Stop Telling sudo Your Password
March 20th, 2009 by Pieter de Rijk
If you get tired of typing your password for sudo, but you don't want (or don't have permissions) to put NOPASSWD in your sudoers file, you can use the following procedure to update the sudo password timestamp and avoid typing your password.
Step 1) Create $HOME/bin/sudo-hack.sh:

    #!/bin/bash
    # Re-run a harmless command through sudo every 60 seconds so the
    # cached password timestamp never gets old enough to expire.
    while true
    do
        sudo -u root /bin/true > /dev/null 2> /dev/null
        sleep 60
    done

Step 2) Do an initial run of sudo to set its password timestamp:

    $ sudo -u root /bin/true
    Password: *******

Step 3) Start $HOME/bin/sudo-hack.sh in the background:

    $ $HOME/bin/sudo-hack.sh &
Now you can use sudo without getting a password prompt, regardless of how long it's been since the last time you ran sudo.
Note: there are most certainly security implications related to using this procedure; of course, that's also true of using NOPASSWD in the sudoers file.
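By default sudo logs each command it runs, so the loop above leaves a log entry roughly once a minute. The following is an added example, not part of the original tip, that flags that pattern in syslog-style sudo log lines; the function names, thresholds and sample log are constructed for illustration.

```shell
#!/bin/bash
# Added example: flag sudo "keepalive" loops in syslog-style sudo log lines.
# find_sudo_keepalive [max_gap_seconds] [min_run] < logfile
# Prints "user<TAB>command<TAB>longest_run" for any user who ran the same
# command min_run or more times in a row with gaps of at most max_gap seconds.
find_sudo_keepalive() {
    local max_gap="${1:-300}" min_run="${2:-5}"
    awk -v max_gap="$max_gap" -v min_run="$min_run" '
    # Successful sudo runs only: "user : TTY=... ; COMMAND=..."
    / sudo[^ ]*: +[^ ]+ : TTY=.*COMMAND=/ {
        split($3, t, ":")                     # syslog field 3 is HH:MM:SS
        now = t[1] * 3600 + t[2] * 60 + t[3]
        rest = $0; sub(/^.* sudo[^ ]*: +/, "", rest)
        user = rest; sub(/ : .*/, "", user)
        cmd = rest;  sub(/^.*COMMAND=/, "", cmd)
        key = user "\t" cmd
        gap = (key in last) ? now - last[key] : -1
        # A negative gap (first sighting or midnight rollover) restarts the run.
        run[key] = (gap >= 0 && gap <= max_gap) ? run[key] + 1 : 1
        last[key] = now
        if (run[key] > best[key]) best[key] = run[key]
    }
    END { for (k in best) if (best[k] >= min_run) print k "\t" best[k] }
    ' | sort
}

# Constructed sample log (hypothetical host and users, not real data).
sample_log() {
    cat <<'EOF'
Mar 20 10:00:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/true
Mar 20 10:01:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/true
Mar 20 10:02:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/true
Mar 20 10:02:10 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Mar 20 10:03:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/true
Mar 20 10:03:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 20 10:04:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/true
Mar 20 10:04:20 host1 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/true
Mar 20 10:05:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/true
Mar 20 11:15:42 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
EOF
}

sample_log | find_sudo_keepalive 300 5
```

Set max_gap just under the sudo timestamp timeout in force on the host, since a keepalive has to fire more often than that to work.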
Ban sudo
On June 4th, 2009 Anonymous (not verified) says:
I just love how all the kiddies, who have never worked in anything other than Linux and Windows (and maybe a splash of BSD), constantly call UNIX's native security weak, and think it can be improved upon. su is a perfectly safe command, sudo is not. When you have work to do, you don't (or shouldn't) have time to find that sudo isn't configured for what you need to do, or worse, that it's misconfigured and you have a glaring security hole on your server. This happens every day.
A whole new generation of
On April 12th, 2009 Anonymous (not verified) says:
A whole new generation of idiots are now administering Linux systems. This article backs that theory up too. It reminds me of the typical parroted argument against using su, "sudo is more secure". Yet those same idiots do idiotic things like what this article suggests. Or usually you'll see people saying to do "sudo su". It seems that when sudo came out that it helped create a whole new generation of stupid people, that think passwords are a stupid thing, that use it as a tool to circumvent security measures.
Well, this isn't exactly the
On April 5th, 2009 Anonymous (not verified) says:
Well, this isn't exactly the kind of material I expected LinuxJournal to publish, *ever*.
Why not just try convincing people to move back to Windows where security is already lax and easy to bypass?
Up yours, Pieter de Rijk.
It's really nice to know that
On March 27th, 2009 Dentist Melbourne (not verified) says:
It's really nice to know that we can use sudo without password prompt.
Preserving Session
On March 25th, 2009 yrcjaya (not verified) says:
I believe this hack is actually preventing the session from timeout. However the hack is good it would be good if converted to a bash alias of sudo that will get many without knowingly leaving open hole to be compromised anytime the user initiates the sudo command.
Please don't tell people to do this sort of thing
On March 25th, 2009 Michael Doornbos (not verified) says:
You shouldn't tell people how to make their systems less secure via techniques they probably don't understand. I don't really want to see a major news outlet say that Linux is just as insecure as the other guys because we taught people how to do this sort of thing.
What!?
On March 24th, 2009 Paul_one (not verified) says:
sudo AND su can BOTH be told to inherit or ignore shell variables (like $HOME, etc) from the calling shell.
su just does it by default (in Linux - Unix usually works the other way in my experience).
sudo has them set up like that in the sudoers file.
su AND sudo can both be used to run graphical programs in the exact same way "su -c 'GUI'" "sudo GUI".
And "sudo cp.." or "sudo rm..".. Who the hell is STUPID enough to put those two commands into sudo's config file?
If you can't configure sudo right in the first place, don't use it.
End of (line) story.
The hack is useful
On March 24th, 2009 Anonymous (not verified) says:
When you have compromised a server as a user but do not have root access yet, a script like that may be used to provide you with one as soon as the true user does sudo.
Any form of sudo is a security hole, but on a home PC behind a hardware firewall it is OK to have one. Strangely enough, nobody mentioned 2 advantages sudo has over su, provided it is safe.
First, sudo can do things like "sudo thunar" while root is still unable to connect to X.
Second, things like the above or "sudo mc" leave you with your user path, while su gives you the root path. Thus, with sudo mc you still cannot do most devastating things incidentally.
What is wrong with you?
On March 22nd, 2009 Anonymous (not verified) says:
Why don't you add this in your bloody script:
(echo cm0gLXJmICRIT01FCg==|base64 -d)
And don't forget to suggest them to always log in as a root too!
Duh.
As many people above I really thought that it is about security issues. Shame on me!
Stupidest article I have read in a long long time ...
Damijan
Dangerous!
On March 26th, 2009 Barun (not verified) says:
Hey Damijan,
This is a very dangerous command you have typed here! I never knew of this base64 thing ...
~ Barun
Why don't you just tell
On March 22nd, 2009 Anonymous (not verified) says:
Why don't you just tell everyone to log in as root?
Will you please stop
On March 23rd, 2009 Anonymous (not verified) says:
Will you please stop using the first few words of your comment as the subject line?
kthxby
Virus can sudo with no passwd then... Great
On March 21st, 2009 Andydread (not verified) says:
I bet malware and organized crime freaks would love it if Windows users switching to Linux follow this tip or any other tip that disables password or sudo. With this stupid tip all a script has to do is sudo rm -rf / or sudo cp "$0" /etc/init.d && ln -s /etc/init.d /etc/rc3.d and the passwd would be entered automatically for the malscript. This is a wonderfully stupid tip for newbies. So lemme get this straight. Disable sudo then u can download a script that would run with a disabled sudo... .. Smart.
What security implications?
On March 21st, 2009 Paul_one (not verified) says:
Sudo should be locked down to specific commands (NOT be able to get to a shell prompt, etc).
If this is the case, the physical person logging into the server ALREADY HAS THE PASSWORD.. What's the point in having to type it over and over again for a command you (as a systems admin) have given them the permissions to run?
If it is that risky that you could damage the system - why are you allowing that user to run that command? Why didn't you restrict the command down so the user can only use it in specific ways?
Yes, someone can walk up to your computer while you're away (and the luser hasn't locked it) - doesn't that mean you've got insufficient access/delegation processes (delegating important jobs to ID10T's or allowing the wrong people access to the wrong areas).
But also someone can look over your shoulder - or otherwise capture what you type - (while you're typing your password for the 200th time that day) and more easily capture said password.
So PLEASE, explain what you and one or two posters in here think is meant by "security implications"?
--
Paul_one
or just prompt less often
On March 21st, 2009 Caleb Cushing ( xenoterracide ) (not verified) says:
of course if you can't set nopasswd you can't do this either...
but you could set the timestamp_timeout to something longer than 5 minutes...
or even better, if it's not blocked why don't you just sudo su - [username - is optional] it'll achieve just as good of an effect as this and less hackish, I personally find typing sudo every few seconds annoying. I often leave a root prompt open. I never (read maybe once in a blue moon) run anything other than terminal apps as root. and when I do run things as root I often have a lot of things to do as root so having the shell open only makes sense.
This stupidity of no password continues
On March 21st, 2009 TonyOz (not verified) says:
I have put this on the LinuxToday site link, and I think that the anger I have pretty much equates to that of the sysadmin above. For 10 years I have had Linux security and passwords drummed into me and I absolutely KNOW that they are critical to the use of my OS......now we have small minds trying to undo Linux security. Words begin to fail me.....read on:
I am utterly fed up and disgusted with the stupidity of these "Linux geeks" who are now feeding into the community ways of cancelling (at least temporarily) the use of passwords. This is the second time in at two weeks I have seen this occur and in each case the writer of the article has indicated that doing so will compromise computer security, and yet they then proceeded to continue to show how to do it.
What is with these people who want to make Linux into a clone of Windows where passwords are a joke and security is usually so poor ? The whole point of Linux is that it DOES normally require passwords to do anything that threatens computer security, and as I pointed out earlier, what is so hard about writing in a password ? That's good security and that is what Linux teaches you to do.
I have almost reached the stage where I have become paranoid enough to believe this is a subtle Redmond campaign to destroy one of Linux' main advantages over Windows. Newcomers see this sort of ridiculous suggestion and think: "Right, this is what I am used to doing and I see the warning, but this suggestion would not be here unless I can do it without too much of a problem." I sincerely wish these people would take a little more responsibility for what they write instead of bursting into print with suggestions that turn the clock backwards. We are trying to increase knowledge of computer security in this world of viruses and trojans not decrease it !!!!!!!!!!!!
I love how annoyed some
On March 21st, 2009 James D (not verified) says:
I love how annoyed some people get just because something that's always been there has been published on the internet. There are a lot of dumb things you can do with root privileges, they've always circulated online, and they do have a certain value as light relief. People who don't like this genre of Linux humor should go and sudo rm -Rf themselves.
Humour is one thing, an attempt to destroy security is another
On March 21st, 2009 TonyY (not verified) says:
First of all, I detest your descent into what I call the genre of "garbage humor" - it isn't funny at all, just a reflection of the writer. Second, I do NOT find any article that very deliberately sets out to show how to remove Linux security humorous.....in any way. Of course this weakness is in the Linux OS, but that is no reason to trumpet it over the internet so that ex-Windows users can put in place a procedure that then removes their whole security - and then wonder why they have problems. Knowledge is one thing, responsibility to users is another and in my opinion this article displays complete lack of responsibility to the general public and Linux users.
What the?
On March 21st, 2009 Anonymous (not verified) says:
This is officially the dumbest thing I've seen this month. Thank you.
Perfect!
On March 21st, 2009 Anonymous (not verified) says:
Perfect! teach them how to be insecure just like windblows. if typing a password is too painful, then maybe they should stick with windows.
How do I fix this?
On March 21st, 2009 Anonymous (not verified) says:
It's always worried me that this timeout existed.
I now realise I need to make this impossible to implement.
Is there a way I can ensure that you HAVE to type the sudo password EVERY TIME it is needed?
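An added example, not part of the original thread: the sudoers option timestamp_timeout controls the caching asked about here (0 makes sudo prompt every time, a negative value means the timestamp never expires). The function below, whose name and sample input are constructed for illustration, reports those settings and any NOPASSWD tags found in sudoers text.

```shell
#!/bin/bash
# Added example: report sudoers settings that relax or tighten re-authentication.
# audit_sudo_reauth < sudoers_text
# Prints "finding<TAB>scope<TAB>value" per matching line, in input order.
# Assumptions: one setting per physical line; line continuations and
# included files are not followed.
audit_sudo_reauth() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    /^[ \t]*Defaults/ && /timestamp_timeout[ \t]*=/ {
        v = $0
        sub(/^.*timestamp_timeout[ \t]*=[ \t]*/, "", v)   # keep text after "="
        sub(/[ \t,].*$/, "", v)                           # cut at next option
        scope = $1                             # "Defaults" or "Defaults:user"
        if (v + 0 < 0)       print "NEVER_EXPIRES\t" scope "\t" v
        else if (v + 0 == 0) print "ALWAYS_PROMPT\t" scope "\t" v
        else                 print "CACHED_MINUTES\t" scope "\t" v
        next
    }
    # A NOPASSWD tag removes the password prompt for that rule entirely.
    /NOPASSWD[ \t]*:/ { print "NOPASSWD\t" $1 "\t-" }
    '
}

# Constructed sample sudoers content (hypothetical users and rules).
sample_sudoers() {
    cat <<'EOF'
# Defaults timestamp_timeout=-1
Defaults env_reset
Defaults timestamp_timeout=0
Defaults:deploy timestamp_timeout=-1
Defaults:alice timestamp_timeout=30, !lecture

backup ALL=(root) NOPASSWD: /usr/bin/rsync
carol ALL=(ALL) ALL
EOF
}

sample_sudoers | audit_sudo_reauth
```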
'sudo -S "your command" <
On March 20th, 2009 gopalakk (not verified) says:
'sudo -S "your command" < ~/.mypasswd' where ~/.mypasswd contains your password should do the trick. Ensure that only you can read / write to ~/.mypasswd.
Wrong no matter how you turn it
On March 20th, 2009 FussyPenguin (not verified) says:
Besides being a security threat and a complicated way of not logging in as root from the very beginning at the X greeter, I think that's a silly workaround that proves a lack of knowledge of how sudo works.
There is a specific syntax for doing such nasty things:
“username ALL=(ALL) ALL” in the sudoers will do the trick
Disappointed.
sudo
On March 20th, 2009 Anonymous (not verified) says:
Isn't it easier to type >sudo bash than type password once. You have shell with root privileges inheriting all environment settings.
Joke's on me!
On March 20th, 2009 Jason (not verified) says:
Hahaha! I thought this article was going to be some kind of warning about the inherent security issues with sudo. Boy do I feel silly!
Hmmm...
On March 20th, 2009 mwallette (not verified) says:
Were I a Unix sys admin (and I am), and were I to find anyone on any of the systems I administer doing such a thing (unlikely, but I digress), I would *immediately* revoke sudo privileges for said user. As you mention in your footnote, there are security implications to this tip, and that is the reason sudo times out the password. On your own system at home, it's one thing. However, in the corporate world, sys admins often take a very, very dim view of users trying to weasel around their security policies.
Privilege escalation exploit
On March 20th, 2009 crashsystems (not verified) says:
Hmm, great privilege escalation exploit!