How does sudo decide whether to ask for a password, when given a command which doesn't actually need `sudo`?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
10
down vote

favorite
2












When applying sudo to a command which doesn't actually need sudo,



  • sometimes it doesn't ask me for my password. For example under my $HOME, sudo ls.


  • But I remember that it does for some other command, though I forget which one.


So I was wondering how sudo decides whether to ask for a password, when given a command which doesn't actually need sudo? Is there some rule in /etc/sudoers specifying that?



My real problem is that when I use du, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo to du regardless, and thought I would be asked for a password regardless, but actually not on my own directories.







share|improve this question

















  • 15




    Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
    – zwol
    May 9 at 4:39






  • 2




    +1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
    – dcorking
    May 9 at 13:34














up vote
10
down vote

favorite
2












When applying sudo to a command which doesn't actually need sudo,



  • sometimes it doesn't ask me for my password. For example under my $HOME, sudo ls.


  • But I remember that it does for some other command, though I forget which one.


So I was wondering how sudo decides whether to ask for a password, when given a command which doesn't actually need sudo? Is there some rule in /etc/sudoers specifying that?



My real problem is that when I use du, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo to du regardless, and thought I would be asked for a password regardless, but actually not on my own directories.







share|improve this question

















  • 15




    Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
    – zwol
    May 9 at 4:39






  • 2




    +1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
    – dcorking
    May 9 at 13:34












up vote
10
down vote

favorite
2









up vote
10
down vote

favorite
2






2





When applying sudo to a command which doesn't actually need sudo,



  • sometimes it doesn't ask me for my password. For example under my $HOME, sudo ls.


  • But I remember that it does for some other command, though I forget which one.


So I was wondering how sudo decides whether to ask for a password, when given a command which doesn't actually need sudo? Is there some rule in /etc/sudoers specifying that?



My real problem is that when I use du, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo to du regardless, and thought I would be asked for a password regardless, but actually not on my own directories.







share|improve this question













When applying sudo to a command which doesn't actually need sudo,



  • sometimes it doesn't ask me for my password. For example under my $HOME, sudo ls.


  • But I remember that it does for some other command, though I forget which one.


So I was wondering how sudo decides whether to ask for a password, when given a command which doesn't actually need sudo? Is there some rule in /etc/sudoers specifying that?



My real problem is that when I use du, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo to du regardless, and thought I would be asked for a password regardless, but actually not on my own directories.









share|improve this question












share|improve this question




share|improve this question








edited May 9 at 10:55









psmears

43528




43528









asked May 8 at 14:09









Tim

22.6k63222401




22.6k63222401







  • 15




    Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
    – zwol
    May 9 at 4:39






  • 2




    +1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
    – dcorking
    May 9 at 13:34












  • 15




    Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
    – zwol
    May 9 at 4:39






  • 2




    +1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
    – dcorking
    May 9 at 13:34







15




15




Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
– zwol
May 9 at 4:39




Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
– zwol
May 9 at 4:39




2




2




+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
– dcorking
May 9 at 13:34




+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
– dcorking
May 9 at 13:34










3 Answers
3






active

oldest

votes

















up vote
21
down vote



accepted










In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.



From the computer's perspective, there is no such thing as a “command that needs sudo”. Any user can attempt to run any command. The outcome may be nothing but an error message such as “Permission denied” or “No such file or directory”, but it's always possible to run the command.



For example, if you run du on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what “permission denied” means. If you run sudo du, sudo runs du as root, so you don't get permission errors (that's the point of the root account: root¹ always has permission). When you run sudo du, du runs as root, and sudo is not involved at all after du has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.



There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.



Whether sudo asks for your password depends on two things.



  1. Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the authenticate option to false and having an applicable rule with the NOPASSWD tag.

  2. If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the timeout option). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal — but this is a very weak advantage and it can be turned off by setting the tty_tickets option to false).

¹ nearly, but that's beyond the scope of this thread.






share|improve this answer























  • There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
    – PaÅ­lo Ebermann
    May 8 at 21:45










  • @PaÅ­loEbermann I wrote “any user can attempt to run any command” to avoid nitpicking about that (rare) case. There's always a nitpicker :(
    – Gilles
    May 8 at 22:23

















up vote
45
down vote













sudo doesn’t know whether the command it’s asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo, with what users as “targets”, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.



