How does sudo decide whether to ask for a password, when given a command which doesn't actually need `sudo`?
Clash Royale CLAN TAG#URR8PPP
up vote
10
down vote
favorite
When applying sudo
to a command which doesn't actually need sudo
,
sometimes it doesn't ask me for my password. For example under my
$HOME
,sudo ls
.But I remember that it does for some other command, though I forget which one.
So I was wondering how sudo
decides whether to ask for a password, when given a command which doesn't actually need sudo
? Is there some rule in /etc/sudoers
specifying that?
My real problem is that when I use du
, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo
to du
regardless, and thought I would be asked for a password regardless, but actually not on my own directories.
sudo password
add a comment |Â
up vote
10
down vote
favorite
When applying sudo
to a command which doesn't actually need sudo
,
sometimes it doesn't ask me for my password. For example under my
$HOME
,sudo ls
.But I remember that it does for some other command, though I forget which one.
So I was wondering how sudo
decides whether to ask for a password, when given a command which doesn't actually need sudo
? Is there some rule in /etc/sudoers
specifying that?
My real problem is that when I use du
, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo
to du
regardless, and thought I would be asked for a password regardless, but actually not on my own directories.
sudo password
15
Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
â zwol
May 9 at 4:39
2
+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
â dcorking
May 9 at 13:34
add a comment |Â
up vote
10
down vote
favorite
up vote
10
down vote
favorite
When applying sudo
to a command which doesn't actually need sudo
,
sometimes it doesn't ask me for my password. For example under my
$HOME
,sudo ls
.But I remember that it does for some other command, though I forget which one.
So I was wondering how sudo
decides whether to ask for a password, when given a command which doesn't actually need sudo
? Is there some rule in /etc/sudoers
specifying that?
My real problem is that when I use du
, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo
to du
regardless, and thought I would be asked for a password regardless, but actually not on my own directories.
sudo password
When applying sudo
to a command which doesn't actually need sudo
,
sometimes it doesn't ask me for my password. For example under my
$HOME
,sudo ls
.But I remember that it does for some other command, though I forget which one.
So I was wondering how sudo
decides whether to ask for a password, when given a command which doesn't actually need sudo
? Is there some rule in /etc/sudoers
specifying that?
My real problem is that when I use du
, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo
to du
regardless, and thought I would be asked for a password regardless, but actually not on my own directories.
sudo password
edited May 9 at 10:55
psmears
43528
43528
asked May 8 at 14:09
Tim
22.6k63222401
22.6k63222401
15
Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
â zwol
May 9 at 4:39
2
+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
â dcorking
May 9 at 13:34
add a comment |Â
15
Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
â zwol
May 9 at 4:39
2
+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
â dcorking
May 9 at 13:34
15
15
Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
â zwol
May 9 at 4:39
Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
â zwol
May 9 at 4:39
2
2
+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
â dcorking
May 9 at 13:34
+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
â dcorking
May 9 at 13:34
add a comment |Â
3 Answers
3
active
oldest
votes
up vote
21
down vote
accepted
In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.
From the computer's perspective, there is no such thing as a âÂÂcommand that needs sudoâÂÂ. Any user can attempt to run any command. The outcome may be nothing but an error message such as âÂÂPermission deniedâ or âÂÂNo such file or directoryâÂÂ, but it's always possible to run the command.
For example, if you run du
on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what âÂÂpermission deniedâ means. If you run sudo du
, sudo runs du
as root, so you don't get permission errors (that's the point of the root account: rootù always has permission). When you run sudo du
, du
runs as root, and sudo
is not involved at all after du
has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.
There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.
Whether sudo asks for your password depends on two things.
- Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the
authenticate
option to false and having an applicable rule with theNOPASSWD
tag. - If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the
timeout
option). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal âÂÂàbut this is a very weak advantage and it can be turned off by setting thetty_tickets
option to false).
ù nearly, but that's beyond the scope of this thread.
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
â Paà Âlo Ebermann
May 8 at 21:45
@Paà ÂloEbermann I wrote âÂÂany user can attempt to run any commandâ to avoid nitpicking about that (rare) case. There's always a nitpicker :(
â Gilles
May 8 at 22:23
add a comment |Â
up vote
45
down vote
sudo
doesnâÂÂt know whether the command itâÂÂs asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo
, with what users as âÂÂtargetsâÂÂ, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.
If youâÂÂre using the default Debian configuration, the latter is most likely whatâÂÂs involved here: sudo
will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo
in the same terminal within that timeframe, it wonâÂÂt prompt you for a password.
Thanks. Do you meansudo du /path/to/some/dir
should either always need my password, or never, regardless of/path/to/some/dir
?
