Ubuntu – sudo credential caching on by default


Just installed a minimal Ubuntu 12.04, then installed xfce4 and xinit from the command line after first boot. Totally vanilla installation afaik.

I'm noticing that sudo caches the password until I issue sudo -k to clear it.

This is unexpected behavior in my mind. I've run xfce4 before and don't recall credential caching being on, nor have I experienced it in the many previous Ubuntu installs I've had over the years.

Is this a new feature of Ubuntu? Is this something that's the result of the minimal install? Is this an xfce default that's been added recently?

Best Answer

It actually caches the right to elevate, but not your password, and has done so for quite a while. However, it does so for only fifteen minutes, by default. This is by design:

From http://linux.die.net/man/8/sudo:

Once a user has been authenticated, a time stamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden in sudoers).

and as a note of security from man sudoers:

sudo will check the ownership of its time stamp directory (/var/db/sudo by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than root. On systems that allow non-root users to give away files via chown(2), if the time stamp directory is located in a directory writable by anyone (e.g., /tmp), it is possible for a user to create the time stamp directory before sudo is run. However, because sudo checks the ownership and mode of the directory and its contents, the only damage that can be done is to "hide" files by putting them in the time stamp dir. This is unlikely to happen since once the time stamp dir is owned by root and inaccessible by any other user, the user placing files there would be unable to get them back out. To get around this issue you can use a directory that is not world-writable for the time stamps (/var/adm/sudo for instance) or create /var/db/sudo with the appropriate owner (root) and permissions (0700) in the system startup files.

and from the same page:

Since time stamp files live in the file system, they can outlive a user's login session. As a result, a user may be able to login, run a command with sudo after authenticating, logout, login again, and run sudo without authenticating so long as the time stamp file's modification time is within 5 minutes (or whatever the timeout is set to in sudoers). When the tty_tickets option is enabled in sudoers, the time stamp has per-tty granularity but still may outlive the user's session. On Linux systems where the devpts filesystem is used, Solaris systems with the devices filesystem, as well as other systems that utilize a devfs filesystem that monotonically increase the inode number of devices as they are created (such as Mac OS X), sudo is able to determine when a tty-based time stamp file is stale and will ignore it. Administrators should not rely on this feature as it is not universally available.

As seen here, this behavior has persisted for a long time.

If you want to change this, use visudo to set the timestamp_timeout option.
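As an added example (not code from the original post or from the sudo project), the following POSIX shell script checks the two things the answer above discusses: which timestamp_timeout is actually in force according to a sudoers file (the upstream default of 5 applies only when nothing overrides it), and whether a time stamp directory satisfies the ownership and writability rule quoted from sudoers(5). The function names, the constructed sample sudoers text and the use of GNU `stat -c` are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the sudo project. Checks the
# effective timestamp_timeout / tty_tickets settings in sudoers text and the
# ownership/mode rule for the time stamp directory quoted from sudoers(5).
# Function names, sample text and GNU stat usage are assumptions of this file.

# Upstream sudo default quoted in the answer; a distribution build may compile
# in a different value, which is why the sudoers text is consulted as well.
UPSTREAM_DEFAULT_TIMEOUT=5

# Strip comments and keep only global "Defaults" lines. Per-user, per-host and
# per-command Defaults ("Defaults:alice", "Defaults@host") are out of scope
# for this simple parser.
global_defaults() {
    sed -e 's/#.*$//' | grep -E '^[[:space:]]*Defaults[[:space:]]'
}

# Effective timestamp_timeout in minutes for the sudoers text on stdin.
# The last override wins; with none, the upstream default applies.
effective_timestamp_timeout() {
    val=$(global_defaults \
        | grep -E 'timestamp_timeout[[:space:]]*=' \
        | sed -E 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*(-?[0-9]+(\.[0-9]+)?).*/\1/' \
        | tail -n 1)
    printf '%s\n' "${val:-$UPSTREAM_DEFAULT_TIMEOUT}"
}

# tty_tickets from the sudoers text on stdin: "on", "off", or "unset" (the
# build's compiled-in default then applies; sudo -V as root shows it).
tty_tickets_setting() {
    line=$(global_defaults \
        | grep -E '(^|[[:space:],])!?tty_tickets([[:space:],]|$)' \
        | tail -n 1)
    case "$line" in
        "")                 echo unset ;;
        *'!tty_tickets'*)   echo off ;;
        *)                  echo on ;;
    esac
}

# The rule quoted from sudoers(5): the time stamp directory is only trusted
# when it is owned by root and not writable by anyone else (0700 is the
# recommended mode; any group- or world-writable bit disqualifies it).
# Arguments: numeric uid and an octal mode string as stat(1) prints them.
timestamp_dir_policy_ok() {
    uid=$1
    perm=$(printf '%s\n' "$2" | sed -E 's/.*([0-7]{3})$/\1/')   # drop setuid/sticky digit
    [ "$uid" -eq 0 ] || return 1
    case "$perm" in
        ?[2367]? | ??[2367]) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# Apply the rule to a real directory. Uses GNU stat's -c format (assumption;
# BSD stat differs). The default path is the one named in the sudoers(5)
# quote; the packaged build on your system may use another directory.
audit_timestamp_dir() {
    dir=${1:-/var/db/sudo}
    [ -d "$dir" ] || { echo "$dir: missing"; return 2; }
    set -- $(stat -c '%u %a' "$dir")
    if timestamp_dir_policy_ok "$1" "$2"; then
        echo "$dir: owner uid $1, mode $2: trusted by sudo"
    else
        echo "$dir: owner uid $1, mode $2: sudo will ignore its contents"
        return 1
    fi
}

# Constructed sample sudoers text: a long grace period versus a hardened
# file that re-prompts on every sudo and keeps tickets per tty.
SAMPLE_LAX='Defaults env_reset
Defaults timestamp_timeout=15   # long grace period
%sudo ALL=(ALL:ALL) ALL'
SAMPLE_HARDENED='Defaults env_reset
Defaults timestamp_timeout=0, tty_tickets   # always prompt, per-tty tickets
%sudo ALL=(ALL:ALL) ALL'

# Run the checks on the samples; the directory audit looks at the real system.
printf 'lax:      timeout=%s tty_tickets=%s\n' \
    "$(printf '%s\n' "$SAMPLE_LAX" | effective_timestamp_timeout)" \
    "$(printf '%s\n' "$SAMPLE_LAX" | tty_tickets_setting)"
printf 'hardened: timeout=%s tty_tickets=%s\n' \
    "$(printf '%s\n' "$SAMPLE_HARDENED" | effective_timestamp_timeout)" \
    "$(printf '%s\n' "$SAMPLE_HARDENED" | tty_tickets_setting)"
audit_timestamp_dir || :
```

To check a live system, feed the real file to the parser as root (`effective_timestamp_timeout < /etc/sudoers`, plus anything in /etc/sudoers.d) and point `audit_timestamp_dir` at the directory `sudo -V` reports. The hardened `Defaults` line is the one to put in place with `visudo`, as the answer says; `timestamp_timeout=0` removes the grace period entirely, which is the same effect as running `sudo -k` after every command.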
