Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
A time limit (lifecycle limit) is a good idea!
Missing in sudo.
How about Linux polkit, does it support expiration?
Authorization expires in sudo, see the timestamp_timeout and timeout_spec options. But do you mean limiting authorization to particular hours in the day? Polkit does not have the granularity to be other than a dangerous backdoor at the moment.
I don't mean a authentication caching time.
And not a work hours restriction.
Following scenario:
in an enterprise environment there is a security policy to time-limit each granted privilege (sudo or RBAC), say from 1 day up to 1 year.
Entries in sudoers do not have an end date.
So a complex tool is required that tracks the entries and removes them if expired.
I'd expect that you'd do that with groups in /etc/sudoers and then add the account to the group for a while, removing the account from that group when their time is up.
I'd expect that you'd do that with groups in /etc/sudoers and then add the account to the group for a while, removing the account from that group when their time is up.
that is not the same. A user may have permission to execute one or more commands, and the permission may expire only on some, not all.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.