â Tim
May 8 at 14:52
12
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
â dr01
May 8 at 14:55
5
Strictly speaking it could depend on the path, because/etc/sudoers
can specify commands and their arguments. However if you havenâÂÂt added anything like that tosudoers
(and if you have, I should hope youâÂÂd be aware of it), the arguments wonâÂÂt matter (nor will the command if you have general access to root viasudo
).
â Stephen Kitt
May 8 at 18:04
19
sudo
does not store your password in the cache, only the information that your identity has already been verified once with a password check. Sincesudo
is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in thesudoers
file, and to reject all other attempts to use it. That's why it is important thatsudo
is such a small and very well studied program.
â telcoM
May 8 at 20:10
add a comment |Â
up vote
6
down vote
to a command which doesn't actually need sudo
It's not that a command needs or needs not sudo. When you run
sudo -u user command
the system executes command
as the user
.
Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers
(usually configured in /etc/sudoers
).
add a comment |Â
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
21
down vote
accepted
In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.
From the computer's perspective, there is no such thing as a âÂÂcommand that needs sudoâÂÂ. Any user can attempt to run any command. The outcome may be nothing but an error message such as âÂÂPermission deniedâ or âÂÂNo such file or directoryâÂÂ, but it's always possible to run the command.
For example, if you run du
on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what âÂÂpermission deniedâ means. If you run sudo du
, sudo runs du
as root, so you don't get permission errors (that's the point of the root account: rootù always has permission). When you run sudo du
, du
runs as root, and sudo
is not involved at all after du
has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.
There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.
Whether sudo asks for your password depends on two things.
- Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the
authenticate
option to false and having an applicable rule with theNOPASSWD
tag. - If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the
timeout
option). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal âÂÂàbut this is a very weak advantage and it can be turned off by setting thetty_tickets
option to false).
ù nearly, but that's beyond the scope of this thread.
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
â Paà Âlo Ebermann
May 8 at 21:45
@Paà ÂloEbermann I wrote âÂÂany user can attempt to run any commandâ to avoid nitpicking about that (rare) case. There's always a nitpicker :(
â Gilles
May 8 at 22:23
add a comment |Â
up vote
21
down vote
accepted
In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.
From the computer's perspective, there is no such thing as a âÂÂcommand that needs sudoâÂÂ. Any user can attempt to run any command. The outcome may be nothing but an error message such as âÂÂPermission deniedâ or âÂÂNo such file or directoryâÂÂ, but it's always possible to run the command.
For example, if you run du
on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what âÂÂpermission deniedâ means. If you run sudo du
, sudo runs du
as root, so you don't get permission errors (that's the point of the root account: rootù always has permission). When you run sudo du
, du
runs as root, and sudo
is not involved at all after du
has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.
There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.
Whether sudo asks for your password depends on two things.
- Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the
authenticate
option to false and having an applicable rule with theNOPASSWD
tag. - If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the
timeout
option). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal âÂÂàbut this is a very weak advantage and it can be turned off by setting thetty_tickets
option to false).
ù nearly, but that's beyond the scope of this thread.
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
â Paà Âlo Ebermann
May 8 at 21:45
@Paà ÂloEbermann I wrote âÂÂany user can attempt to run any commandâ to avoid nitpicking about that (rare) case. There's always a nitpicker :(
â Gilles
May 8 at 22:23
add a comment |Â
up vote
21
down vote
accepted
up vote
21
down vote
accepted
In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.
From the computer's perspective, there is no such thing as a âÂÂcommand that needs sudoâÂÂ. Any user can attempt to run any command. The outcome may be nothing but an error message such as âÂÂPermission deniedâ or âÂÂNo such file or directoryâÂÂ, but it's always possible to run the command.
For example, if you run du
on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what âÂÂpermission deniedâ means. If you run sudo du
, sudo runs du
as root, so you don't get permission errors (that's the point of the root account: rootù always has permission). When you run sudo du
, du
runs as root, and sudo
is not involved at all after du
has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.
There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.
Whether sudo asks for your password depends on two things.
- Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the
authenticate
option to false and having an applicable rule with theNOPASSWD
tag. - If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the
timeout
option). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal âÂÂàbut this is a very weak advantage and it can be turned off by setting thetty_tickets
option to false).
ù nearly, but that's beyond the scope of this thread.
In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.
From the computer's perspective, there is no such thing as a âÂÂcommand that needs sudoâÂÂ. Any user can attempt to run any command. The outcome may be nothing but an error message such as âÂÂPermission deniedâ or âÂÂNo such file or directoryâÂÂ, but it's always possible to run the command.
For example, if you run du
on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what âÂÂpermission deniedâ means. If you run sudo du
, sudo runs du
as root, so you don't get permission errors (that's the point of the root account: rootù always has permission). When you run sudo du
, du
runs as root, and sudo
is not involved at all after du
has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.
