How does sudo decide whether to ask for a password, when given a command which doesn’t actually need `sudo`


When applying sudo to a command which doesn't actually need sudo,

  • sometimes it doesn't ask me for my password. For example under my $HOME, sudo ls.

  • But I remember that it does for some other command, though I forget which one.

So I was wondering how sudo decides whether to ask for a password, when given a command which doesn't actually need sudo? Is there some rule in /etc/sudoers specifying that?

My real problem is that when I use du, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo to du regardless, and thought I would be asked for a password regardless, but actually not on my own directories.

Best Answer

In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.

From the computer's perspective, there is no such thing as a “command that needs sudo”. Any user can attempt to run any command. The outcome may be nothing but an error message such as “Permission denied” or “No such file or directory”, but it's always possible to run the command.

For example, if you run du on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what “permission denied” means. If you run sudo du, sudo runs du as root, so you don't get permission errors (that's the point of the root account: root¹ always has permission). When you run sudo du, du runs as root, and sudo is not involved at all after du has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.

There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.

Whether sudo asks for your password depends on two things.

  1. Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the authenticate option to false and having an applicable rule with the NOPASSWD tag.
  2. If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the timeout option). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal — but this is a very weak advantage and it can be turned off by setting the tty_tickets option to false).

¹ nearly, but that's beyond the scope of this thread.
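The two decisions the answer describes (does this user need to authenticate at all, and is there still a valid ticket for this terminal) can be inspected from the shell. The script below is an added illustration, not part of the original answer; it assumes a normal sudo installation and uses the sudoers option names `timestamp_timeout`, `tty_tickets`, `authenticate` and the `NOPASSWD` tag.

```shell
#!/bin/sh
# Added example: probe sudo's credential cache and show the sudoers knobs that
# decide whether a prompt appears. Assumes sudo is installed and on PATH.
#
# sudoers lines that change the decision (illustrative, not from any real host):
#   Defaults timestamp_timeout=15          # minutes a ticket stays valid (0 = always ask)
#   Defaults !tty_tickets                  # one ticket shared by all of the user's terminals
#   Defaults !authenticate                 # never ask anyone for a password
#   alice ALL=(ALL) NOPASSWD: /usr/bin/du  # no prompt for this one command only
# None of these look at what the command does once it runs; `sudo du` and
# `sudo ls` are treated identically by the rules above.

# cache_state prints one of:
#   cached          - `sudo -n -v` succeeded: a valid ticket exists for this terminal,
#                     or no password is required for this user at all
#   password-needed - sudo would prompt: no ticket, or the ticket expired
#   not-allowed     - sudo refused for a reason other than the password
#   sudo-missing    - no sudo binary on PATH
cache_state() {
    command -v sudo >/dev/null 2>&1 || { echo sudo-missing; return 0; }
    # -n: never prompt; -v: only validate/refresh the ticket, run no command
    if err=$(sudo -n -v 2>&1); then
        echo cached
    elif printf '%s' "$err" | grep -qi 'password is required'; then
        echo password-needed
    else
        echo not-allowed
    fi
}

# Drop the cached ticket so the next sudo in this terminal prompts again
# (useful before leaving a terminal unattended).
forget_ticket() { sudo -k; }

# Long listing of the rules and "Matching Defaults entries" that apply to you:
# NOPASSWD tags, timestamp_timeout, tty_tickets and authenticate all show here.
show_rules() { sudo -ll; }

case "${1:-}" in
    state)  cache_state ;;
    forget) forget_ticket ;;
    rules)  show_rules ;;
    *)      printf 'usage: %s state|forget|rules\n' "$0" ;;
esac
```

Run `./sudoprobe.sh state` twice, once right after a successful `sudo` and once after `./sudoprobe.sh forget`, to watch the ticket decision change while the command itself stays irrelevant.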