Sudo – How to Force Sudo to Prompt for a Password

passwordsudo

If I do the following:

sudo su -
//enter password
exit
exit
//login again straight away
sudo su -

The second invocation of sudo does not request a password because even though I have logged out again, I am still within some time limit meaning that I do not need to be prompted for my password again.

Because I am trying out some new privs to make sure they work, this is really slowing me down while I wait for the timeout to happen.

Is there a command I can run to reset the timeout?

I don't want to change the timeout or affect other users, by the way!

Best Answer

sudo -k Will kill the timeout timestamp. You can even put the command afterwards, like sudo -k test_my_privileges.sh

From man sudo:

-K The -K (sure kill) option is like -k except that it removes the user's time stamp entirely and may not be used in conjunction with a command or other option. This option does not require a password.

-k When used by itself, the -k (kill) option to sudo invalidates the user's time stamp by setting the time on it to the Epoch. The next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file.

You can also change it permanently. From man sudoers:

timestamp_timeout

Number of minutes that can elapse before sudo will ask for a passwd again. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.

Related Solutions

Bash – If I sudo execute a Bash script file, will all commands inside the Bash script be executed as sudo as well

Q#1: Will I only be prompted for a sudo password once, or will I need to enter the sudo password on each invocation of a command inside the script, that needs sudo permission?

Yes, once, for the duration of the running of your script.

NOTE: When you provide credentials to sudo, the authentication is typically good for 5 minutes within the shell where you typed the password. Additionally any child processes that get executed from this shell, or any script that runs in the shell (your case) will also run at the elevated level.

Q#2: is there still a possibility that the sudo permissions will time out (if, for instance, a particular command takes long enough to exceed the sudo timeout)? Or will the initial sudo password entrance last for the complete duration of whole script?

No they will not timeout within the script. Only if you interactively were typing them within the shell where the credentials were provided. Every time sudo is executed within this shell, the timeout is reset. But in your case they credentials will remain so long as the script is executing and running commands from within it.

excerpt from sudo man page

This limit is policy-specific; the default password prompt timeout for the sudoers security policy is 5 minutes.

Change Default Sudo Password Timeout – How to Guide

man sudoers says:

Once a user has been authenticated, [...] the user may then use sudo without a password for a short period of time (5 minutes unless overridden by the timestamp_timeout option).

To change the timeout, run, sudo visudo and add the line:

Defaults        timestamp_timeout=30

where 30 is the new timeout in minutes.

To always require a password, set to 0. To set an infinite timeout, set the value to be negative.

To totally disable the prompt for a password for user ravi:

Defaults:ravi      !authenticate

Best Answer

Related Solutions

Bash – If I sudo execute a Bash script file, will all commands inside the Bash script be executed as sudo as well

Change Default Sudo Password Timeout – How to Guide

Related Question