There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.
Whether sudo asks for your password depends on two things.
- Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the
authenticate
option to false and having an applicable rule with theNOPASSWD
tag. - If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the
timeout
option). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal âÂÂàbut this is a very weak advantage and it can be turned off by setting thetty_tickets
option to false).
ù nearly, but that's beyond the scope of this thread.
edited May 8 at 20:47
Shadur
18.4k64154
18.4k64154
answered May 8 at 19:36
Gilles
503k1189951522
503k1189951522
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
â Paà Âlo Ebermann
May 8 at 21:45
@Paà ÂloEbermann I wrote âÂÂany user can attempt to run any commandâ to avoid nitpicking about that (rare) case. There's always a nitpicker :(
â Gilles
May 8 at 22:23
add a comment |Â
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
â Paà Âlo Ebermann
May 8 at 21:45
@Paà ÂloEbermann I wrote âÂÂany user can attempt to run any commandâ to avoid nitpicking about that (rare) case. There's always a nitpicker :(
â Gilles
May 8 at 22:23
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
â Paà Âlo Ebermann
May 8 at 21:45
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
â Paà Âlo Ebermann
May 8 at 21:45
@Paà ÂloEbermann I wrote âÂÂany user can attempt to run any commandâ to avoid nitpicking about that (rare) case. There's always a nitpicker :(
â Gilles
May 8 at 22:23
@Paà ÂloEbermann I wrote âÂÂany user can attempt to run any commandâ to avoid nitpicking about that (rare) case. There's always a nitpicker :(
â Gilles
May 8 at 22:23
add a comment |Â
up vote
45
down vote
sudo
doesnâÂÂt know whether the command itâÂÂs asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo
, with what users as âÂÂtargetsâÂÂ, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.
If youâÂÂre using the default Debian configuration, the latter is most likely whatâÂÂs involved here: sudo
will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo
in the same terminal within that timeframe, it wonâÂÂt prompt you for a password.
Thanks. Do you meansudo du /path/to/some/dir
should either always need my password, or never, regardless of/path/to/some/dir
?
â Tim
May 8 at 14:52
12
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
â dr01
May 8 at 14:55
5
Strictly speaking it could depend on the path, because/etc/sudoers
can specify commands and their arguments. However if you havenâÂÂt added anything like that tosudoers
(and if you have, I should hope youâÂÂd be aware of it), the arguments wonâÂÂt matter (nor will the command if you have general access to root viasudo
).
â Stephen Kitt
May 8 at 18:04
19
sudo
does not store your password in the cache, only the information that your identity has already been verified once with a password check. Sincesudo
is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in thesudoers
file, and to reject all other attempts to use it. That's why it is important thatsudo
is such a small and very well studied program.
â telcoM
May 8 at 20:10
add a comment |Â
up vote
45
down vote
sudo
doesnâÂÂt know whether the command itâÂÂs asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo
, with what users as âÂÂtargetsâÂÂ, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.
If youâÂÂre using the default Debian configuration, the latter is most likely whatâÂÂs involved here: sudo
will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo
in the same terminal within that timeframe, it wonâÂÂt prompt you for a password.
Thanks. Do you meansudo du /path/to/some/dir
should either always need my password, or never, regardless of/path/to/some/dir
?
â Tim
May 8 at 14:52
12
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
â dr01
May 8 at 14:55
5
Strictly speaking it could depend on the path, because/etc/sudoers
can specify commands and their arguments. However if you havenâÂÂt added anything like that tosudoers
(and if you have, I should hope youâÂÂd be aware of it), the arguments wonâÂÂt matter (nor will the command if you have general access to root viasudo
).
â Stephen Kitt
May 8 at 18:04
19
sudo
does not store your password in the cache, only the information that your identity has already been verified once with a password check. Sincesudo
is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in thesudoers
file, and to reject all other attempts to use it. That's why it is important thatsudo
is such a small and very well studied program.
â telcoM
May 8 at 20:10
add a comment |Â
up vote
45
down vote
up vote
45
down vote
sudo
doesnâÂÂt know whether the command itâÂÂs asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo
, with what users as âÂÂtargetsâÂÂ, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.
If youâÂÂre using the default Debian configuration, the latter is most likely whatâÂÂs involved here: sudo
will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo
in the same terminal within that timeframe, it wonâÂÂt prompt you for a password.
sudo
doesnâÂÂt know whether the command itâÂÂs asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo
, with what users as âÂÂtargetsâÂÂ, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.
