27

Is there a way through which I can make the sudo command give me permissions for a longer period than its default time?

It can be a pain having to keep entering the sudo password, when requiring the installation of many packages, so it would be nice if there exists a command or configuration that can be done to affect it usage period.

muru
  • 197,895
  • 55
  • 485
  • 740
TellMeWhy
  • 17,484
  • 3
    So, nobody uses su any more? Ever? – Mr Lister Sep 06 '15 at 21:26
  • 9
    @MrLister sudo -i and you have a root shell, ready for anyone to help shoothing themselves in the feet during as much time one like... – Rmano Sep 06 '15 at 22:04
  • 1
    @DevRobot, do you have a source for that? I find it kind of hard to believe that Canonical would remove such an important command, and I can't find anything about it on google. – DJMcMayhem Sep 06 '15 at 22:33
  • @DJMcMayhem All of the Ubuntu installs I've ever used, at least by default, had disabled the ability to use su to get a root shell. I think you can enable (or install?) it manually, though. You can also just use sudo -i or sudo bash or similar. – reirab Sep 07 '15 at 05:44
  • 9
    @DevRobot su needs root to have a password. By default, Ubuntu's root user doesn't have a password. Therefore, you can't su to root. su is working as intended here. Try with any user who has a password. – muru Sep 07 '15 at 06:37
  • 3
    @muru sudo su works just fine, though a bit repetitive. – coteyr Sep 07 '15 at 08:34
  • 1
    @coteyr sudo su works because su is executed as root, and the default Ubuntu configuration allows root to su without passwords. – muru Sep 07 '15 at 08:36
  • kinda what I meant. It's not that su is disabled, just that you have to execute it as root, instead of typing your root password (which by default doesn't exist) – coteyr Sep 07 '15 at 08:37
  • @MrLister Ubuntu (and possibly Debian) and it's derivatives usually don't have a root-password set (or rather it's set to something random and/or the root-account is blocked), so you can't use su to become root. It's a security measure to prevent the root-user from logging-in directly. Using sudo (and su) from a normal user-account, logs information about who became root. – Baard Kopperud Sep 07 '15 at 09:39
  • I had to install Debian 8 a few weeks ago and it does have an active root user. The installation asks for both the root password and the main user password. And after a fresh install, the user isn't even in sudoers. – Mr Lister Sep 07 '15 at 09:43
  • @MrLister not only is the user not in sudoers, but sudo isn't even installed! You have to su; apt-get install sudo – DJMcMayhem Sep 07 '15 at 13:07
  • @BaardKopperud It's just Ubuntu (and derivatives,) as far as I know. Normal Debian does have a normally-configured root user. – reirab Sep 07 '15 at 19:25
  • related: Making a window for a bash script password through Python. See my comments there – jfs Sep 08 '15 at 17:22

8 Answers8

28

Behavior of sudo is configured in /etc/sudoers file. There is timestamp_timeout option responsible for reprompting the user for password after specific amount of time.

From man sudoers

timestamp_timeout
                       Number of minutes that can elapse before sudo will ask
                       for a passwd again.  The timeout may include a frac‐
                       tional component if minute granularity is insufficient,
                       for example 2.5.  The default is 15.  Set this to 0 to
                       always prompt for a password.  If set to a value less
                       than 0 the user's time stamp will never expire.

To alter that setting do the following:

  1. In terminal run sudo visudo. visudo is used specifically to edit /etc/sudoers file and by default uses nano text editor.

  2. Find the lines starting with Defaults. Add the following line 

    Defaults        timestamp_timeout=x

    where x is the amount of minutes you want between reprompts

  3. Save the file with Ctrl + O

A.B.
  • 90,397
Sergiy Kolodyazhnyy
  • 105,154
  • 20
  • 279
  • 497
13

From man sudoers:

timestamp_timeout
                       Number of minutes that can elapse before sudo will ask
                       for a passwd again.  The timeout may include a frac‐
                       tional component if minute granularity is insufficient,
                       for example 2.5.  The default is 15.  Set this to 0 to
                       always prompt for a password.  If set to a value less
                       than 0 the user's time stamp will never expire.  This
                       can be used to allow users to create or delete their
                       own time stamps via “sudo -v” and “sudo -k” respec‐
                       tively.

As you can see, the default timeout of sudo is 15 minutes. You can change this value in /etc/sudoers.

You don't directly edit /etc/sudoers, instead use visudo to do it.

From man visudo:

     visudo edits the sudoers file in a safe fashion, analogous to vipw(8).
     visudo locks the sudoers file against multiple simultaneous edits, pro‐
     vides basic sanity checks, and checks for parse errors.  If the sudoers
     file is currently being edited you will receive a message to try again
     later.

So, type sudo visudo in a terminal, which will open the /etc/sudoers file in nano text-editor.

Look for this line:

Defaults    env_reset

And add timestamp_timeout=X where X is the time you want to set in minutes.

So as an example:

Defaults    env_reset,timestamp_timeout=5

If you specify 0, you will always be asked the password. If you specify a negative value, the timeout will never expire.

Once done, save and exit.

See RootSudoTimeout

Ron
  • 20,638
8

Try this .

