trifectatechfoundation · joriskleiber · Jul 28, 2025
diff --git a/src/defaults/mod.rs b/src/defaults/mod.rs
@@ -77,27 +77,27 @@ defaults! {
                                 "PYTHONINSPECT", "PYTHONUSERBASE", "RUBYLIB", "RUBYOPT", "*=()*"] #ignored
 }
 
-fn octal_mode(input: &str) -> Option<i64> {
+fn octal_mode(input: &str) -> Option<u64> {
     <libc::mode_t>::from_str_radix(input.strip_prefix('0')?, 8)
         .ok()
         .map(Into::into)
 }
 
 /// A custom parser to parse seconds as fractional "minutes", the format used by
 /// passwd_timeout and timestamp_timeout.
-fn fractional_minutes(input: &str) -> Option<i64> {
+fn fractional_minutes(input: &str) -> Option<u64> {
     if let Some((integral, fractional)) = input.split_once('.') {
         // - 'input' is maximally 18 characters, making fractional.len() at most 17;
         //   1e17 < 2**63, so the definition of 'shift' will not overflow.
         // - for the same reason, if both parses in the definition of 'seconds' succeed,
         //   we will have constructed an integer < 1e17.
         //-  1e17 * 60 = 6e18 < 9e18 < 2**63, so the final line also will not overflow
-        let shift = 10i64.pow(fractional.len().try_into().ok()?);
-        let seconds = integral.parse::<i64>().ok()? * shift + fractional.parse::<i64>().ok()?;
+        let shift = 10u64.pow(fractional.len().try_into().ok()?);
+        let seconds = integral.parse::<u64>().ok()? * shift + fractional.parse::<u64>().ok()?;
 
         Some(seconds * 60 / shift)
     } else {
-        input.parse::<i64>().ok()?.checked_mul(60)
+        input.parse::<u64>().ok()?.checked_mul(60)
     }
 }
 

diff --git a/src/defaults/settings_dsl.rs b/src/defaults/settings_dsl.rs
@@ -2,7 +2,7 @@ macro_rules! storage_of {
     ($id:ident, true) => { bool };
     ($id:ident, false) => { bool };
     ($id:ident, [ $($value: expr),* ]) => { std::collections::HashSet<String> };
-    ($id:ident, $(=int $check: expr;)+ $_: expr) => { i64 };
+    ($id:ident, $(=int $check: expr;)+ $_: expr) => { u64 };
     ($id:ident, $(=enum $k: ident;)+ $_: ident) => { $crate::defaults::enums::$id };
     ($id:ident, None) => { Option<Box<str>> };
     ($id:ident, $_: expr) => { Box<str> };
@@ -12,7 +12,7 @@ macro_rules! referent_of {
     ($id:ident, true) => { bool };
     ($id:ident, false) => { bool };
     ($id:ident, [ $($value: expr),* ]) => { &std::collections::HashSet<String> };
-    ($id:ident, $(=int $check: expr;)+ $_: expr) => { i64 };
+    ($id:ident, $(=int $check: expr;)+ $_: expr) => { u64 };
     ($id:ident, $(=enum $k: ident;)+ $_: ident) => { $crate::defaults::enums::$id };
     ($id:ident, None) => { Option<&str> };
     ($id:ident, $_: expr) => { &str };
@@ -73,7 +73,7 @@ macro_rules! modifier_of {
     ($id:ident, =int $first:literal ..= $last: literal $(@ $radix: literal)?; $value: expr) => {
         #[allow(clippy::from_str_radix_10)]
         $crate::defaults::SettingKind::Integer(|text| {
-            i64::from_str_radix(text, 10$(*0 + $radix)?)
+            u64::from_str_radix(text, 10$(*0 + $radix)?)
                 .ok()
                 .filter(|val| ($first ..= $last).contains(val))
                 .map(|i| {

diff --git a/src/pam/converse.rs b/src/pam/converse.rs
@@ -1,7 +1,6 @@
-use std::io;
+use std::{io, time::Duration};
 
 use crate::cutils::string_from_ptr;
-use crate::system::time::Duration;
 
 use super::sys::*;
 

diff --git a/src/pam/mod.rs b/src/pam/mod.rs
@@ -4,10 +4,9 @@ use std::{
     os::raw::c_char,
     os::unix::prelude::OsStrExt,
     ptr::NonNull,
+    time::Duration,
 };
 
-use crate::system::time::Duration;
-
 use converse::ConverserData;
 use error::pam_err;
 pub use error::{PamError, PamErrorType, PamResult};

diff --git a/src/pam/rpassword.rs b/src/pam/rpassword.rs
@@ -15,13 +15,12 @@
 ///
 use std::io::{self, Error, ErrorKind, Read};
 use std::os::fd::{AsFd, AsRawFd, BorrowedFd};
-use std::time::Instant;
+use std::time::{Duration, Instant};
 use std::{fs, mem};
 
 use libc::{tcsetattr, termios, ECHO, ECHONL, ICANON, TCSANOW, VEOF, VERASE, VKILL};
 
 use crate::cutils::cerr;
-use crate::system::time::Duration;
 
 use super::securemem::PamBuffer;
 
