How does sudo decide whether to ask for a password, when given a command which doesn't actually need `sudo`?
Clash Royale CLAN TAG#URR8PPP
up vote
10
down vote
favorite
When applying sudo to a command which doesn't actually need sudo,
sometimes it doesn't ask me for my password. For example under my
$HOME,sudo ls.But I remember that it does for some other command, though I forget which one.
So I was wondering how sudo decides whether to ask for a password, when given a command which doesn't actually need sudo? Is there some rule in /etc/sudoers specifying that?
My real problem is that when I use du, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo to du regardless, and thought I would be asked for a password regardless, but actually not on my own directories.
sudo password
edited May 9 at 10:55
psmears
43528
asked May 8 at 14:09
Tim
22.6k63222401
add a comment |Â
up vote
10
down vote
favorite
When applying sudo to a command which doesn't actually need sudo,
sometimes it doesn't ask me for my password. For example under my
$HOME,sudo ls.But I remember that it does for some other command, though I forget which one.
So I was wondering how sudo decides whether to ask for a password, when given a command which doesn't actually need sudo? Is there some rule in /etc/sudoers specifying that?
My real problem is that when I use du, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo to du regardless, and thought I would be asked for a password regardless, but actually not on my own directories.
sudo password
edited May 9 at 10:55
psmears
43528
asked May 8 at 14:09
Tim
22.6k63222401
15
Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
– zwol
May 9 at 4:39
2
+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
– dcorking
May 9 at 13:34
add a comment |Â
up vote
10
down vote
favorite
up vote
10
down vote
favorite
When applying sudo to a command which doesn't actually need sudo,
sometimes it doesn't ask me for my password. For example under my
$HOME,sudo ls.But I remember that it does for some other command, though I forget which one.
So I was wondering how sudo decides whether to ask for a password, when given a command which doesn't actually need sudo? Is there some rule in /etc/sudoers specifying that?
My real problem is that when I use du, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo to du regardless, and thought I would be asked for a password regardless, but actually not on my own directories.
sudo password
edited May 9 at 10:55
psmears
43528
asked May 8 at 14:09
Tim
22.6k63222401
When applying sudo to a command which doesn't actually need sudo,
sometimes it doesn't ask me for my password. For example under my
$HOME,sudo ls.But I remember that it does for some other command, though I forget which one.
So I was wondering how sudo decides whether to ask for a password, when given a command which doesn't actually need sudo? Is there some rule in /etc/sudoers specifying that?
My real problem is that when I use du, it sometimes shows "permission denied" for some directories, and sometimes not, probably because I don't have permission on some directories? I apply sudo to du regardless, and thought I would be asked for a password regardless, but actually not on my own directories.
sudo password
edited May 9 at 10:55
psmears
43528
asked May 8 at 14:09
Tim
22.6k63222401
edited May 9 at 10:55
psmears
43528
edited May 9 at 10:55
psmears
43528
edited May 9 at 10:55
psmears
43528
43528
asked May 8 at 14:09
Tim
22.6k63222401
asked May 8 at 14:09
Tim
22.6k63222401
asked May 8 at 14:09
Tim
22.6k63222401
22.6k63222401
15
Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
– zwol
May 9 at 4:39
2
+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
– dcorking
May 9 at 13:34
add a comment |Â
15
Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
– zwol
May 9 at 4:39
2
+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
– dcorking
May 9 at 13:34
15
15
Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
– zwol
May 9 at 4:39
Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
– zwol
May 9 at 4:39
2
2
+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
– dcorking
May 9 at 13:34
+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
– dcorking
May 9 at 13:34
add a comment |Â
3 Answers
3
active
oldest
votes
up vote
21
down vote
accepted
In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.
From the computer's perspective, there is no such thing as a “command that needs sudoâ€Â. Any user can attempt to run any command. The outcome may be nothing but an error message such as “Permission denied†or “No such file or directoryâ€Â, but it's always possible to run the command.
For example, if you run du on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what “permission denied†means. If you run sudo du, sudo runs du as root, so you don't get permission errors (that's the point of the root account: root¹ always has permission). When you run sudo du, du runs as root, and sudo is not involved at all after du has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.
There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.
Whether sudo asks for your password depends on two things.
- Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the
authenticateoption to false and having an applicable rule with theNOPASSWDtag. - If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the
timeoutoption). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal — but this is a very weak advantage and it can be turned off by setting thetty_ticketsoption to false).
¹ nearly, but that's beyond the scope of this thread.
edited May 8 at 20:47
Shadur
18.4k64154
answered May 8 at 19:36
Gilles
503k1189951522
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
– PaÃ…Âlo Ebermann
May 8 at 21:45
@PaÃ…ÂloEbermann I wrote “any user can attempt to run any command†to avoid nitpicking about that (rare) case. There's always a nitpicker :(
– Gilles
May 8 at 22:23
add a comment |Â
up vote
45
down vote
sudo doesn’t know whether the command it’s asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo, with what users as “targetsâ€Â, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.
If you’re using the default Debian configuration, the latter is most likely what’s involved here: sudo will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo in the same terminal within that timeframe, it won’t prompt you for a password.
answered May 8 at 14:39
Stephen Kitt
140k22302363
Thanks. Do you meansudo du /path/to/some/dirshould either always need my password, or never, regardless of/path/to/some/dir?
– Tim
May 8 at 14:52
12
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
– dr01
May 8 at 14:55
5
Strictly speaking it could depend on the path, because/etc/sudoerscan specify commands and their arguments. However if you haven’t added anything like that tosudoers(and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root viasudo).
– Stephen Kitt
May 8 at 18:04
19
sudodoes not store your password in the cache, only the information that your identity has already been verified once with a password check. Sincesudois a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in thesudoersfile, and to reject all other attempts to use it. That's why it is important thatsudois such a small and very well studied program.
– telcoM
May 8 at 20:10
add a comment |Â
up vote
6
down vote
to a command which doesn't actually need sudo
It's not that a command needs or needs not sudo. When you run
sudo -u user command
the system executes command as the user.
Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers (usually configured in /etc/sudoers).
answered May 8 at 14:38
dr01
15.2k114768
add a comment |Â
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
21
down vote
accepted
In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.
From the computer's perspective, there is no such thing as a “command that needs sudoâ€Â. Any user can attempt to run any command. The outcome may be nothing but an error message such as “Permission denied†or “No such file or directoryâ€Â, but it's always possible to run the command.
For example, if you run du on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what “permission denied†means. If you run sudo du, sudo runs du as root, so you don't get permission errors (that's the point of the root account: root¹ always has permission). When you run sudo du, du runs as root, and sudo is not involved at all after du has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.
There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.
Whether sudo asks for your password depends on two things.
- Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the
authenticateoption to false and having an applicable rule with theNOPASSWDtag. - If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the
timeoutoption). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal — but this is a very weak advantage and it can be turned off by setting thetty_ticketsoption to false).
¹ nearly, but that's beyond the scope of this thread.
edited May 8 at 20:47
Shadur
18.4k64154
answered May 8 at 19:36
Gilles
503k1189951522
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
– PaÃ…Âlo Ebermann
May 8 at 21:45
@PaÃ…ÂloEbermann I wrote “any user can attempt to run any command†to avoid nitpicking about that (rare) case. There's always a nitpicker :(
– Gilles
May 8 at 22:23
add a comment |Â
up vote
21
down vote
accepted
In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.
From the computer's perspective, there is no such thing as a “command that needs sudoâ€Â. Any user can attempt to run any command. The outcome may be nothing but an error message such as “Permission denied†or “No such file or directoryâ€Â, but it's always possible to run the command.
For example, if you run du on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what “permission denied†means. If you run sudo du, sudo runs du as root, so you don't get permission errors (that's the point of the root account: root¹ always has permission). When you run sudo du, du runs as root, and sudo is not involved at all after du has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.
There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.
Whether sudo asks for your password depends on two things.
- Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the
authenticateoption to false and having an applicable rule with theNOPASSWDtag. - If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the
timeoutoption). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal — but this is a very weak advantage and it can be turned off by setting thetty_ticketsoption to false).
¹ nearly, but that's beyond the scope of this thread.
edited May 8 at 20:47
Shadur
18.4k64154
answered May 8 at 19:36
Gilles
503k1189951522
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
– PaÃ…Âlo Ebermann
May 8 at 21:45
@PaÃ…ÂloEbermann I wrote “any user can attempt to run any command†to avoid nitpicking about that (rare) case. There's always a nitpicker :(
– Gilles
May 8 at 22:23
add a comment |Â
up vote
21
down vote
accepted
up vote
21
down vote
accepted
In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.
