Add a command line option to specify the command timeout, as long

as sudoers does not specify a shorter time limit.

doc/sudo.cat

@@ -9,10 +9,10 @@ SSYYNNOOPPSSIISS
      ssuuddoo --ll [--AAkknnSS] [--aa _t_y_p_e] [--gg _g_r_o_u_p] [--hh _h_o_s_t] [--pp _p_r_o_m_p_t] [--UU _u_s_e_r]
           [--uu _u_s_e_r] [_c_o_m_m_a_n_d]
      ssuuddoo [--AAbbEEHHnnPPSS] [--aa _t_y_p_e] [--CC _n_u_m] [--cc _c_l_a_s_s] [--gg _g_r_o_u_p] [--hh _h_o_s_t]
-          [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] [--uu _u_s_e_r] [_V_A_R=_v_a_l_u_e] [--ii | --ss]
-          [_c_o_m_m_a_n_d]
+          [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] [--TT _t_i_m_e_o_u_t] [--uu _u_s_e_r] [_V_A_R=_v_a_l_u_e]
+          [--ii | --ss] [_c_o_m_m_a_n_d]
      ssuuddooeeddiitt [--AAkknnSS] [--aa _t_y_p_e] [--CC _n_u_m] [--cc _c_l_a_s_s] [--gg _g_r_o_u_p] [--hh _h_o_s_t]
-              [--pp _p_r_o_m_p_t] [--uu _u_s_e_r] _f_i_l_e _._._.
+              [--pp _p_r_o_m_p_t] [--TT _t_i_m_e_o_u_t] [--uu _u_s_e_r] _f_i_l_e _._._.
 
 DDEESSCCRRIIPPTTIIOONN
      ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or
@@ -293,6 +293,13 @@ DDEESSCCRRIIPPTTIIOONN
                  _s_u_d_o_e_r_s policy only allows root or a user with the ALL
                  privilege on the current host to use this option.
 
+     --TT _t_i_m_e_o_u_t, ----ccoommmmaanndd--ttiimmeeoouutt=_t_i_m_e_o_u_t
+                 Used to set a timeout for the command.  If the timeout
+                 expires before the command has exited, the command will be
+                 terminated.  The security policy may restrict the ability to
+                 set command timeouts.  The _s_u_d_o_e_r_s policy requires that user-
+                 specified timeouts be explicitly enabled.
+
      --uu _u_s_e_r, ----uusseerr=_u_s_e_r
                  Run the command as a user other than the default target user
                  (usually _r_o_o_t).  The _u_s_e_r may be either a user name or a
@@ -621,4 +628,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.19                    January 19, 2016                    Sudo 1.8.19
+Sudo 1.8.20                    February 16, 2017                   Sudo 1.8.20

doc/sudo.man.in

@@ -1,7 +1,7 @@
 .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
 .\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2016
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2017
 .\"	Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDO" "8" "January 19, 2016" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDO" "8" "February 16, 2017" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -66,6 +66,7 @@
 [\fB\-p\fR\ \fIprompt\fR]
 [\fB\-r\fR\ \fIrole\fR]
 [\fB\-t\fR\ \fItype\fR]
+[\fB\-T\fR\ \fItimeout\fR]
 [\fB\-u\fR\ \fIuser\fR]
 [\fIVAR\fR=\fIvalue\fR]
 [\fB\-i\fR\ |\ \fB\-s\fR]
@@ -80,6 +81,7 @@
 [\fB\-g\fR\ \fIgroup\fR]
 [\fB\-h\fR\ \fIhost\fR]
 [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-T\fR\ \fItimeout\fR]
 [\fB\-u\fR\ \fIuser\fR]
 \fIfile\ ...\fR
 .PD
@@ -564,6 +566,15 @@ policy only allows root or a user with the
 \fRALL\fR
 privilege on the current host to use this option.
 .TP 12n
+\fB\-T\fR \fItimeout\fR, \fB\--command-timeout\fR=\fItimeout\fR
+Used to set a timeout for the command.
+If the timeout expires before the command has exited, the
+command will be terminated.
+The security policy may restrict the ability to set command timeouts.
+The
+\fIsudoers\fR
+policy requires that user-specified timeouts be explicitly enabled.
+.TP 12n
 \fB\-u\fR \fIuser\fR, \fB\--user\fR=\fIuser\fR
 Run the command as a user other than the default target user
 (usually