If you’re using the default Debian configuration, the latter is most likely what’s involved here: sudo will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo in the same terminal within that timeframe, it won’t prompt you for a password.






share|improve this answer























  • Thanks. Do you mean sudo du /path/to/some/dir should either always need my password, or never, regardless of /path/to/some/dir?
    – Tim
    May 8 at 14:52







  • 12




    Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
    – dr01
    May 8 at 14:55







  • 5




    Strictly speaking it could depend on the path, because /etc/sudoers can specify commands and their arguments. However if you haven’t added anything like that to sudoers (and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root via sudo).
    – Stephen Kitt
    May 8 at 18:04






  • 19




    sudo does not store your password in the cache, only the information that your identity has already been verified once with a password check. Since sudo is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in the sudoers file, and to reject all other attempts to use it. That's why it is important that sudo is such a small and very well studied program.
    – telcoM
    May 8 at 20:10


















up vote
6
down vote














to a command which doesn't actually need sudo




It's not that a command needs or needs not sudo. When you run



sudo -u user command


the system executes command as the user.



Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers (usually configured in /etc/sudoers).






share|improve this answer





















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );








     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442552%2fhow-does-sudo-decide-whether-to-ask-for-a-password-when-given-a-command-which-d%23new-answer', 'question_page');

    );

    Post as a guest






























    3 Answers
    3






    active

    oldest

    votes








    3 Answers
    3






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    21
    down vote



    accepted










    In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.



    From the computer's perspective, there is no such thing as a “command that needs sudo”. Any user can attempt to run any command. The outcome may be nothing but an error message such as “Permission denied” or “No such file or directory”, but it's always possible to run the command.



    For example, if you run du on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what “permission denied” means. If you run sudo du, sudo runs du as root, so you don't get permission errors (that's the point of the root account: root¹ always has permission). When you run sudo du, du runs as root, and sudo is not involved at all after du has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.



    There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.



    Whether sudo asks for your password depends on two things.



    1. Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the authenticate option to false and having an applicable rule with the NOPASSWD tag.

    2. If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the timeout option). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal — but this is a very weak advantage and it can be turned off by setting the tty_tickets option to false).

    ¹ nearly, but that's beyond the scope of this thread.






    share|improve this answer























    • There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
      – PaÅ­lo Ebermann
      May 8 at 21:45










    • @PaÅ­loEbermann I wrote “any user can attempt to run any command” to avoid nitpicking about that (rare) case. There's always a nitpicker :(
      – Gilles
      May 8 at 22:23














    up vote
    21
    down vote



    accepted










    In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.



    From the computer's perspective, there is no such thing as a “command that needs sudo”. Any user can attempt to run any command. The outcome may be nothing but an error message such as “Permission denied” or “No such file or directory”, but it's always possible to run the command.



    For example, if you run du on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what “permission denied” means. If you run sudo du, sudo runs du as root, so you don't get permission errors (that's the point of the root account: root¹ always has permission). When you run sudo du, du runs as root, and sudo is not involved at all after du has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.



    There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.



    Whether sudo asks for your password depends on two things.



    1. Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the authenticate option to false and having an applicable rule with the NOPASSWD tag.

    2. If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the timeout option). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal — but this is a very weak advantage and it can be turned off by setting the tty_tickets option to false).

    ¹ nearly, but that's beyond the scope of this thread.






    share|improve this answer























    • There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
      – PaÅ­lo Ebermann
      May 8 at 21:45










    • @PaÅ­loEbermann I wrote “any user can attempt to run any command” to avoid nitpicking about that (rare) case. There's always a nitpicker :(
      – Gilles
      May 8 at 22:23












    up vote
    21
    down vote



    accepted







    up vote
    21
    down vote



    accepted






    In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.



    From the computer's perspective, there is no such thing as a “command that needs sudo”. Any user can attempt to run any command. The outcome may be nothing but an error message such as “Permission denied” or “No such file or directory”, but it's always possible to run the command.



    For example, if you run du on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what “permission denied” means. If you run sudo du, sudo runs du as root, so you don't get permission errors (that's the point of the root account: root¹ always has permission). When you run sudo du, du runs as root, and sudo is not involved at all after du has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.



    There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.



    Whether sudo asks for your password depends on two things.



    1. Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the authenticate option to false and having an applicable rule with the NOPASSWD tag.

    2. If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the timeout option). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal — but this is a very weak advantage and it can be turned off by setting the tty_tickets option to false).

    ¹ nearly, but that's beyond the scope of this thread.






    share|improve this answer















    In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.



