On one box I test configuration edits and backups, I find myself using
doas around once every 7-9 minutes, exceeding the 5 minute limit.
Another box is basically a gateway, so I don't exceed 2 minutes between
doas runs.
It would be nice to have the option of deviating from the default, and
the "persist" feature seems incomplete without the ability to adjust
the timeout from a fixed 5 minutes.
I didn't say anything until now, because I was under the
impression there was something else planned for the "persist" feature,
but there has I haven't seen anything about this in the mailing lists
since this: https://marc.info/?l=openbsd-tech&m=147314077009745
Since the first release with this feature will be 6.1, it seems logical
to make any syntax changes now rather than later. No kernel changes
needed here, since the timeout can be set with TIOCSETVERAUTH, so I
don't see any harm in giving admins the option of setting the timeout
with doas.conf instead of it being hard-coded into doas itself.
On Sun, 12 Mar 2017 10:20:46 -0600
"Theo de Raadt" <dera...@openbsd.org> wrote:
> I'll ask the question: Why are you sure you need that?
>
> > Are there plans (or perhaps code already being worked on) to allow
> > doas(1) 'persist' to have a different time other than 5 minutes? I
> > am thinking of writing a patch for this, but I do not want to
> > duplicate effort if the devs have other/similar plans ahead.
> >
> > I would like to configure the timeout to be 1 minute on one of my
> > boxes, and 5-10 minutes on another box.
> >
> > For instance, something like:
> >
> > # 90-second persistence
> > permit persist=90 :wheel
> > permit nopass keepenv root
> >
> > # 5-minute persistence
> > permit persist :captain
> >
> > Or even:
> >
> > # 90-seconds; timeout must be specified.
> > permit persist 90 :wheel
