The persist feature in OpenBSDs doas(1) uses a new
tty(4) ioctl(2)
which allows to create (TIOCSETVERAUTH), clear (TIOCCLRVERAUTH) and check
(IOCCHKVERAUTH) authentications to the specific TTY with a timeout.
sudo(8) uses timestamp files to avoid having to enter the password repeatedly,
they are bound to the PPID
(Parent process identifier) or TTY number.
After investigating how sudo(8) does it and reading old vulnerabilities in sudo(8),
I was a bit concerned about implementing it, but the quality of life improvements
of not having to enter the password on each command is really nice to have I decided to
implement timestamp files similarly to sudo(8) and avoid all the previous issues sudo(8)
had with it.
One issue I had with timestamp files in sudo(8) was that they were fairly easy to be reuse
on linux, as a PoC (proof of concept) I authenticated my self in a ssh session and used sudo(8),
which created a timestamp file for the specific pseudo tty and the PPID.
Then my PoC would open a new pseudo tty and would be assigned to the one that was free after
the ssh session was closed.
To match the PPID, I just called clone(2) in a loop until I got the previous PPID of the sshd
sub-process.
This then allowed me to reuse the timestamp file from the ssh session and execute sudo(8) from
the PoC without having to enter a password.
When I was thinking about how this could be fixed my Idea was to use the start time, of the TTYs session leader, the start time is a monotonic clock that can only go forwards from the time of boot.
There is no way to get the same TTY/PPID with the same start time of the session leader, other than rebooting the system, but there are other measures to avoid that.
I implemented this in OpenDoas and suggested the sudo(8) maintainers to implement the same
mechanism to avoid this kind of “attack”. Within a few hours it landed in sudo(8) and
every supported operating system sudo(8) supports, has the capability to receive the
start time of a process so this new feature is not only limited to linux.
This new feature was added released sudo(8) 1.8.22 in 2017.