    From the computer's perspective, there is no such thing as a “command that needs sudo”. Any user can attempt to run any command. The outcome may be nothing but an error message such as “Permission denied” or “No such file or directory”, but it's always possible to run the command.



    For example, if you run du on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what “permission denied” means. If you run sudo du, sudo runs du as root, so you don't get permission errors (that's the point of the root account: root¹ always has permission). When you run sudo du, du runs as root, and sudo is not involved at all after du has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.



    There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.



    Whether sudo asks for your password depends on two things.



    1. Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the authenticate option to false and having an applicable rule with the NOPASSWD tag.

    2. If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the timeout option). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal — but this is a very weak advantage and it can be turned off by setting the tty_tickets option to false).

    ¹ nearly, but that's beyond the scope of this thread.







    share|improve this answer















    share|improve this answer



    share|improve this answer








    edited May 8 at 20:47









    Shadur

    18.4k64154




    18.4k64154











    answered May 8 at 19:36









    Gilles

    503k1189951522




    503k1189951522











    • There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
      – PaÅ­lo Ebermann
      May 8 at 21:45










    • @PaÅ­loEbermann I wrote “any user can attempt to run any command” to avoid nitpicking about that (rare) case. There's always a nitpicker :(
      – Gilles
      May 8 at 22:23
















    • There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
      – PaÅ­lo Ebermann
      May 8 at 21:45










    • @PaÅ­loEbermann I wrote “any user can attempt to run any command” to avoid nitpicking about that (rare) case. There's always a nitpicker :(
      – Gilles
      May 8 at 22:23















    There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
    – PaÅ­lo Ebermann
    May 8 at 21:45




    There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
    – PaÅ­lo Ebermann
    May 8 at 21:45












    @PaŭloEbermann I wrote “any user can attempt to run any command” to avoid nitpicking about that (rare) case. There's always a nitpicker :(
    – Gilles
    May 8 at 22:23




    @PaŭloEbermann I wrote “any user can attempt to run any command” to avoid nitpicking about that (rare) case. There's always a nitpicker :(
    – Gilles
    May 8 at 22:23












    up vote
    45
    down vote













    sudo doesn’t know whether the command it’s asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo, with what users as “targets”, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.



    If you’re using the default Debian configuration, the latter is most likely what’s involved here: sudo will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo in the same terminal within that timeframe, it won’t prompt you for a password.






    share|improve this answer























    • Thanks. Do you mean sudo du /path/to/some/dir should either always need my password, or never, regardless of /path/to/some/dir?
      – Tim
      May 8 at 14:52







    • 12




      Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
      – dr01
      May 8 at 14:55







    • 5




      Strictly speaking it could depend on the path, because /etc/sudoers can specify commands and their arguments. However if you haven’t added anything like that to sudoers (and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root via sudo).
      – Stephen Kitt
      May 8 at 18:04






    • 19




      sudo does not store your password in the cache, only the information that your identity has already been verified once with a password check. Since sudo is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in the sudoers file, and to reject all other attempts to use it. That's why it is important that sudo is such a small and very well studied program.
      – telcoM
      May 8 at 20:10















    up vote
    45
    down vote













    sudo doesn’t know whether the command it’s asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo, with what users as “targets”, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.



    If you’re using the default Debian configuration, the latter is most likely what’s involved here: sudo will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo in the same terminal within that timeframe, it won’t prompt you for a password.






    share|improve this answer























    • Thanks. Do you mean sudo du /path/to/some/dir should either always need my password, or never, regardless of /path/to/some/dir?
      – Tim
      May 8 at 14:52







    • 12




      Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
      – dr01
      May 8 at 14:55







    • 5




      Strictly speaking it could depend on the path, because /etc/sudoers can specify commands and their arguments. However if you haven’t added anything like that to sudoers (and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root via sudo).
      – Stephen Kitt
      May 8 at 18:04






    • 19




      sudo does not store your password in the cache, only the information that your identity has already been verified once with a password check. Since sudo is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in the sudoers file, and to reject all other attempts to use it. That's why it is important that sudo is such a small and very well studied program.
      – telcoM
      May 8 at 20:10













    up vote
    45
    down vote










    up vote
    45
    down vote









    sudo doesn’t know whether the command it’s asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo, with what users as “targets”, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.



    If you’re using the default Debian configuration, the latter is most likely what’s involved here: sudo will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo in the same terminal within that timeframe, it won’t prompt you for a password.






    share|improve this answer















    sudo doesn’t know whether the command it’s asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo, with what users as “targets”, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.



