Forcing sudo to prompt for a password

If I do the following:

sudo su -
# enter password
exit
exit
# log in again straight away
sudo su -

The second invocation of sudo does not request a password because, even though I have logged out again, I am still within some time limit, meaning that I do not need to be prompted for my password again.

Because I am trying out some new privs to make sure they work, this is really slowing me down while I wait for the timeout to happen.

Is there a command I can run to reset the timeout?

I don’t want to change the timeout or affect other users, by the way!

Answers:


Method 1

sudo -k will kill the timeout timestamp. You can even put the command afterwards, like sudo -k test_my_privileges.sh

From man sudo:

-K  The -K (sure kill) option is like -k except that it removes the user’s time stamp entirely and may not be used in conjunction with a command or other option. This option does not require a password.

-k  When used by itself, the -k (kill) option to sudo invalidates the user’s time stamp by setting the time on it to the Epoch. The next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file.

    When used in conjunction with a command or an option that may require a password, this option will cause sudo to ignore the user’s cached credentials. As a result, sudo will prompt for a password (if one is required by the security policy) and will not update the user’s cached credentials.

You can also change it permanently.
From man sudoers:

timestamp_timeout

    Number of minutes that can elapse before sudo will ask for a passwd again. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user’s timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.
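
The reset-then-verify loop described in Method 1, as a POSIX shell script. This is an added example, not code from the answer or from the sudo project; it assumes sudo is installed, and test_my_privileges.sh is only the placeholder name used in the question. The check relies on sudo -n, which never prompts and instead fails immediately when a password would be required, so it is a safe probe of whether credentials are still cached.

```shell
#!/bin/sh
# Added example (not from the original answers): reset sudo's cached
# credentials before testing new privileges, and verify the reset worked.
# Assumes sudo is installed. test_my_privileges.sh is the placeholder
# name used in the question, not a real script.

# Exit 0 if sudo would run a command right now WITHOUT prompting,
# 1 if it would prompt (no valid time stamp, or a password is always required),
# 2 if sudo is not installed at all.
# "sudo -n" is non-interactive: instead of prompting it fails immediately,
# so it is a safe probe of the cached-credential state.
sudo_cached() {
    command -v sudo >/dev/null 2>&1 || return 2
    sudo -n true >/dev/null 2>&1
}

# Invalidate the time stamp with "sudo -k" (no password needed) and confirm
# that the next sudo would prompt. Exit 1 if sudo still runs without a
# prompt, which on a normal setup means a NOPASSWD rule (or running as root)
# rather than a cached time stamp.
reset_sudo_cache() {
    command -v sudo >/dev/null 2>&1 || return 2
    sudo -k
    if sudo_cached; then
        return 1
    fi
    return 0
}

# Run one privilege check with the cache ignored. "sudo -k CMD" prompts for
# a password (if the policy requires one) and does NOT refresh the time
# stamp, so consecutive checks each get a fresh prompt.
test_privs() {
    sudo -k "$@"
}

# Manual demonstration, e.g.  sh ./sudo-reset.sh --demo
if [ "${1:-}" = "--demo" ]; then
    if reset_sudo_cache; then
        echo "cache cleared: the next sudo will prompt"
    else
        echo "sudo still runs without a prompt (NOPASSWD rule, root, or sudo missing)"
    fi
    test_privs ./test_my_privileges.sh
fi
```

If you want the cache gone whenever a session ends rather than per test run, put sudo -K in your shell's logout file (for example ~/.bash_logout), which is exactly the use case the man page cites for -k.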

Method 2

Shawn’s answer is great but there is an additional configuration option that might be useful in this situation.

From man sudoers:

tty_tickets

If set, users must authenticate on a per-tty basis. With this flag enabled, sudo will use a file named for the tty the user is logged in on in the user’s time stamp directory. If disabled, the time stamp of the directory is used instead.

This flag is on by default.

From man sudo:

When the tty_tickets option is enabled in sudoers, the time stamp has per-tty granularity but still may outlive the user’s session. On Linux systems where the devpts filesystem is used, Solaris systems with the devices filesystem, as well as other systems that utilize a devfs filesystem that monotonically increase the inode number of devices as they are created (such as Mac OS X), sudo is able to determine when a tty-based time stamp file is stale and will ignore it. Administrators should not rely on this feature as it is not universally available.

I think it’s relatively new. If your system supports it, if you log out then log in, sudo will request your password again. (I have sudo -K in my shell’s logout script too.)
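
Method 1 mentions changing timestamp_timeout permanently and Method 2 the tty_tickets flag; the following sudoers drop-in, an added example and not part of either answer, shows how to apply both to a single account so that other users keep the site default. The user name alice and the file name /etc/sudoers.d/alice-testing are placeholders. Validate the file with visudo -c -f /etc/sudoers.d/alice-testing before relying on it, install it mode 0440, and keep a dot out of the file name, since sudo's includedir skips such files.

```sudoers
# Added example, not from the original answers: per-user sudoers drop-in
# (placeholder path /etc/sudoers.d/alice-testing) that forces a password
# prompt on every sudo for one account only. Other users keep the global
# timestamp_timeout default (5 minutes).

# "Defaults:USER" scopes the setting to that user. 0 means always prompt;
# the cached time stamp is then never consulted for alice.
Defaults:alice timestamp_timeout=0

# Per-tty time stamps are the default on current sudo; stating the flag
# here for alice makes the intent explicit even if a site-wide
# "Defaults !tty_tickets" exists elsewhere in the sudoers files.
Defaults:alice tty_tickets
```

After installing the file, sudo -l run as alice lists the matching Defaults entries, which is a quick way to confirm the override took effect without waiting for a timeout.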


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
