From: Michael Albinus
Date: Wed, 21 Nov 2018 12:23:01 +0000 (+0100)
Subject: Let Tramp sudo sessions expire after a timeout
X-Git-Tag: emacs-27.0.90~4127
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=fb200f3e5775fa2811ba270c2a7b0295b42539a0;p=emacs.git

Let Tramp sudo sessions expire after a timeout

* doc/misc/tramp.texi (Inline methods) : Both methods expire the underlying session per default.
(Predefined connection information): Explain "session-timeout".
* etc/NEWS: Mention Tramp session expiration.
* lisp/net/tramp-sh.el (tramp-methods) : Add `tramp-session-timeout'.
(tramp-timeout-session): New defun.
(tramp-maybe-open-connection): Handle session timeout.
* lisp/net/tramp.el (tramp-methods): Adapt docstring.
(tramp-equal-remote): Extend.
---
diff --git a/doc/misc/tramp.texi b/doc/misc/tramp.texi
index 8cd0a72fc8c..79185285623 100644
--- a/doc/misc/tramp.texi
+++ b/doc/misc/tramp.texi
@@ -721,11 +721,17 @@ the host returned by the function @command{(system-name)}. See
 Similar to @option{su} method, @option{sudo} uses @command{sudo}.
 @command{sudo} must have sufficient rights to start a shell.
+Due to security reasons, a @option{sudo} connection is disabled after
+a predefined timeout (5 minutes per default). This can be changed,
+see @ref{Predefined connection information}.
+
 @item @option{doas}
 @cindex method @option{doas}
 @cindex @option{doas} method
-This method is used on OpenBSD like the @command{sudo} command.
+This method is used on OpenBSD like the @command{sudo} command. Like
+the @option{sudo} method, a @option{sudo} connection is disabled after
+a predefined timeout.
 @item @option{sg}
 @cindex method @option{sg}
@@ -1826,6 +1832,24 @@ The parameters @code{tramp-remote-shell} and
 @code{tramp-remote-shell-login} in @code{tramp-methods} now have new
 values for the remote host.
+A common use case is to override the session timeout of a connection,
+that is the time (in seconds) after a connection is disabled, and must
+be reestablished. This can be set for any connection; for the
+@option{sudo} and @option{doas} methods there exist predefined values.
+A value of @code{nil} disables this feature. For example:
+
+@lisp
+@group
+(add-to-list 'tramp-connection-properties
+ (list (regexp-quote "@trampfn{sudo,root@@system-name,}")
+ "session-timeout" 30))
+@end group
+@end lisp
+
+@noindent
+@samp{system-name} stands here for the host returned by the function
+@command{(system-name)}.
+
 @var{property} could also be any property found in
 @code{tramp-persistency-file-name}.
diff --git a/etc/NEWS b/etc/NEWS
index 4ed312c7216..13d660812d6 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -832,6 +832,11 @@ Tramp for some look-alike remote file names.
 *** For some connection methods, like "su" or "sudo", the host name in
 ad-hoc multi-hop file names must match the previous hop.
++++
+*** For the connection methods "sudo" and "doas" there exists a
+timeout, after which the underlying session is disabled. This is for
+security reasons.
+
 ** Rcirc
 ---
diff --git a/lisp/net/tramp-sh.el b/lisp/net/tramp-sh.el
index 4fb011b3423..4965f835b0c 100644
--- a/lisp/net/tramp-sh.el
+++ b/lisp/net/tramp-sh.el
@@ -271,14 +271,13 @@ The string is used in `tramp-methods'.")
 (tramp-remote-shell-args ("-c"))
 (tramp-connection-timeout 10)))
 ;;;###tramp-autoload
-(add-to-list
- 'tramp-methods
- '("sg"
- (tramp-login-program "sg")
- (tramp-login-args (("-") ("%u")))
- (tramp-remote-shell "/bin/sh")
- (tramp-remote-shell-args ("-c"))
- (tramp-connection-timeout 10)))
+(add-to-list 'tramp-methods
+ '("sg"
+ (tramp-login-program "sg")
+ (tramp-login-args (("-") ("%u")))
+ (tramp-remote-shell "/bin/sh")
+ (tramp-remote-shell-args ("-c"))
+ (tramp-connection-timeout 10)))
 ;;;###tramp-autoload
 (add-to-list 'tramp-methods
 '("sudo"
@@ -292,7 +291,8 @@ The string is used in `tramp-methods'.")
 (tramp-remote-shell "/bin/sh")
 (tramp-remote-shell-login ("-l"))
 (tramp-remote-shell-args ("-c"))
- (tramp-connection-timeout 10)))
+ (tramp-connection-timeout 10)
+ (tramp-session-timeout 300)))
 ;;;###tramp-autoload
 (add-to-list 'tramp-methods
 '("doas"
@@ -300,7 +300,8 @@ The string is used in `tramp-methods'.")
 (tramp-login-args (("-u" "%u") ("-s")))
 (tramp-remote-shell "/bin/sh")
 (tramp-remote-shell-args ("-c"))
- (tramp-connection-timeout 10)))
+ (tramp-connection-timeout 10)
+ (tramp-session-timeout 300)))
 ;;;###tramp-autoload
 (add-to-list 'tramp-methods
 '("ksu"
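Review bot: Only the `sudo` and `doas` entries receive `(tramp-session-timeout 300)` (second and third hunk), while the `tramp-methods` docstring added in tramp.el motivates the parameter with methods "like su or sudo"; the `su` entry keeps an unbounded root session. Either add the same parameter to the `su` entry and mention it in the NEWS text, or reword the docstring so it names the methods that actually carry a default. A comment next to the value, `;; Seconds after connection setup until the session is torn down.`, would make the unit and the reference point explicit where the constant lives. The texi sentence added for doas in the first file describes `a @option{sudo} connection` where `@option{doas}` is meant.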
@@ -4371,16 +4372,14 @@ Goes through the list `tramp-local-coding-commands' and
 vec 5 "Checking local encoding function `%s'" loc-enc)
 (tramp-message
 vec 5 "Checking local encoding command `%s' for sanity" loc-enc)
- (unless (zerop (tramp-call-local-coding-command
- loc-enc nil nil))
+ (unless (zerop (tramp-call-local-coding-command loc-enc nil nil))
 (throw 'wont-work-local nil)))
 (if (not (stringp loc-dec))
 (tramp-message
 vec 5 "Checking local decoding function `%s'" loc-dec)
 (tramp-message
 vec 5 "Checking local decoding command `%s' for sanity" loc-dec)
- (unless (zerop (tramp-call-local-coding-command
- loc-dec nil nil))
+ (unless (zerop (tramp-call-local-coding-command loc-dec nil nil))
 (throw 'wont-work-local nil)))
 ;; Search for remote coding commands with the same format
 (while (and remote-commands (not found))
@@ -4702,6 +4701,19 @@ Goes through the list `tramp-inline-compress-commands'."
 " -o ControlPersist=no")))))))))
 tramp-ssh-controlmaster-options)))
+(defun tramp-timeout-session (vec)
+ "Close the connection VEC after a session timeout.
+If there is just some editing, retry it after 5 seconds."
+ (if (and tramp-locked tramp-locker
+ (tramp-equal-remote vec tramp-current-connection))
+ (progn
+ (tramp-message
+ vec 5 "Cannot timeout session, trying it again in %s seconds." 5)
+ (run-at-time 5 nil 'tramp-timeout-session vec))
+ (tramp-message
+ vec 3 "Timeout session %s" (tramp-make-tramp-file-name vec 'localname))
+ (tramp-cleanup-connection vec 'keep-debug)))
+
 (defun tramp-maybe-open-connection (vec)
 "Maybe open a connection VEC.
 Does not do anything if a connection is already open, but re-opens the
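Review bot: The guard `(tramp-equal-remote vec tramp-current-connection)` in the new `tramp-timeout-session` only works if `tramp-current-connection` is a bare `tramp-file-name` vector; if it holds a cons of the vector and a timestamp, neither `tramp-tramp-file-p` nor the new `tramp-file-name-p` branch accepts it, the condition is always nil, and the connection is cleaned up even while `tramp-locked` and `tramp-locker` indicate an operation in flight. If that is its shape, compare against `(car tramp-current-connection)` instead. The docstring line `If there is just some editing, retry it after 5 seconds.` is vague about what is checked; `If a Tramp operation on VEC is still running, retry after 5 seconds.` states the actual condition.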
@@ -4878,6 +4890,14 @@ connection if a previous connection has died for some reason."
 :method l-method :user l-user :domain l-domain
 :host l-host :port l-port))
+ ;; Set session timeout.
+ (when (tramp-get-method-parameter
+ hop 'tramp-session-timeout)
+ (tramp-set-connection-property
+ p "session-timeout"
+ (tramp-get-method-parameter
+ hop 'tramp-session-timeout)))
+
 ;; Add login environment.
 (when login-env
 (setq
@@ -4941,6 +4961,12 @@ connection if a previous connection has died for some reason."
 ;; Set connection-local variables.
 (tramp-set-connection-local-variables vec)
+ ;; Activate session timeout.
+ (when (tramp-get-connection-property p "session-timeout" nil)
+ (run-at-time
+ (tramp-get-connection-property p "session-timeout" nil) nil
+ 'tramp-timeout-session vec))
+
 ;; Make initial shell settings.
 (tramp-open-connection-setup-interactive-shell p vec)
diff --git a/lisp/net/tramp.el b/lisp/net/tramp.el
index f16bb67efb5..8362d787525 100644
--- a/lisp/net/tramp.el
+++ b/lisp/net/tramp.el
@@ -248,6 +248,10 @@ pair of the form (KEY VALUE). The following KEYs are defined:
 In general, the global default value shall be used, but for some
 methods, like \"su\" or \"sudo\", a shorter timeout might be desirable.
+ * `tramp-session-timeout'
+ How long a Tramp connection keeps open before being disconnected.
+ This is useful for methods like \"su\" or \"sudo\", which
+ shouldn't run an open connection in the background forever.
 * `tramp-case-insensitive'
 Whether the remote file system handles file names case insensitive.
 Only a non-nil value counts, the default value nil means to
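Review bot: The timer armed by `run-at-time` in the second hunk is neither stored nor cancelled, so it outlives the connection it was created for: if the connection is closed earlier (explicit cleanup, process death) and reopened, the stale timer still fires on its original schedule and tears down the fresh session after an arbitrary fraction of its timeout, while the reopened connection has armed a second timer of its own. Keep the timer object as a connection property on `p`, e.g. `(tramp-set-connection-property p "session-timer" (run-at-time ...))`, and `cancel-timer` it where the connection is cleaned up; that cleanup code is outside the hunk, so I cannot confirm whether it already deals with timers. The `"session-timeout"` property is also looked up twice inside the `when`; binding it once with `let` avoids the duplicate call. The enclosing `tramp-maybe-open-connection` starts and ends outside the hunk.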
@@ -4074,10 +4078,16 @@ Example:
 would yield t. On the other hand, the following check results in nil:
- (tramp-equal-remote \"/sudo::/etc\" \"/su::/etc\")"
- (and (tramp-tramp-file-p file1)
- (tramp-tramp-file-p file2)
- (string-equal (file-remote-p file1) (file-remote-p file2))))
+ (tramp-equal-remote \"/sudo::/etc\" \"/su::/etc\")
+
+FILE1 and FILE2 could also be Tramp vectors."
+ (or (and (tramp-tramp-file-p file1)
+ (tramp-tramp-file-p file2)
+ (string-equal (file-remote-p file1) (file-remote-p file2)))
+ (and (tramp-file-name-p file1)
+ (tramp-file-name-p file2)
+ (string-equal (tramp-make-tramp-file-name file1 'localname)
+ (tramp-make-tramp-file-name file2 'localname)))))
 ;;;###tramp-autoload
 (defun tramp-mode-string-to-int (mode-string)
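Review bot: The new vector branch compares the complete generated file names, whereas the string branch compares only `file-remote-p`, i.e. the connection part. If the `'localname` argument makes `tramp-make-tramp-file-name` include each vector's own localname, two vectors for the same connection but different files compare unequal, contrary to the docstring's `/sudo::/etc` versus `/sudo::/home` example, and the new caller `tramp-timeout-session` would rarely see a match. Comparing `(file-remote-p (tramp-make-tramp-file-name file1 'localname))` with the same expression for `file2` keeps both branches on the connection part. The added docstring sentence could also state that a string and a vector are never considered equal, which is what the `or` of two homogeneous `and` forms implies.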