    If you’re using the default Debian configuration, the latter is most likely what’s involved here: sudo will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo in the same terminal within that timeframe, it won’t prompt you for a password.







    share|improve this answer















    share|improve this answer



    share|improve this answer








    edited May 8 at 20:39


























    answered May 8 at 14:39









    Stephen Kitt

    140k22302363




    140k22302363











    • Thanks. Do you mean sudo du /path/to/some/dir should either always need my password, or never, regardless of /path/to/some/dir?
      – Tim
      May 8 at 14:52







    • 12




      Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
      – dr01
      May 8 at 14:55







    • 5




      Strictly speaking it could depend on the path, because /etc/sudoers can specify commands and their arguments. However if you haven’t added anything like that to sudoers (and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root via sudo).
      – Stephen Kitt
      May 8 at 18:04






    • 19




      sudo does not store your password in the cache, only the information that your identity has already been verified once with a password check. Since sudo is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in the sudoers file, and to reject all other attempts to use it. That's why it is important that sudo is such a small and very well studied program.
      – telcoM
      May 8 at 20:10

















    • Thanks. Do you mean sudo du /path/to/some/dir should either always need my password, or never, regardless of /path/to/some/dir?
      – Tim
      May 8 at 14:52







    • 12




      Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
      – dr01
      May 8 at 14:55







    • 5




      Strictly speaking it could depend on the path, because /etc/sudoers can specify commands and their arguments. However if you haven’t added anything like that to sudoers (and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root via sudo).
      – Stephen Kitt
      May 8 at 18:04






    • 19




      sudo does not store your password in the cache, only the information that your identity has already been verified once with a password check. Since sudo is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in the sudoers file, and to reject all other attempts to use it. That's why it is important that sudo is such a small and very well studied program.
      – telcoM
      May 8 at 20:10
















    Thanks. Do you mean sudo du /path/to/some/dir should either always need my password, or never, regardless of /path/to/some/dir?
    – Tim
    May 8 at 14:52





    Thanks. Do you mean sudo du /path/to/some/dir should either always need my password, or never, regardless of /path/to/some/dir?
    – Tim
    May 8 at 14:52





    12




    12




    Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
    – dr01
    May 8 at 14:55





    Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
    – dr01
    May 8 at 14:55





    5




    5




    Strictly speaking it could depend on the path, because /etc/sudoers can specify commands and their arguments. However if you haven’t added anything like that to sudoers (and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root via sudo).
    – Stephen Kitt
    May 8 at 18:04




    Strictly speaking it could depend on the path, because /etc/sudoers can specify commands and their arguments. However if you haven’t added anything like that to sudoers (and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root via sudo).
    – Stephen Kitt
    May 8 at 18:04




    19




    19




    sudo does not store your password in the cache, only the information that your identity has already been verified once with a password check. Since sudo is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in the sudoers file, and to reject all other attempts to use it. That's why it is important that sudo is such a small and very well studied program.
    – telcoM
    May 8 at 20:10





    sudo does not store your password in the cache, only the information that your identity has already been verified once with a password check. Since sudo is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in the sudoers file, and to reject all other attempts to use it. That's why it is important that sudo is such a small and very well studied program.
    – telcoM
    May 8 at 20:10











    up vote
    6
    down vote














    to a command which doesn't actually need sudo




    It's not that a command needs or needs not sudo. When you run



    sudo -u user command


    the system executes command as the user.



    Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers (usually configured in /etc/sudoers).






    share|improve this answer

























      up vote
      6
      down vote














      to a command which doesn't actually need sudo




      It's not that a command needs or needs not sudo. When you run



      sudo -u user command


      the system executes command as the user.



      Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers (usually configured in /etc/sudoers).






      share|improve this answer























        up vote
        6
        down vote










        up vote
        6
        down vote










        to a command which doesn't actually need sudo




        It's not that a command needs or needs not sudo. When you run



        sudo -u user command


        the system executes command as the user.



        Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers (usually configured in /etc/sudoers).






        share|improve this answer














        to a command which doesn't actually need sudo




        It's not that a command needs or needs not sudo. When you run



        sudo -u user command


        the system executes command as the user.



        Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers (usually configured in /etc/sudoers).







        share|improve this answer













        share|improve this answer



        share|improve this answer











        answered May 8 at 14:38









        dr01

        15.2k114768




        15.2k114768






















             

            draft saved


            draft discarded


























             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442552%2fhow-does-sudo-decide-whether-to-ask-for-a-password-when-given-a-command-which-d%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?