If youâÂÂre using the default Debian configuration, the latter is most likely whatâÂÂs involved here: sudo
will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo
in the same terminal within that timeframe, it wonâÂÂt prompt you for a password.
edited May 8 at 20:39
answered May 8 at 14:39
Stephen Kitt
140k22302363
140k22302363
Thanks. Do you meansudo du /path/to/some/dir
should either always need my password, or never, regardless of/path/to/some/dir
?
â Tim
May 8 at 14:52
12
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
â dr01
May 8 at 14:55
5
Strictly speaking it could depend on the path, because/etc/sudoers
can specify commands and their arguments. However if you havenâÂÂt added anything like that tosudoers
(and if you have, I should hope youâÂÂd be aware of it), the arguments wonâÂÂt matter (nor will the command if you have general access to root viasudo
).
â Stephen Kitt
May 8 at 18:04
19
sudo
does not store your password in the cache, only the information that your identity has already been verified once with a password check. Sincesudo
is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in thesudoers
file, and to reject all other attempts to use it. That's why it is important thatsudo
is such a small and very well studied program.
â telcoM
May 8 at 20:10
add a comment |Â
Thanks. Do you meansudo du /path/to/some/dir
should either always need my password, or never, regardless of/path/to/some/dir
?
â Tim
May 8 at 14:52
12
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
â dr01
May 8 at 14:55
5
Strictly speaking it could depend on the path, because/etc/sudoers
can specify commands and their arguments. However if you havenâÂÂt added anything like that tosudoers
(and if you have, I should hope youâÂÂd be aware of it), the arguments wonâÂÂt matter (nor will the command if you have general access to root viasudo
).
â Stephen Kitt
May 8 at 18:04
19
sudo
does not store your password in the cache, only the information that your identity has already been verified once with a password check. Sincesudo
is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in thesudoers
file, and to reject all other attempts to use it. That's why it is important thatsudo
is such a small and very well studied program.
â telcoM
May 8 at 20:10
Thanks. Do you mean
sudo du /path/to/some/dir
should either always need my password, or never, regardless of /path/to/some/dir
?â Tim
May 8 at 14:52
Thanks. Do you mean
sudo du /path/to/some/dir
should either always need my password, or never, regardless of /path/to/some/dir
?â Tim
May 8 at 14:52
12
12
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
â dr01
May 8 at 14:55
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
â dr01
May 8 at 14:55
5
5
Strictly speaking it could depend on the path, because
/etc/sudoers
can specify commands and their arguments. However if you havenâÂÂt added anything like that to sudoers
(and if you have, I should hope youâÂÂd be aware of it), the arguments wonâÂÂt matter (nor will the command if you have general access to root via sudo
).â Stephen Kitt
May 8 at 18:04
Strictly speaking it could depend on the path, because
/etc/sudoers
can specify commands and their arguments. However if you havenâÂÂt added anything like that to sudoers
(and if you have, I should hope youâÂÂd be aware of it), the arguments wonâÂÂt matter (nor will the command if you have general access to root via sudo
).â Stephen Kitt
May 8 at 18:04
19
19
sudo
does not store your password in the cache, only the information that your identity has already been verified once with a password check. Since sudo
is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in the sudoers
file, and to reject all other attempts to use it. That's why it is important that sudo
is such a small and very well studied program.â telcoM
May 8 at 20:10
sudo
does not store your password in the cache, only the information that your identity has already been verified once with a password check. Since sudo
is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in the sudoers
file, and to reject all other attempts to use it. That's why it is important that sudo
is such a small and very well studied program.â telcoM
May 8 at 20:10
add a comment |Â
up vote
6
down vote
to a command which doesn't actually need sudo
It's not that a command needs or needs not sudo. When you run
sudo -u user command
the system executes command
as the user
.
Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers
(usually configured in /etc/sudoers
).
add a comment |Â
up vote
6
down vote
to a command which doesn't actually need sudo
It's not that a command needs or needs not sudo. When you run
sudo -u user command
the system executes command
as the user
.
Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers
(usually configured in /etc/sudoers
).
add a comment |Â
up vote
6
down vote
up vote
6
down vote
to a command which doesn't actually need sudo
It's not that a command needs or needs not sudo. When you run
sudo -u user command
the system executes command
as the user
.
Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers
(usually configured in /etc/sudoers
).
to a command which doesn't actually need sudo
It's not that a command needs or needs not sudo. When you run
sudo -u user command
the system executes command
as the user
.
Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers
(usually configured in /etc/sudoers
).
answered May 8 at 14:38
dr01
15.2k114768
15.2k114768
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442552%2fhow-does-sudo-decide-whether-to-ask-for-a-password-when-given-a-command-which-d%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
15
Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
â zwol
May 9 at 4:39
2
+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
â dcorking
May 9 at 13:34