From the computer's perspective, there is no such thing as a “command that needs sudoâ€Â. Any user can attempt to run any command. The outcome may be nothing but an error message such as “Permission denied†or “No such file or directoryâ€Â, but it's always possible to run the command.
For example, if you run du on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what “permission denied†means. If you run sudo du, sudo runs du as root, so you don't get permission errors (that's the point of the root account: root¹ always has permission). When you run sudo du, du runs as root, and sudo is not involved at all after du has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.
There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.
Whether sudo asks for your password depends on two things.
- Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the
authenticateoption to false and having an applicable rule with theNOPASSWDtag. - If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the
timeoutoption). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal — but this is a very weak advantage and it can be turned off by setting thetty_ticketsoption to false).
¹ nearly, but that's beyond the scope of this thread.
edited May 8 at 20:47
Shadur
18.4k64154
answered May 8 at 19:36
Gilles
503k1189951522
In a typical configuration, the command is irrelevant. You need to enter your password the first time you use sudo, and you don't need your password in that particular shell for the next 15 minutes.
From the computer's perspective, there is no such thing as a “command that needs sudoâ€Â. Any user can attempt to run any command. The outcome may be nothing but an error message such as “Permission denied†or “No such file or directoryâ€Â, but it's always possible to run the command.
For example, if you run du on a directory tree that has contents that you don't have permission to access, you'll get permission errors. That's what “permission denied†means. If you run sudo du, sudo runs du as root, so you don't get permission errors (that's the point of the root account: root¹ always has permission). When you run sudo du, du runs as root, and sudo is not involved at all after du has started. Whether du encounters permission errors is completely irrelevant to how sudo operates.
There are commands that need sudo to do something useful. Usefulness is a human concept. You need to use sudo (or some other methods to run the command as root) if the command does something useful when run as root but not when run under your account.
Whether sudo asks for your password depends on two things.
- Based on the configuration, sudo decides whether you need to be authenticated. By default, sudo requires a password. This can be turned off in several ways, including setting the
authenticateoption to false and having an applicable rule with theNOPASSWDtag. - If sudo requires your password, it may be content to use a cached value. That's ok because the reason sudo needs your password is not to authenticate who's calling it (sudo knows what user invoked it), but to confirm that it's still you at the commands and not somebody who took control over your keyboard. By default, sudo is willing to believe that you're still at the commands if you entered your password less than 15 minutes ago (this can be changed with the
timeoutoption). You need to have entered the password in the same terminal (so that if you remain logged in on one terminal then leave that terminal unattended and then use another terminal, someone can't take advantage of this to use sudo on the other terminal — but this is a very weak advantage and it can be turned off by setting thetty_ticketsoption to false).
¹ nearly, but that's beyond the scope of this thread.
edited May 8 at 20:47
Shadur
18.4k64154
answered May 8 at 19:36
Gilles
503k1189951522
edited May 8 at 20:47
Shadur
18.4k64154
edited May 8 at 20:47
Shadur
18.4k64154
edited May 8 at 20:47
Shadur
18.4k64154
18.4k64154
answered May 8 at 19:36
Gilles
503k1189951522
answered May 8 at 19:36
Gilles
503k1189951522
answered May 8 at 19:36
Gilles
503k1189951522
503k1189951522
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
– PaÃ…Âlo Ebermann
May 8 at 21:45
@PaÃ…ÂloEbermann I wrote “any user can attempt to run any command†to avoid nitpicking about that (rare) case. There's always a nitpicker :(
– Gilles
May 8 at 22:23
add a comment |Â
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
– PaÃ…Âlo Ebermann
May 8 at 21:45
@PaÃ…ÂloEbermann I wrote “any user can attempt to run any command†to avoid nitpicking about that (rare) case. There's always a nitpicker :(
– Gilles
May 8 at 22:23
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
– PaÃ…Âlo Ebermann
May 8 at 21:45
There might be files which have the executable bit set just for root, not for others. This might be fall unter "need root to execute". (Just nitpicking.)
