When applying sudo to a command which doesn't actually need sudo, sometimes it doesn't ask me for my password. For example under my $HOME, sudo ls . But I remember that it does for some other command, though I forget which one.
So I was wondering how sudo decides whether to ask for a password, when given a command which doesn't actually need sudo? Is there some rule in /etc/sudoers specifying that?
My real problem is that when I use du, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo to du regardless, and thought I would be asked for a password regardless, but actually not on my own directories.
Best Answer
In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.
From the computer's perspective, there is no such thing as a “command that needs sudo”. Any user can attempt to run any command. The outcome may be nothing but an error message such as “Permission denied” or “No such file or directory”, but it's always possible to run the command.
For example, if you run du on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what “permission denied” means. If you run sudo du, sudo runs du as root, so you don't get permission errors (that's the point of the root account: root¹ always has permission). When you run sudo du, du runs as root, and sudo is not involved at all after du has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.
There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.
Whether sudo asks for your password depends on two things.
authenticate option to false and having an applicable rule with the NOPASSWD tag.
timeout option). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal — but this is a very weak advantage and it can be turned off by setting the tty_tickets option to false).
¹ nearly, but that's beyond the scope of this thread.
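The following is an added example, not part of the answer above: a small audit that reads sudoers-syntax text and reports the settings the answer names (authenticate, NOPASSWD, the timeout, tty_tickets), plus a simplified model of the resulting prompt decision. Assumptions: the sample text is constructed, the timeout is read from `timestamp_timeout` (its name in sudoers), the function names are hypothetical, scoped `Defaults` are treated as global, and the 15-minute fallback is the figure quoted in the answer.

```python
import re

# Constructed sample in sudoers syntax; not taken from any real host.
SAMPLE = """\
Defaults env_reset, timestamp_timeout=15
Defaults !tty_tickets
# Defaults !authenticate
alice ALL=(ALL:ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
%ops ALL=(ALL) \\
    NOPASSWD: ALL
"""

def audit_sudoers(text):
    """Collect the sudoers settings that decide whether a password is asked."""
    found = {"authenticate": True, "timestamp_timeout": None,
             "tty_tickets": None, "nopasswd_rules": []}
    text = re.sub(r"\\\n\s*", "", text)        # join backslash-continued lines
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):   # blank or comment (includes are not followed)
            continue
        parts = line.split(None, 1)
        if parts[0].startswith("Defaults"):    # scoped Defaults are treated as global here
            for item in (parts[1].split(",") if len(parts) > 1 else []):
                name, _, value = item.strip().partition("=")
                negated = name.startswith("!")
                name = name.lstrip("!").strip()
                if name in ("authenticate", "tty_tickets"):
                    found[name] = not negated
                elif name == "timestamp_timeout":
                    found[name] = float(value.strip())
        elif re.search(r"\bNOPASSWD\s*:", line):
            found["nopasswd_rules"].append(line)  # rule that never asks for a password
    return found

def would_prompt(found, minutes_since_auth=None, same_tty=True, nopasswd_rule=False):
    """Simplified model: True if sudo would ask for a password."""
    if not found["authenticate"] or nopasswd_rule:
        return False
    if minutes_since_auth is None:             # never authenticated in this session
        return True
    if found["tty_tickets"] is not False and not same_tty:
        return True                            # per-terminal tickets, other terminal
    timeout = found["timestamp_timeout"]
    timeout = 15.0 if timeout is None else timeout  # assumption: the answer's 15 minutes
    if timeout < 0:                            # negative value: ticket never expires
        return False
    return minutes_since_auth >= timeout
```

With tty_tickets disabled, as in the sample, a password entered in one terminal suppresses the prompt in another terminal until the timeout expires, which is the situation the answer describes.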