doc/sudo.mdoc.in

@@ -1,5 +1,5 @@
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2016
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2017
 .\"	Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd January 19, 2016
+.Dd February 16, 2017
 .Dt SUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -57,6 +57,7 @@
 .Op Fl p Ar prompt
 .Op Fl r Ar role
 .Op Fl t Ar type
+.Op Fl T Ar timeout
 .Op Fl u Ar user
 .Op Ar VAR Ns = Ns Ar value
 .Op Fl i | s
@@ -69,6 +70,7 @@
 .Op Fl g Ar group
 .Op Fl h Ar host
 .Op Fl p Ar prompt
+.Op Fl T Ar timeout
 .Op Fl u Ar user
 .Ar
 .Sh DESCRIPTION
@@ -507,6 +509,14 @@ The
 policy only allows root or a user with the
 .Li ALL
 privilege on the current host to use this option.
+.It Fl T Ar timeout , Fl -command-timeout Ns = Ns Ar timeout
+Used to set a timeout for the command.
+If the timeout expires before the command has exited, the
+command will be terminated.
+The security policy may restrict the ability to set command timeouts.
+The
+.Em sudoers
+policy requires that user-specified timeouts be explicitly enabled.
 .It Fl u Ar user , Fl -user Ns = Ns Ar user
 Run the command as a user other than the default target user
 (usually

doc/sudoers.cat

@@ -1419,6 +1419,18 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
                        this option will make that impossible.  This flag is
                        _o_f_f by default.
 
+     user_command_timeouts
+                       If set, the user may specify a timeout on the command
+                       line.  If the timeout expires before the command has
+                       exited, the command will be terminated.  If a timeout
+                       is specified both in the _s_u_d_o_e_r_s file and on the
+                       command line, the smaller of the two timeouts will be
+                       used.  See the Timeout_Spec section for a description
+                       of the timeout syntax.  This flag is _o_f_f by default.
+
+                       This setting is only supported by version 1.8.20 or
+                       higher.
+
      utmp_runas        If set, ssuuddoo will store the name of the runas user when
                        updating the utmp (or utmpx) file.  By default, ssuuddoo
                        stores the name of the invoking user.  This flag is _o_f_f
@@ -2713,4 +2725,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.20                    February 14, 2017                   Sudo 1.8.20
+Sudo 1.8.20                    February 16, 2017                   Sudo 1.8.20

doc/sudoers.man.in

@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "5" "February 14, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "February 16, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -2978,6 +2978,22 @@ This flag is
 \fIoff\fR
 by default.
 .TP 18n
+user_command_timeouts
+If set, the user may specify a timeout on the command line.
+If the timeout expires before the command has exited, the
+command will be terminated.
+If a timeout is specified both in the
+\fIsudoers\fR
+file and on the command line, the smaller of the two timeouts will be used.
+See the
+\fRTimeout_Spec\fR
+section for a description of the timeout syntax.
+This flag is
+\fIoff\fR
+by default.
+.sp
+This setting is only supported by version 1.8.20 or higher.
+.TP 18n
 utmp_runas
 If set,
 \fBsudo\fR

doc/sudoers.mdoc.in

@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd February 14, 2017
+.Dd February 16, 2017
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -2795,6 +2795,21 @@ Use of this option will make that impossible.
 This flag is
 .Em off
 by default.
+.It user_command_timeouts
+If set, the user may specify a timeout on the command line.
+If the timeout expires before the command has exited, the
+command will be terminated.
+If a timeout is specified both in the
+.Pa sudoers
+file and on the command line, the smaller of the two timeouts will be used.
+See the
+.Li Timeout_Spec
+section for a description of the timeout syntax.
+This flag is
+.Em off
+by default.
+.Pp
+This setting is only supported by version 1.8.20 or higher.
 .It utmp_runas
 If set,
 .Nm sudo