– PaÃ…Âlo Ebermann
May 8 at 21:45
@PaÃ…ÂloEbermann I wrote “any user can attempt to run any command†to avoid nitpicking about that (rare) case. There's always a nitpicker :(
– Gilles
May 8 at 22:23
@PaÃ…ÂloEbermann I wrote “any user can attempt to run any command†to avoid nitpicking about that (rare) case. There's always a nitpicker :(
– Gilles
May 8 at 22:23
add a comment |Â
up vote
45
down vote
sudo doesn’t know whether the command it’s asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo, with what users as “targetsâ€Â, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.
If you’re using the default Debian configuration, the latter is most likely what’s involved here: sudo will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo in the same terminal within that timeframe, it won’t prompt you for a password.
answered May 8 at 14:39
Stephen Kitt
140k22302363
Thanks. Do you meansudo du /path/to/some/dirshould either always need my password, or never, regardless of/path/to/some/dir?
– Tim
May 8 at 14:52
12
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
– dr01
May 8 at 14:55
5
Strictly speaking it could depend on the path, because/etc/sudoerscan specify commands and their arguments. However if you haven’t added anything like that tosudoers(and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root viasudo).
– Stephen Kitt
May 8 at 18:04
19
sudodoes not store your password in the cache, only the information that your identity has already been verified once with a password check. Sincesudois a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in thesudoersfile, and to reject all other attempts to use it. That's why it is important thatsudois such a small and very well studied program.
– telcoM
May 8 at 20:10
add a comment |Â
up vote
45
down vote
sudo doesn’t know whether the command it’s asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo, with what users as “targetsâ€Â, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.
If you’re using the default Debian configuration, the latter is most likely what’s involved here: sudo will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo in the same terminal within that timeframe, it won’t prompt you for a password.
answered May 8 at 14:39
Stephen Kitt
140k22302363
Thanks. Do you meansudo du /path/to/some/dirshould either always need my password, or never, regardless of/path/to/some/dir?
– Tim
May 8 at 14:52
12
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
– dr01
May 8 at 14:55
5
Strictly speaking it could depend on the path, because/etc/sudoerscan specify commands and their arguments. However if you haven’t added anything like that tosudoers(and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root viasudo).
– Stephen Kitt
May 8 at 18:04
19
sudodoes not store your password in the cache, only the information that your identity has already been verified once with a password check. Sincesudois a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in thesudoersfile, and to reject all other attempts to use it. That's why it is important thatsudois such a small and very well studied program.
– telcoM
May 8 at 20:10
add a comment |Â
up vote
45
down vote
up vote
45
down vote
sudo doesn’t know whether the command it’s asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo, with what users as “targetsâ€Â, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.
If you’re using the default Debian configuration, the latter is most likely what’s involved here: sudo will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo in the same terminal within that timeframe, it won’t prompt you for a password.
answered May 8 at 14:39
Stephen Kitt
140k22302363
sudo doesn’t know whether the command it’s asked to run needs to run as some other user (typically root), all it knows is its configuration. That determines which users are allowed to run sudo, with what users as “targetsâ€Â, and for what commands; it also determines whether a password is needed, which one, and whether to keep an authentication token around.
If you’re using the default Debian configuration, the latter is most likely what’s involved here: sudo will ask you for your password the first time you use it in any given terminal, then it will keep an authentication token for a certain amount of time. If you re-use sudo in the same terminal within that timeframe, it won’t prompt you for a password.
answered May 8 at 14:39
Stephen Kitt
140k22302363
edited May 8 at 20:39
answered May 8 at 14:39
Stephen Kitt
140k22302363
answered May 8 at 14:39
Stephen Kitt
140k22302363
answered May 8 at 14:39
Stephen Kitt
140k22302363
140k22302363
Thanks. Do you meansudo du /path/to/some/dirshould either always need my password, or never, regardless of/path/to/some/dir?
– Tim
May 8 at 14:52
12
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
– dr01
May 8 at 14:55
5
Strictly speaking it could depend on the path, because/etc/sudoerscan specify commands and their arguments. However if you haven’t added anything like that tosudoers(and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root viasudo).
– Stephen Kitt
May 8 at 18:04
19
sudodoes not store your password in the cache, only the information that your identity has already been verified once with a password check. Sincesudois a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in thesudoersfile, and to reject all other attempts to use it. That's why it is important thatsudois such a small and very well studied program.
