auth_keep: do not ask for reauth if new process shares same UID/paren…

…t/cgroup/tty

sudo keeps a record of authenticated processes via either the controlling
TTY (default) or the parent process id.

Implement the same caching behaviour, but stricter: if a process
is authenticated for auth_keep, do not expunge it when it exits
if it was tracked via PID FD (to make it safe against reuse attacks).

Then, if another process comes along, skip re-auth and allow it
if it shared the same UID, parent process id, cgroup id and
controlling terminal (and all processes are newer than the controlling
terminal ctime). PID FDs must be used all the way through,
otherwise there's no caching.

This is much stricter than sudo, as all conditions must be met.
But it still allows to fulfill the main use case, which is to
run multiple commands on the same terminal without being asked
for the password again and again.

Unlike sudo, we also do not refresh the countdown on each use.

Fixes #472