plugins/sudoers/def_data.c

@@ -453,6 +453,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"command_timeout", T_TIMEOUT|T_BOOL,
 	N_("Time in seconds after which the command will be terminated: %u"),
 	NULL,
+    }, {
+	"user_command_timeouts", T_FLAG,
+	N_("Allow the user to specify a timeout on the command line"),
+	NULL,
     }, {
 	NULL, 0, NULL
     }

plugins/sudoers/def_data.h

@@ -210,6 +210,8 @@
 #define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag)
 #define I_COMMAND_TIMEOUT       105
 #define def_command_timeout     (sudo_defs_table[I_COMMAND_TIMEOUT].sd_un.ival)
+#define I_USER_COMMAND_TIMEOUTS 106
+#define def_user_command_timeouts (sudo_defs_table[I_USER_COMMAND_TIMEOUTS].sd_un.flag)
 
 enum def_tuple {
 	never,

plugins/sudoers/def_data.in

@@ -332,3 +332,6 @@ ignore_unknown_defaults
 command_timeout
 	T_TIMEOUT|T_BOOL
 	"Time in seconds after which the command will be terminated: %u"
+user_command_timeouts
+	T_FLAG
+	"Allow the user to specify a timeout on the command line"

plugins/sudoers/policy.c

@@ -35,6 +35,7 @@
 #include "sudoers.h"
 #include "sudoers_version.h"
 #include "interfaces.h"
+#include "parse.h" /* for parse_timeout() */
 
 /*
  * Info passed in from the sudo front-end.
@@ -256,6 +257,18 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 	    remhost = *cur + sizeof("remote_host=") - 1;
 	    continue;
 	}
+	if (MATCHES(*cur, "timeout=")) {
+	    p = *cur + sizeof("timeout=") - 1;
+	    user_timeout = parse_timeout(p);
+	    if (user_timeout == -1) {
+		if (errno == ERANGE)
+		    sudo_warnx(U_("%s: %s"), p, U_("timeout value too large"));
+		else
+		    sudo_warnx(U_("%s: %s"), p, U_("invalid timeout value"));
+		goto bad;
+	    }
+	    continue;
+	}
 #ifdef ENABLE_SUDO_PLUGIN_API
 	if (MATCHES(*cur, "plugin_dir=")) {
 	    path_plugin_dir = *cur + sizeof("plugin_dir=") - 1;
@@ -580,8 +593,11 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
 	if ((command_info[info_len++] = sudo_new_key_val("iolog_group", def_iolog_group)) == NULL)
 	    goto oom;
     }
-    if (def_command_timeout != 0) {
-	if (asprintf(&command_info[info_len++], "timeout=%u", def_command_timeout) == -1)
+    if (def_command_timeout > 0 || user_timeout > 0) {
+	int timeout = def_command_timeout;
+	if (timeout <= 0 || user_timeout < timeout)
+	    timeout = user_timeout;
+	if (asprintf(&command_info[info_len++], "timeout=%u", timeout) == -1)
 	    goto oom;
     }
     if (cmnd_umask != ACCESSPERMS) {

plugins/sudoers/sudoers.c

@@ -476,10 +476,17 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	goto bad;
     }
 
+    /* If user specified a timeout make sure sudoers allows it. */
+    if (!def_user_command_timeouts && user_timeout > 0) {
+	/* XXX - audit/log? */
+	sudo_warnx(U_("sorry, you are not allowed set a command timeout"));
+	goto bad;
+    }
+
     /* If user specified env vars make sure sudoers allows it. */
     if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) {
 	if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {
-	    /* XXX - audit? */
+	    /* XXX - audit/log? */
 	    sudo_warnx(U_("sorry, you are not allowed to preserve the environment"));
 	    goto bad;
 	} else {

plugins/sudoers/sudoers.h

@@ -103,6 +103,7 @@ struct sudo_user {
     int   cols;
     int   flags;
     int   max_groups;
+    int   timeout;
     mode_t umask;
     uid_t uid;
     uid_t gid;
@@ -214,6 +215,7 @@ struct sudo_user {
 #define user_closefrom		(sudo_user.closefrom)
 #define	runas_privs		(sudo_user.privs)
 #define	runas_limitprivs	(sudo_user.limitprivs)
+#define user_timeout		(sudo_user.timeout)
 
