Comment 11 for bug 87023

Kees Cook (kees) wrote :

I see a few options for dealing with console log-outs:

1) Add "sudo -K" to /etc/skel/.bash_logout via patch to bash pkg. (This doesn't catch upgrades, and doesn't handle people not using bash.)

2) Dig into PAM's session management and write a new module to be added as login and ssh required "session" modules. (Seems a bit sloppy.)

3) Using a recent patch to mainline, write a logout-watching daemon that cleans up after sudo when a pts goes away. (This seems really like too heavy a solution.)

4) Patch the pts code to use kobjects and hook up a listener to "remove" events. (This is a lot of work.)

As for the GUI apps, I think sudo (and the GUI su-ing apps) should be patched to add something like "--single-shot", where no tty-based ticket is left behind.
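
Option 1 and its "doesn't catch upgrades" caveat, sketched as an added example (not part of the comment above and not code from the bash or sudo packages): the hook is appended idempotently to the skel file and to `.bash_logout` files that already exist under a home root. The function names, the marker comment and the two directory arguments are assumptions made for this sketch; users of other shells remain uncovered, as the comment notes.

```shell
#!/bin/sh
# Added illustration; function names and HOOK_MARK are hypothetical.
HOOK_MARK='# drop cached sudo credentials when the login shell exits'
HOOK_CMD='command -v sudo >/dev/null 2>&1 && sudo -K'
# Matches an uncommented "sudo -K" anywhere on a line.
HOOK_RE='^([^#]*[[:space:];&|])?sudo[[:space:]]+-K([[:space:];&|]|$)'

# has_logout_hook FILE: succeeds if FILE already runs "sudo -K".
has_logout_hook() {
    [ -f "$1" ] && grep -Eq "$HOOK_RE" "$1"
}

# ensure_logout_hook FILE: append the hook once; safe to re-run.
ensure_logout_hook() {
    file=$1
    if has_logout_hook "$file"; then
        return 0
    fi
    # Keep the hook on its own line if the file lacks a final newline.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >>"$file" || return 1
    fi
    printf '%s\n%s\n' "$HOOK_MARK" "$HOOK_CMD" >>"$file"
}

# ensure_logout_hook_all SKEL_DIR HOME_ROOT
# Covers new accounts via SKEL_DIR and existing accounts under HOME_ROOT
# (the upgrade case); homes without a .bash_logout are left alone.
ensure_logout_hook_all() {
    skel_dir=$1
    home_root=$2
    ensure_logout_hook "$skel_dir/.bash_logout" || return 1
    for f in "$home_root"/*/.bash_logout; do
        [ -f "$f" ] || continue
        ensure_logout_hook "$f" || return 1
    done
    return 0
}
```

A commented-out `sudo -K` line does not count as an existing hook, so such a file still receives the active one.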