5

The basis for this question is this answer. In the sudoers man-page it is stated that:

timestamp_timeout

Number of minutes that can elapse before sudo will ask for a passwd again.

...

This can be used to allow users to create or delete their own time stamps via “sudo -v” and “sudo -k” respectively.

What is actually referred to here in the last sentence regarding the create?

This can be used to allow users to create ... their own time stamps via “sudo -v” ....

The sudo -v command already exists and is not dependent on timestamp_timeout as far as I can see. So where and how is that information in the man-page helping? What would be a practical use case?

UlfR

1 Answer

11

From the sudo manpage:

-v, --validate
     Update the user's cached credentials, authenticating the user
     if necessary.  For the sudoers plugin, this extends the sudo
     timeout for another 15 minutes by default, but does not run a
     command.  Not all security policies support cached
     credentials.

Assuming a timeout is allowed for sudo (timestamp_timeout is greater than zero), a long-running script that repeatedly uses sudo can run sudo -v in a loop in the background, so that the user only has to authenticate to sudo once, at the start of the script. The background sudo -v loop will then keep extending the timeout (each time creating a newer timestamp). I have seen software installation scripts that need to invoke sudo a few times, each step potentially taking a long time to complete due to downloading, use sudo -v in this fashion.

muru
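
The background sudo -v loop described in the answer above, written out as an added example that is not part of the original answer or of sudo itself. The names SUDO_CMD, KEEPALIVE_PID, start_sudo_keepalive and stop_sudo_keepalive are assumptions made for this sketch; it also calls sudo -k at the end so the cached credentials do not outlive the script.

```shell
# Added example: SUDO_CMD, KEEPALIVE_PID and both function names are
# hypothetical, chosen for this sketch. SUDO_CMD is overridable so the loop
# can be exercised without real sudo.
SUDO_CMD=${SUDO_CMD:-sudo}
KEEPALIVE_PID=""

# Authenticate once (the only prompt), then refresh the time stamp every
# $1 seconds. Pick an interval shorter than the configured timestamp_timeout.
start_sudo_keepalive() {
    keepalive_interval=${1:-60}
    keepalive_parent=$$
    "$SUDO_CMD" -v || return 1
    (
        # Stop as soon as the parent script is gone.
        while kill -0 "$keepalive_parent" 2>/dev/null; do
            sleep "$keepalive_interval"
            # -n: never prompt from the background; give up if the
            # cached credentials can no longer be refreshed.
            "$SUDO_CMD" -n -v 2>/dev/null || exit 1
        done
    ) &
    KEEPALIVE_PID=$!
}

# Stop the loop and drop the cached credentials, so the passwordless
# window does not outlive the script that needed it.
stop_sudo_keepalive() {
    [ -n "$KEEPALIVE_PID" ] || return 0
    kill "$KEEPALIVE_PID" 2>/dev/null || true
    wait "$KEEPALIVE_PID" 2>/dev/null || true
    KEEPALIVE_PID=""
    "$SUDO_CMD" -k
}

# Typical use in an installer script:
#   start_sudo_keepalive 60 || exit 1
#   trap stop_sudo_keepalive EXIT
#   sudo <long-running step>     # no further prompts while the loop runs
```

If timestamp_timeout is set to 0, the refresh cannot help: every sudo invocation prompts regardless of the loop.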