A time limit (lifecycle limit) is a good idea! Missing in sudo. How about Linux polkit, does it support expiration?

Authorization expires in sudo, see the timestamp_timeout and timeout_spec options. But do you mean limiting authorization to particular hours in the day? Polkit does not have the granularity to be other than a dangerous backdoor at the moment.

I don't mean a authentication caching time.
And not a work hours restriction.

Following scenario:
in an enterprise environment there is a security policy to time-limit each granted privilege (sudo or RBAC), say from 1 day up to 1 year.

Entries in sudoers do not have an end date.
So a complex tool is required that tracks the entries and removes them if expired.

I'd expect that you'd do that with groups in /etc/sudoers and then add the account to the group for a while, removing the account from that group when their time is up.

Quote:

Originally Posted by Turbocapitalist I'd expect that you'd do that with groups in /etc/sudoers and then add the account to the group for a while, removing the account from that group when their time is up.

that is not the same. A user may have permission to execute one or more commands, and the permission may expire only on some, not all.

Quote:

Originally Posted by pan64 that is not the same. A user may have permission to execute one or more commands, and the permission may expire only on some, not all.

Though it is also likely I am not seeing the whole picture, I would still see that as an extension of group access. e.g.

Code:

Cmnd_Alias WEB = /usr/sbin/apache2ctl graceful, /usr/sbin/apache2ctl start, /usr/sbin/apache2ctl stop
. . .
%web-01 ALL=(root:root) WEB
%db-02 ALL=(root:root) ...
%user-03 ALL=(root:root) ...
. . .

Then

Code:

echo 'sed -i.bak -e "s/^%pan64-01/# &/" /etc/sudoers"; \
    gpasswd -d pan64 web-01;' \
        at -t 202405102200

Or something like that.