
sudo command on MacOS Sierra does not respect timestamp_timeout

After upgrading to MacOS Sierra (10.12), my sudo command seems to be acting differently. See the following test case:

# Run in terminal pane #1: (should prompt for password)
sudo -v

# Run in terminal pane #2: (should NOT prompt for password)
sudo -v

The above works as expected on earlier versions of OS X. However, on Sierra, the second command prompts for the password again. It does not prompt for the password within the same terminal pane. This seems to only happen for the root user; the following works as expected on all OS versions including Sierra:

# Run in terminal pane #1: (prompts for password)
sudo -v -u "$USER"

# Run in terminal pane #2: (does not prompt for password)
sudo -v -u "$USER"

Looking at /etc/sudoers, the timestamp_timeout value is not set to 0. I've briefly looked over the changelog for 1.7 to 1.8 but could not come up with anything significant other than there being a mention of a policy plugin for Sierra when running sudo -V.

Can anybody help me figure out what has changed? I have a script that relies on the sudo timeout value for a keepalive and on Sierra it is prompting for the password constantly since it seems to no longer use a timestamp for the root user.

ezekg asked Sep 13 '16 15:09


1 Answer

After a ton of searching and comparing the sudo configuration on older OS versions to Sierra's (sudo su; sudo -V), it seems that Sierra enables tty_tickets by default now, causing the issues mentioned above. As far as I can tell, this was an undocumented change. To fix, the following needs to be added to the /etc/sudoers file by running sudo visudo:

Defaults !tty_tickets
ezekg answered Nov 08 '22 01:11
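
An added example, not part of the original question or answer: a shell function that reads sudoers-format text and reports the global tty_tickets and timestamp_timeout settings, so you can confirm which ticket behaviour a machine is configured for. The function names and the sample input are constructed for illustration; scoped Defaults, line continuations and included files are not evaluated.

```shell
#!/bin/sh
# Report the global tty_tickets / timestamp_timeout settings in sudoers text.
# Reads stdin, prints: tty_tickets=<on|off|unset> timestamp_timeout=<value|unset>
# "unset" means no global Defaults line sets the option, so the default
# built into that sudo binary applies (per the answer, tty_tickets on Sierra).
sudoers_ticket_settings() {
    awk '
    BEGIN { tty = "unset"; timeout = "unset" }
    /^[ \t]*#/ { next }            # whole-line comments
    $1 != "Defaults" { next }      # skip rules and scoped Defaults:user / Defaults@host
    {
        sub(/[ \t]+#.*$/, "")                 # drop a trailing comment
        sub(/^[ \t]*Defaults[ \t]+/, "")      # keep only the option list
        n = split($0, opts, ",")
        for (i = 1; i <= n; i++) {
            o = opts[i]
            gsub(/[ \t"]/, "", o)             # tolerate spaces and quotes
            if (o == "tty_tickets") tty = "on"
            else if (o == "!tty_tickets") tty = "off"
            else if (o ~ /^timestamp_timeout=/) {
                sub(/^timestamp_timeout=/, "", o)
                timeout = o
            }
        }
    }
    # Later lines override earlier ones, matching how sudoers is read.
    END { printf "tty_tickets=%s timestamp_timeout=%s\n", tty, timeout }
    '
}

# Constructed sample input (not taken from a real machine).
sample_sudoers() {
    cat <<'EOF'
# constructed sample sudoers content
Defaults env_reset
Defaults timestamp_timeout=5
Defaults:deploy tty_tickets
root ALL=(ALL) ALL
Defaults !tty_tickets   # share one ticket across terminals
EOF
}

sample_sudoers | sudoers_ticket_settings
```

On a real system, feed it the live file with `sudo cat /etc/sudoers | sudoers_ticket_settings`.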