Hi,

Hiltjo Posthuma wrote on Fri, Dec 20, 2019 at 12:40:14AM +0100:
> On Thu, Dec 19, 2019 at 02:03:19PM -0700, andrej wrote:

>> On the note of accurate documentation; how about adding the actually
>> defined timeout for persist rather than the "some time"?

> Sometimes there is a reason implementation details are not specifically
> documented,

Correct.

> but I don't know if that's the case here.

If I understand correctly, it is. This option is only provided for
convenience in interactive use. It shouldn't matter for the user
what the exact timeout is. The user will simply enter the password
once more when asked.

On the other hand, Ted might decide at some time in the future that
a slightly different timeout yields a better balance of convenience
and security. When there is no public promise how long exactly the
timeout is, changing it is less disruptive.

So, I'm not convinced we want the patch quoted below.

Yours,
  Ingo

> diff --git usr.bin/doas/doas.conf.5 usr.bin/doas/doas.conf.5
> index b5cacde22cd..b541aef966c 100644
> --- usr.bin/doas/doas.conf.5
> +++ usr.bin/doas/doas.conf.5
> @@ -47,7 +47,7 @@ Options are:
> The user is not required to enter a password.
> .It Ic persist
> After the user successfully authenticates, do not ask for a password
> -again for some time.
> +again for 5 minutes for the session.
> .It Ic keepenv
> Environment variables other than those listed in
> .Xr doas 1
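
Review bot: the added line "+again for 5 minutes for the session." chains two "for" phrases, so it is unclear whether the five minutes are scoped to one session or describe how long the session lasts; if a figure is documented at all, wording such as "again for 5 minutes within the same session" would read more clearly. The patch touches only doas.conf.5, so nothing in the visible lines ties the number to the code, and a fixed value in the manual has to be updated whenever the timeout changes.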

