Let Tramp sudo sessions expire after a timeout

* doc/misc/tramp.texi (Inline methods) <sudo, doas>: Both methods expire
the underlying session per default.
(Predefined connection information): Explain "session-timeout".

* etc/NEWS: Mention Tramp session expiration.

* lisp/net/tramp-sh.el (tramp-methods) <sudo, doas>:
Add `tramp-session-timeout'.
(tramp-timeout-session): New defun.
(tramp-maybe-open-connection): Handle session timeout.

* lisp/net/tramp.el (tramp-methods): Adapt docstring.
(tramp-equal-remote): Extend.

4 files changed, 84 insertions, 19 deletions

diff --git a/doc/misc/tramp.texi b/doc/misc/tramp.texi
index 8cd0a72fc8c..79185285623 100644
--- a/doc/misc/tramp.texi
+++ b/doc/misc/tramp.texi
@@ -721,11 +721,17 @@ the host returned by the function @command{(system-name)}.  See
 Similar to @option{su} method, @option{sudo} uses @command{sudo}.
 @command{sudo} must have sufficient rights to start a shell.
 
+Due to security reasons, a @option{sudo} connection is disabled after
+a predefined timeout (5 minutes per default).  This can be changed,
+see @ref{Predefined connection information}.
+
 @item @option{doas}
 @cindex method @option{doas}
 @cindex @option{doas} method
 
-This method is used on OpenBSD like the @command{sudo} command.
+This method is used on OpenBSD like the @command{sudo} command.  Like
+the @option{sudo} method, a @option{sudo} connection is disabled after
+a predefined timeout.
 
 @item @option{sg}
 @cindex method @option{sg}
@@ -1826,6 +1832,24 @@ The parameters @code{tramp-remote-shell} and
 @code{tramp-remote-shell-login} in @code{tramp-methods} now have new
 values for the remote host.
 
+A common use case is to override the session timeout of a connection,
+that is the time (in seconds) after a connection is disabled, and must
+be reestablished.  This can be set for any connection; for the
+@option{sudo} and @option{doas} methods there exist predefined values.
+A value of @code{nil} disables this feature.  For example:
+
+@lisp
+@group
+(add-to-list 'tramp-connection-properties
+             (list (regexp-quote "@trampfn{sudo,root@@system-name,}")
+                   "session-timeout" 30))
+@end group
+@end lisp
+
+@noindent
+@samp{system-name} stands here for the host returned by the function
+@command{(system-name)}.
+
 @var{property} could also be any property found in
 @code{tramp-persistency-file-name}.
 
diff --git a/etc/NEWS b/etc/NEWS
index 4ed312c7216..13d660812d6 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -832,6 +832,11 @@ Tramp for some look-alike remote file names.
 *** For some connection methods, like "su" or "sudo", the host name in
 ad-hoc multi-hop file names must match the previous hop.
 
++++
+*** For the connection methods "sudo" and "doas" there exists a
+timeout, after which the underlying session is disabled.  This is for
+security reasons.
+
 ** Rcirc
 
 ---
diff --git a/lisp/net/tramp-sh.el b/lisp/net/tramp-sh.el
index 4fb011b3423..4965f835b0c 100644
--- a/lisp/net/tramp-sh.el
+++ b/lisp/net/tramp-sh.el
@@ -271,14 +271,13 @@ The string is used in `tramp-methods'.")
     (tramp-remote-shell-args    ("-c"))
     (tramp-connection-timeout   10)))
 ;;;###tramp-autoload
-(add-to-list
- 'tramp-methods
- '("sg"
-   (tramp-login-program        "sg")
-   (tramp-login-args           (("-") ("%u")))
-   (tramp-remote-shell         "/bin/sh")
-   (tramp-remote-shell-args    ("-c"))
-   (tramp-connection-timeout   10)))
+(add-to-list 'tramp-methods
+  '("sg"
+    (tramp-login-program        "sg")
+    (tramp-login-args           (("-") ("%u")))
+    (tramp-remote-shell         "/bin/sh")
+    (tramp-remote-shell-args    ("-c"))
+    (tramp-connection-timeout   10)))
 ;;;###tramp-autoload
 (add-to-list 'tramp-methods
   '("sudo"
@@ -292,7 +291,8 @@ The string is used in `tramp-methods'.")
     (tramp-remote-shell         "/bin/sh")
     (tramp-remote-shell-login   ("-l"))
     (tramp-remote-shell-args    ("-c"))
-    (tramp-connection-timeout   10)))
+    (tramp-connection-timeout   10)
+    (tramp-session-timeout      300)))
 ;;;###tramp-autoload
 (add-to-list 'tramp-methods
   '("doas"
@@ -300,7 +300,8 @@ The string is used in `tramp-methods'.")
     (tramp-login-args           (("-u" "%u") ("-s")))
     (tramp-remote-shell         "/bin/sh")
     (tramp-remote-shell-args    ("-c"))
-    (tramp-connection-timeout   10)))
+    (tramp-connection-timeout   10)
+    (tramp-session-timeout      300)))
 ;;;###tramp-autoload
 (add-to-list 'tramp-methods
   '("ksu"
@@ -4371,16 +4372,14 @@ Goes through the list `tramp-local-coding-commands' and
                  vec 5 "Checking local encoding function `%s'" loc-enc)
               (tramp-message
                vec 5 "Checking local encoding command `%s' for sanity" loc-enc)
-              (unless (zerop (tramp-call-local-coding-command
-                              loc-enc nil nil))
+              (unless (zerop (tramp-call-local-coding-command loc-enc nil nil))
                 (throw 'wont-work-local nil)))
             (if (not (stringp loc-dec))
                 (tramp-message
                  vec 5 "Checking local decoding function `%s'" loc-dec)
               (tramp-message
                vec 5 "Checking local decoding command `%s' for sanity" loc-dec)
-              (unless (zerop (tramp-call-local-coding-command
-                              loc-dec nil nil))
+              (unless (zerop (tramp-call-local-coding-command loc-dec nil nil))
                 (throw 'wont-work-local nil)))
             ;; Search for remote coding commands with the same format
             (while (and remote-commands (not found))
@@ -4702,6 +4701,19 @@ Goes through the list `tramp-inline-compress-commands'."
                                   " -o ControlPersist=no")))))))))
       tramp-ssh-controlmaster-options)))
 