@@ -187,7 +186,7 @@ struct TimeoutRead<'a> {
 impl<'a> TimeoutRead<'a> {
     fn new(fd: BorrowedFd<'a>, timeout: Option<Duration>) -> TimeoutRead<'a> {
         TimeoutRead {
-            timeout_at: timeout.map(|timeout| Instant::now() + timeout.into()),
+            timeout_at: timeout.map(|timeout| Instant::now() + timeout),
             fd,
         }
     }

diff --git a/src/sudo/mod.rs b/src/sudo/mod.rs
@@ -6,12 +6,12 @@ use crate::log::dev_info;
 use crate::system::interface::UserId;
 use crate::system::timestamp::RecordScope;
 use crate::system::User;
-use crate::system::{time::Duration, timestamp::SessionRecordFile, Process};
+use crate::system::{timestamp::SessionRecordFile, Process};
 #[cfg(test)]
 pub(crate) use cli::SudoAction;
 #[cfg(not(test))]
 use cli::SudoAction;
-use std::path::PathBuf;
+use std::{path::PathBuf, time::Duration};
 
 mod cli;
 pub(crate) use cli::{SudoEditOptions, SudoListOptions, SudoRunOptions, SudoValidateOptions};
@@ -91,16 +91,15 @@ fn sudo_process() -> Result<(), Error> {
             }
             SudoAction::RemoveTimestamp(_) => {
                 let user = CurrentUser::resolve()?;
-                let mut record_file =
-                    SessionRecordFile::open_for_user(&user, Duration::seconds(0))?;
+                let mut record_file = SessionRecordFile::open_for_user(&user, Duration::default())?;
                 record_file.reset()?;
                 Ok(())
             }
             SudoAction::ResetTimestamp(_) => {
                 if let Some(scope) = RecordScope::for_process(&Process::new()) {
                     let user = CurrentUser::resolve()?;
                     let mut record_file =
-                        SessionRecordFile::open_for_user(&user, Duration::seconds(0))?;
+                        SessionRecordFile::open_for_user(&user, Duration::default())?;
                     record_file.disable(scope, None)?;
                 }
                 Ok(())

diff --git a/src/sudo/pam.rs b/src/sudo/pam.rs
@@ -1,10 +1,10 @@
-use std::ffi::OsString;
+use std::{ffi::OsString, time::Duration};
 
 use crate::common::context::LaunchType;
 use crate::common::error::Error;
 use crate::log::{dev_info, user_warn};
 use crate::pam::{PamContext, PamError, PamErrorType, PamResult};
-use crate::system::{term::current_tty_name, time::Duration};
+use crate::system::term::current_tty_name;
 
 pub(super) struct InitPamArgs<'a> {
     pub(super) launch: LaunchType,

diff --git a/src/sudo/pipeline.rs b/src/sudo/pipeline.rs
@@ -1,5 +1,6 @@
 use std::ffi::OsStr;
 use std::process::exit;
+use std::time::Duration;
 
 use super::cli::{SudoRunOptions, SudoValidateOptions};
 use super::diagnostic;
@@ -10,7 +11,6 @@ use crate::log::{auth_info, auth_warn};
 use crate::pam::PamContext;
 use crate::sudo::env::environment;
 use crate::sudo::pam::{attempt_authenticate, init_pam, pre_exec, InitPamArgs};
-use crate::sudo::Duration;
 use crate::sudoers::{
     AuthenticatingUser, Authentication, Authorization, DirChange, Judgement, Restrictions, Sudoers,
 };

diff --git a/src/sudoers/policy.rs b/src/sudoers/policy.rs
@@ -6,13 +6,13 @@ use crate::common::{
 };
 use crate::exec::Umask;
 use crate::sudoers::ast::{ExecControl, Tag};
-use crate::system::{time::Duration, Hostname, User};
+use crate::system::{Hostname, User};
 /// Data types and traits that represent what the "terms and conditions" are after a successful
 /// permission check.
 ///
 /// The trait definitions can be part of some global crate in the future, if we support more
 /// than just the sudoers file.
-use std::collections::HashSet;
+use std::{collections::HashSet, time::Duration};
 
 #[must_use]
 #[cfg_attr(test, derive(Debug, PartialEq))]
@@ -38,11 +38,11 @@ impl super::Settings {
         Authentication {
             must_authenticate: tag.needs_passwd(),
             allowed_attempts: self.passwd_tries().try_into().unwrap(),
-            prior_validity: Duration::seconds(self.timestamp_timeout()),
+            prior_validity: Duration::from_secs(self.timestamp_timeout()),
             pwfeedback: self.pwfeedback(),
             password_timeout: match self.passwd_timeout() {
                 0 => None,
-                timeout => Some(Duration::seconds(timeout)),
+                timeout => Some(Duration::from_secs(timeout)),
             },
             credential: if self.rootpw() {
                 AuthenticatingUser::Root
@@ -190,10 +190,10 @@ mod test {
             Authentication {
                 must_authenticate: true,
                 allowed_attempts: 3,
-                prior_validity: Duration::minutes(15),
+                prior_validity: Duration::from_secs(15 * 60),
                 credential: AuthenticatingUser::InvokingUser,
                 pwfeedback: false,
-                password_timeout: Some(Duration::seconds(300)),
+                password_timeout: Some(Duration::from_secs(300)),
             },
         );
 
@@ -207,10 +207,10 @@ mod test {
             Authentication {
                 must_authenticate: false,
                 allowed_attempts: 3,
-                prior_validity: Duration::minutes(15),
+                prior_validity: Duration::from_secs(15 * 60),
                 credential: AuthenticatingUser::InvokingUser,
                 pwfeedback: false,
-                password_timeout: Some(Duration::seconds(300)),
+                password_timeout: Some(Duration::from_secs(300)),
             },
         );
         assert_eq!(restrictions, restrictions2);