Running sudo without updating cached credentials
One of the recurring questions at conferences was whether there is a way to check cached sudo credentials without updating them. Version 1.9.12 of sudo introduces the -N option, which makes this possible, and also allows running any command without updating the cached credentials.
The -N option was introduced in sudo version 1.9.12. There is a good chance that your choice of operating system still has an older version of sudo. You can easily compile sudo from source, but using pre-built binary packages is even easier. Luckily, the sudo website has a large collection of easy-to-use binary packages for many popular operating systems.
- Stable release packages: https://www.sudo.ws/getting/packages/
- Development release packages: https://www.sudo.ws/getting/beta_packages/
By default, when you successfully enter your password at the beginning of a sudo session, you do not have to enter the password again when you run sudo within five minutes. Each time you run another command through sudo, the five-minute timer starts again. You can change this timeout in the sudoers file using the timestamp_timeout option. It expects the number of minutes as a parameter. You can completely disable credential caching by setting the number of minutes to zero.
Many sites disable credential caching, considering even this small window of time a security risk. If you worry that cached credentials might cause trouble, you can still enjoy their benefits: run a few more sudo commands without additional password authentication, then invalidate the cached credentials right after you finish using sudo. You can use the -k or -K option for this; check the sudo manual to see which suits your use case better.
You can check if your credentials are cached using:
sudo -nv
It will return an error message if your credentials are not cached. However, if they are cached, you also inadvertently extend the timeout to five minutes (or the defined timeout) again.
When using the -N option of sudo, cached credentials are not updated, which means that using:
sudo -Nnv
does not extend the timeout anymore. Here is a very simple Bash script to check the status of cached credentials, together with its output:
czanik@czplaptop:~> cat bin/canisudo.sh
#!/bin/bash
if sudo -Nnv ; then
echo "I can sudo :-)"
else
echo "Oops, sudo timed out :/"
fi
czanik@czplaptop:~> canisudo.sh
sudo: a password is required
Oops, sudo timed out :/
czanik@czplaptop:~> sudo id
czanik's password:
uid=0(root) gid=0(root) groups=0(root)
czanik@czplaptop:~> canisudo.sh
I can sudo :-)
You can also use the -N option in conjunction with running commands. In this case, if the credentials are not cached, you have to enter your password each time you run sudo:
czanik@czplaptop:~> sudo -N id
czanik's password:
uid=0(root) gid=0(root) groups=0(root)
czanik@czplaptop:~> sudo -N id
czanik's password:
uid=0(root) gid=0(root) groups=0(root)
There are various zsh and bash scripts floating around on the Internet which allow you to check the status of cached credentials. Some can even put this crucial information in your command prompt. If you use any of these, you can now update the scripts to use -N, so the timeout is not extended every time you check it.
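As an added example (not code from the sudo project or from the original post), here is a Bash prompt helper built on sudo -Nnv that reports whether credentials are cached without refreshing the timestamp. It assumes a SUDO_CMD variable to substitute the sudo binary (a made-up convention, useful for testing without a real sudo) and that an older sudo without -N rejects the flag with an "invalid option" message.

```bash
#!/bin/bash
# Prompt helper: show cached sudo credential status without extending the timeout.
# Relies on `sudo -Nnv` (sudo >= 1.9.12): -N leaves the timestamp untouched,
# -n never prompts for a password, -v only validates the cached credentials.
# SUDO_CMD is an assumed, overridable hook so a stub can stand in for sudo.
: "${SUDO_CMD:=sudo}"

# Exit status: 0 = credentials cached, 1 = password would be required,
#              2 = installed sudo does not understand -N (older than 1.9.12).
sudo_cache_status() {
  local out rc=0
  out=$("$SUDO_CMD" -Nnv 2>&1) || rc=$?
  [ "$rc" -eq 0 ] && return 0
  case "$out" in
    # Assumed wording for a pre-1.9.12 sudo rejecting the -N flag.
    *"invalid option"*|*"usage:"*) return 2 ;;
    # Default: "sudo: a password is required" (cache expired or never primed).
    *) return 1 ;;
  esac
}

# Prints a short tag for the prompt; empty when no credentials are cached,
# so the user is never misled into thinking a password-less sudo will work.
sudo_prompt_tag() {
  local rc=0
  sudo_cache_status || rc=$?
  case "$rc" in
    0) printf '[sudo]' ;;
    2) printf '[sudo?]' ;;   # cannot check safely: -N unsupported
    *) printf '' ;;
  esac
}

# Evaluated at every prompt; because of -N the check never refreshes the cache.
PS1='$(sudo_prompt_tag)\u@\h:\w> '
```
Source the file from your .bashrc; the tag appears only while sudo would run without asking for a password.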
If you would like to be notified about new posts and sudo news, sign up for the sudo blog announcement mailing list.