 #ifdef __TANDEM
 # define ROOT_UID	65535

src/parse_args.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1993-1996, 1998-2015 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1993-1996, 1998-2017 Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -101,7 +101,9 @@ static struct sudo_settings sudo_settings[] = {
     { "plugin_dir" },
 #define ARG_REMOTE_HOST 21
     { "remote_host" },
-#define NUM_SETTINGS 22
+#define ARG_TIMEOUT 22
+    { "timeout" },
+#define NUM_SETTINGS 23
     { NULL }
 };
 
@@ -118,7 +120,7 @@ static struct sudo_settings sudo_settings[] = {
  * Note that we must disable arg permutation to support setting environment
  * variables and to better support the optional arg of the -h flag.
  */
-static const char short_opts[] =  "+Aa:bC:c:D:Eeg:Hh::iKklnPp:r:Sst:U:u:Vv";
+static const char short_opts[] =  "+Aa:bC:c:D:Eeg:Hh::iKklnPp:r:SsT:t:U:u:Vv";
 static struct option long_opts[] = {
     { "askpass",	no_argument,		NULL,	'A' },
     { "auth-type",	required_argument,	NULL,	'a' },
@@ -142,6 +144,7 @@ static struct option long_opts[] = {
     { "stdin",		no_argument,		NULL,	'S' },
     { "shell",		no_argument,		NULL,	's' },
     { "type",		required_argument,	NULL,	't' },
+    { "command-timeout",required_argument,	NULL,	'T' },
     { "other-user",	required_argument,	NULL,	'U' },
     { "user",		required_argument,	NULL,	'u' },
     { "version",	no_argument,		NULL,	'V' },
@@ -332,6 +335,9 @@ parse_args(int argc, char **argv, int *nargc, char ***nargv,
 		    sudo_settings[ARG_SELINUX_TYPE].value = optarg;
 		    break;
 #endif
+		case 'T':
+		    sudo_settings[ARG_TIMEOUT].value = optarg;
+		    break;
 		case 'S':
 		    SET(tgetpass_flags, TGP_STDIN);
 		    break;
@@ -588,7 +594,7 @@ static void
 help(void)
 {
     struct sudo_lbuf lbuf;
-    const int indent = 30;
+    const int indent = 32;
     const char *pname = getprogname();
     debug_decl(help, SUDO_DEBUG_ARGS)
 
@@ -654,6 +660,8 @@ help(void)
     sudo_lbuf_append(&lbuf, "  -t, --type=type               %s\n",
 	_("create SELinux security context with specified type"));
 #endif
+    sudo_lbuf_append(&lbuf, "  -T, --command-timeout=timeout %s\n",
+	_("terminate command after the specified time limit"));
     sudo_lbuf_append(&lbuf, "  -U, --other-user=user         %s\n",
 	_("in list mode, display privileges for user"));
     sudo_lbuf_append(&lbuf, "  -u, --user=user               %s\n",

src/sudo_usage.h.in

@@ -1,5 +1,6 @@
 /*
- * Copyright (c) 2007-2010, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2007-2010, 2013, 2015, 2017
+ *	Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -26,8 +27,8 @@
 #define SUDO_USAGE1 " -h | -K | -k | -V"
 #define SUDO_USAGE2 " -v [-AknS] @BSDAUTH_USAGE@[-g group] [-h host] [-p prompt] [-u user]"
 #define SUDO_USAGE3 " -l [-AknS] @BSDAUTH_USAGE@[-g group] [-h host] [-p prompt] [-U user] [-u user] [command]"
-#define SUDO_USAGE4 " [-AbEHknPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C num] @LOGINCAP_USAGE@[-g group] [-h host] [-p prompt] [-u user] [VAR=value] [-i|-s] [<command>]"
-#define SUDO_USAGE5 " -e [-AknS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C num] @LOGINCAP_USAGE@[-g group] [-h host] [-p prompt] [-u user] file ..."
+#define SUDO_USAGE4 " [-AbEHknPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C num] @LOGINCAP_USAGE@[-g group] [-h host] [-p prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]"
+#define SUDO_USAGE5 " -e [-AknS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C num] @LOGINCAP_USAGE@[-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ..."
 
 /*
  * Configure script arguments used to build sudo.