  1. Run the following command in a Terminal:

    sudo visudo

  2. Scroll down to the line that looks like this:

    Defaults        env_reset

  3. Change it to for example: 

    Defaults        env_reset,timestamp_timeout=30

Change 30 to the time, in minutes, that you want it to wait before it times out. You can also change it to 0 if you want a password prompt every time you run sudo, or -1 if you never want a password prompt Press Ctrl+X to finish editing, Y to save changes, and Enter to exit.

Here is source: http://lifehacker.com/make-sudo-sessions-last-longer-in-linux-1221545774

muru
  • 197,895
  • 55
  • 485
  • 740
Michał Żywiecki
  • 411
5

You can edit the /etc/sudoers file (with sudo visudo: be careful) and add a line like

Defaults:myname timestamp_timeout=15

where myname is your user id. The timeout value is in minutes. You can use a value of -1 to never expire, and then type sudo -k to kill the authentication, so you need a password again.

Or you can add an entry to say a specific command does not need a password at all.

Ron
  • 20,638
meuh
  • 3,211
5

I can't believe that the simplest command:

sudo -s

is not mentioned here. The "-s" switch gives you a console with root permissions, that last until you exit it. No need to hazle around with the default settings.

Oliver Friedrich
  • 500
  • 1
    Why is this down voted? – coteyr Sep 07 '15 at 08:36
  • 3
    I didn't downvote, but this defeats one advantage of using sudo: every single command is logged (so you can see what you did). You lose that logging when you open a root shell. – guntbert Sep 09 '15 at 19:27
  • 1
    @guntbert surely is every command logged, but in the history of the root user. – Oliver Friedrich Sep 11 '15 at 08:49
  • @BeowulfOF not necessarily - the bash history is something completely different than the system log. – guntbert Sep 11 '15 at 12:40
  • Every process that logs to syslog if executed via sudo does also log to syslog if executed via rootshell - your comment does not make sense. The only difference by using sudo -s is, that the shell history (bash-history) of the user won't get commands written to - but root's does. – Oliver Friedrich Sep 20 '15 at 08:24
  • @BeowulfOF I didn't say syslog - have a look at /var/log/auth.log after you used a sequence of single sudo commands and again after you executed them from a root shell, obtained by sudo -s or sudo -i. – guntbert Oct 08 '15 at 14:09
  • 1
    Really, @guntbert, if you use the auth log like this, you have different problems. – Oliver Friedrich Oct 08 '15 at 14:33
  • @BeowulfOF now you made me curious, which ones might that be? – guntbert Oct 08 '15 at 14:36
  • This will run every command under sudo credentials, something one would better avoir. This is very different from not asking password each time sudo is explicitely called. – psychoslave Apr 01 '19 at 11:52
4

After seeing one too many questions from users who modified config files and were confused about why their changes were overwritten after a package upgrade, I'll note that if you want to modify timestamp_timeout, it is better to do it by creating a file in /etc/sudoers.d rather than modify /etc/sudoers directly.

So you should do

sudo visudo -f /etc/sudoers.d/timeout

(the name of the file can be whatever you want as long as it does not contain a period (.) nor end with a tilde (~)). Instead of opening /etc/sudoers in your editor of choice, it will open /etc/sudoers.d/timeout, normally as an empty file since it does not exist. Put your

Defaults timestamp_timeout=X

in it, and save as usual. Then if a new version of /etc/sudoers comes out, you don't have to choose between installing the newer version or keeping your changes--you will automatically have both.

fkraiem
  • 12,555
  • 4
  • 35
  • 40
1

If you are looking for a solution that doesn't change the configuration file, for example when you want the token to last longer for a specific session, or that it applies only after an explicit action, you might try the following:

# Work as is with Bash 4.1.2(1)-release and later, this might require some adaptation for other shells
(while [ true ]; do sudo -v; sleep $((60*4)); done)&

Basically the previous code refresh the sudo token every 4 minutes, through a process launched in background.

Indeed, according to the sudo manual: "the default password prompt timeout for the sudoers security policy is 5 minutes." So depending on the system specific policy, you might tweak the amount of time the loop pass sleeping between two cycles.

psychoslave
  • 181
  • man sudo for -v gives: Update the user's cached credentials, authenticating the user if necessary. For the sudoers plugin, this extends the sudo timeout for another 15 minutes by default, but does not run a command. So 15 minutes it seems. – pallgeuer Jan 27 '22 at 08:36
  • I think the password prompt timeout is if you execute sudo and get a password prompt and wait 5 minutes before actually typing in the password. Then it fails in any case – pallgeuer Jan 27 '22 at 08:37
1

All of the other answers so far seem to center around changing the default timeout for how long before you have to type your password again with sudo. However, if you want to just be able to run commands as root without prepending every command with sudo, you can get a root shell with:

sudo -i

or

sudo bash

or

sudo <your preferred shell here>

While all of these do just start a single process as root, the single process in question just so happens to be a shell that will allow you to start as many other processes as you like as root without any further need to type sudo or a password. :)

Of course, with great power comes great responsibility, don't do stupid stuff, etc.

muru
  • 197,895
  • 55
  • 485
  • 740
reirab
  • 142
  • 5