+(defun tramp-timeout-session (vec)
+  "Close the connection VEC after a session timeout.
+If there is just some editing, retry it after 5 seconds."
+  (if (and tramp-locked tramp-locker
+           (tramp-equal-remote vec tramp-current-connection))
+      (progn
+        (tramp-message
+         vec 5 "Cannot timeout session, trying it again in %s seconds." 5)
+        (run-at-time 5 nil 'tramp-timeout-session vec))
+    (tramp-message
+     vec 3 "Timeout session %s" (tramp-make-tramp-file-name vec 'localname))
+    (tramp-cleanup-connection vec 'keep-debug)))
+
 (defun tramp-maybe-open-connection (vec)
   "Maybe open a connection VEC.
 Does not do anything if a connection is already open, but re-opens the
@@ -4878,6 +4890,14 @@ connection if a previous connection has died for some reason."
                       :method l-method :user l-user :domain l-domain
                       :host l-host :port l-port))
 
+                    ;; Set session timeout.
+                    (when (tramp-get-method-parameter
+                           hop 'tramp-session-timeout)
+                      (tramp-set-connection-property
+                       p "session-timeout"
+                       (tramp-get-method-parameter
+                        hop 'tramp-session-timeout)))
+
                     ;; Add login environment.
                     (when login-env
                       (setq
@@ -4941,6 +4961,12 @@ connection if a previous connection has died for some reason."
                 ;; Set connection-local variables.
                 (tramp-set-connection-local-variables vec)
 
+                ;; Activate session timeout.
+                (when (tramp-get-connection-property p "session-timeout" nil)
+                  (run-at-time
+                   (tramp-get-connection-property p "session-timeout" nil) nil
+                   'tramp-timeout-session vec))
+
                 ;; Make initial shell settings.
                 (tramp-open-connection-setup-interactive-shell p vec)
 
diff --git a/lisp/net/tramp.el b/lisp/net/tramp.el
index f16bb67efb5..8362d787525 100644
--- a/lisp/net/tramp.el
+++ b/lisp/net/tramp.el
@@ -248,6 +248,10 @@ pair of the form (KEY VALUE).  The following KEYs are defined:
     In general, the global default value shall be used, but for
     some methods, like \"su\" or \"sudo\", a shorter timeout
     might be desirable.
+  * `tramp-session-timeout'
+    How long a Tramp connection keeps open before being disconnected.
+    This is useful for methods like \"su\" or \"sudo\", which
+    shouldn't run an open connection in the background forever.
   * `tramp-case-insensitive'
     Whether the remote file system handles file names case insensitive.
     Only a non-nil value counts, the default value nil means to
@@ -4074,10 +4078,16 @@ Example:
 
 would yield t.  On the other hand, the following check results in nil:
 
-  (tramp-equal-remote \"/sudo::/etc\" \"/su::/etc\")"
-  (and (tramp-tramp-file-p file1)
-       (tramp-tramp-file-p file2)
-       (string-equal (file-remote-p file1) (file-remote-p file2))))
+  (tramp-equal-remote \"/sudo::/etc\" \"/su::/etc\")
+
+FILE1 and FILE2 could also be Tramp vectors."
+  (or (and (tramp-tramp-file-p file1)
+           (tramp-tramp-file-p file2)
+           (string-equal (file-remote-p file1) (file-remote-p file2)))
+      (and (tramp-file-name-p file1)
+           (tramp-file-name-p file2)
+           (string-equal (tramp-make-tramp-file-name file1 'localname)
+                         (tramp-make-tramp-file-name file2 'localname)))))
 
 ;;;###tramp-autoload
 (defun tramp-mode-string-to-int (mode-string)