– telcoM
May 8 at 20:10
add a comment |Â
Thanks. Do you meansudo du /path/to/some/dirshould either always need my password, or never, regardless of/path/to/some/dir?
– Tim
May 8 at 14:52
12
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
– dr01
May 8 at 14:55
5
Strictly speaking it could depend on the path, because/etc/sudoerscan specify commands and their arguments. However if you haven’t added anything like that tosudoers(and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root viasudo).
– Stephen Kitt
May 8 at 18:04
19
sudodoes not store your password in the cache, only the information that your identity has already been verified once with a password check. Sincesudois a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in thesudoersfile, and to reject all other attempts to use it. That's why it is important thatsudois such a small and very well studied program.
– telcoM
May 8 at 20:10
Thanks. Do you mean
sudo du /path/to/some/dir should either always need my password, or never, regardless of /path/to/some/dir?– Tim
May 8 at 14:52
Thanks. Do you mean
sudo du /path/to/some/dir should either always need my password, or never, regardless of /path/to/some/dir?– Tim
May 8 at 14:52
12
12
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
– dr01
May 8 at 14:55
Yes. It will always need your password (or not). Clearly, if it needs your password but has already stored it in the cache, it won't prompt you to enter it.
– dr01
May 8 at 14:55
5
5
Strictly speaking it could depend on the path, because
/etc/sudoers can specify commands and their arguments. However if you haven’t added anything like that to sudoers (and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root via sudo).– Stephen Kitt
May 8 at 18:04
Strictly speaking it could depend on the path, because
/etc/sudoers can specify commands and their arguments. However if you haven’t added anything like that to sudoers (and if you have, I should hope you’d be aware of it), the arguments won’t matter (nor will the command if you have general access to root via sudo).– Stephen Kitt
May 8 at 18:04
19
19
sudo does not store your password in the cache, only the information that your identity has already been verified once with a password check. Since sudo is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in the sudoers file, and to reject all other attempts to use it. That's why it is important that sudo is such a small and very well studied program.– telcoM
May 8 at 20:10
sudo does not store your password in the cache, only the information that your identity has already been verified once with a password check. Since sudo is a setuid-root program, it already has all the permissions it needs to run anything as anyone - but it is trusted to only allow the users to use it exactly as specified in the sudoers file, and to reject all other attempts to use it. That's why it is important that sudo is such a small and very well studied program.– telcoM
May 8 at 20:10
add a comment |Â
up vote
6
down vote
to a command which doesn't actually need sudo
It's not that a command needs or needs not sudo. When you run
sudo -u user command
the system executes command as the user.
Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers (usually configured in /etc/sudoers).
answered May 8 at 14:38
dr01
15.2k114768
add a comment |Â
up vote
6
down vote
to a command which doesn't actually need sudo
It's not that a command needs or needs not sudo. When you run
sudo -u user command
the system executes command as the user.
Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers (usually configured in /etc/sudoers).
answered May 8 at 14:38
dr01
15.2k114768
add a comment |Â
up vote
6
down vote
up vote
6
down vote
to a command which doesn't actually need sudo
It's not that a command needs or needs not sudo. When you run
sudo -u user command
the system executes command as the user.
Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers (usually configured in /etc/sudoers).
answered May 8 at 14:38
dr01
15.2k114768
to a command which doesn't actually need sudo
It's not that a command needs or needs not sudo. When you run
sudo -u user command
the system executes command as the user.
Whether the invocation is successful or not, and whether a password is asked or not, depends on the security policy sudoers (usually configured in /etc/sudoers).
answered May 8 at 14:38
dr01
15.2k114768
answered May 8 at 14:38
dr01
15.2k114768
answered May 8 at 14:38
dr01
15.2k114768
answered May 8 at 14:38
dr01
15.2k114768
15.2k114768
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442552%2fhow-does-sudo-decide-whether-to-ask-for-a-password-when-given-a-command-which-d%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
15
Deciding whether a program would attempt to do something that only root can do, or access a file that the invoking user is forbidden to access, without actually running the program, is the Halting Problem in disguise. So you can be sure that's not what sudo is doing.
– zwol
May 9 at 4:39
2
+1 because although the question is based on a misconception, the symptoms are clearly explained, and it has one unambiguous answer.
– dcorking
May 9 at 13:34