Linux – How does sudo remember you already entered root’s password

linuxsudo

When using sudo on Linux, it asks for root password, but only the first time you run it. If you run another sudo command, it remember you already entered the password previously and doesn't ask for it:

thomas@ubuntu:~$ sudo id
[sudo] password for thomas: ******
uid=0(root) gid=0(root) groups=0(root)
thomas@ubuntu:~$ sudo id
uid=0(root) gid=0(root) groups=0(root)

How does sudo do it? Where is this information stored? My idea is that it remembers the terminal id (like pts/1), but where is this stored? The first sudo process is ended when it's done with the command, right?

I know sudo is a setuid program, so it has root's privileges all the time, but I still can't think of a good place to store an information that a user has already entered a password. Is there some daemon process involved?

Best Answer

Where is this information stored?

It's probably under /var/db/sudo or /var/run/sudo and you'll probably find directories of usernames with files under them ordered by tty number.

The actual privileges granted, including how long the sessions lasts before you have to enter your password again depends on how sudoers is setup. There's settings to grant/restrict a lot of different things, but those aren't stored in these files which only store timestamps. How long a session lasts, or when sudo needs to prompt for your password again, is determined by a delta of current time and the session timestamp in this directory, and how long sudo is setup to allow a session to last.

Related Solutions

Fedora – Prompt for sudo password rather than give access error

You could use the python script thefuck available on github. This script is designed to correct the last command you ran incorrectly for a few use cases and forgetting to use sudo is one of them.

From their examples:

➜ apt-get install vim
E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

➜ fuck
sudo apt-get install vim
[sudo] password for nvbn:
Reading package lists... Done

This behavior is from the sudo rule you can enable:

sudo – prepends sudo to previous command if it failed because of permissions;

If this doesn't work out of the box for dnf it should be straightforward to create a custom rule to do so.

Sudo Command – Which User’s Password Does Sudo Ask For?

In its most common configuration, sudo asks for the password of the user running sudo (as you say, the user corresponding to the process’ real user id). The point of sudo is to grant extra privileges to specific users (as determined by the configuration in sudoers), without those users having to provide any other authentication than their own. However, sudo does check that the user running sudo really is who they claim to be, and it does that by asking for their password (or whatever authentication mechanism is set up for sudo, usually using PAM — so this could involve a fingerprint, or two-factor authentication etc.).

sudo doesn’t necessarily grant the right to become root, it can grant a variety of privileges. Any user allowed to become root by sudoers can do so using only their own authentication; but a user not allowed to, can’t (at least, not by using sudo). This isn’t enforced by Linux itself, but by sudo (and its authentication setup).
sudo does indeed ask for the password after it’s started running; it can’t do otherwise (i.e. it can’t do anything before it starts running). The point of sudo asking for the password, even though it’s root, is to verify the running user’s identity (in its typical configuration).

Best Answer

Related Solutions

Fedora – Prompt for sudo password rather than give access error

Sudo Command – Which User’s Password Does Sudo Ask For?

Related Question