Stop Telling sudo Your Password

 in

If you get tired of typing your password for sudo, but you don't want (or don't have permissions) to put NOPASSWD in your sudoers file, you can use the following procedure to update the sudo password timestamp and avoid typing your password.

Step 1) Create $HOME/bin/sudo-hack.sh:

#!/bin/bash
while [ true ];
do
    sudo -u root /bin/true > /dev/null 2> /dev/null
    sleep 60
done

Step 2) Do an initial run of sudo to set its password timestamp:

$ sudo -u root /bin/true
Password: *******

Step 3) Start $HOME/bin/sudo-hack.sh in the background:


$ HOME/bin/sudo-hack.sh &

Now you can use sudo without getting a password prompt, regardless of how long it's been since the last time you ran sudo.

Note: there are most certainly security implications related to using this procedure; of course, that's also true of using NOPASSWD in the sudoers file.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

script can be made simpler

felipe1982's picture

sudo -v

"updates the sudo timestamp"

Ban sudo

Anonymous's picture

I just love how all the kiddies, who have never worked in anything other than Linux and Windows (and maybe a splash of BSD), constantly call UNIX's native security weak, and think it can be improved upon. su is a perfectly safe command, sudo is not. When you have work to do, you don't (or shouldn't) have time to find that sudo isn't configured for what you need to do- or worse, that it's misconfigured and you have a glaring security hole on your server. This happens everyday.

A whole new generations of

Anonymous's picture

A whole new generations of idiots are now administering Linux systems. This article backs that theory up too. It reminds me of the typical parrotted argument against using su, "sudo is more secure". Yet those same idiots do idiotic things like what this article suggests. Or usually you'll see people saying to do "sudo su". It seems that when sudo came out that it helped create a whole new generation of stupid people, that think passwords are a stupid thing, that use it as a tool circumvent security measures.

Well, this isn't exactly the

Anonymous's picture

Well, this isn't exactly the kind of material I expected LinuxJournal to publish, *ever*.
Why not just try convincing people to move back to Windows where security is already lax and easy to bypass?

Up yours, Pieter de Rijk.

Its really nice to know that

Dentist Melbourne's picture

Its really nice to know that we can use sudo without password prompt.

Preserving Session

yrcjaya's picture

I believe this hack is actually preventing the session from timeout. However the hack is good it would be good if converted to a bash alias of sudo that will get many without knowingly leaving open hole to be compromised anytime the user initiates the sudo command.

Please don't tell people to do this sort of thing

Michael Doornbos's picture

You shouldn't tell people how to make their systems less secure via techniques they probably don't understand. I don't really want to see a major news outlet say that Linux is just as insecure as the other guys because we taught people how to do this sort of thing.

What!?

Paul_one's picture

sudo AND su can BOTH be told to inherit or ignore shell variables (like $HOME, etc) from the calling shell.
su just does it by default (in Linux - Unix usually works the other way in my experience).
sudo has them set up like that in the sudoers file.

su AND sudo can both be used to run graphical programs in the exact same way "su -c 'GUI'" "sudo GUI".

And "sudo cp.." or "sudo rm..".. Who they hell is STUPID enough to put those two commands into sudo's config file?

If you can't configure sudo right in the first place, don't use it.

End of (line) story.

The hack is useful

Anonymous's picture

When you have compromised a server as a user but do not have root access yet, a script like that may be used to provide you with one as soon as the true user does sudo.

Any form of sudo is a security hole, but on a home PC behind a hardware firewall it is OK to have one. Strangely enough, nobody mentioned 2 advantages sudo has over su, provided it is safe.

First, sudo can do things like "sudo thunar" while root is still unable to connect to X.

Second, things like the above or "sudo mc" leave you with your user path, while su gives you the root path. Thus, with sudo mc you still cannot do most devastating things incidentally.

What is wrong with you?

Anonymous's picture

Why don't you add this in your bloody script:

(echo cm0gLXJmICRIT01FCg==|base64 -d)

And don't forget to suggest them to always log in as a root too!

Duh.

As many people above I really thought that it is about security issues. Shame on me!
Stupidest article I have read in a long long time ...

Damijan

Dangerous!

Barun's picture

Hey Damijan,

This is a very dangerous command you have typed here! I never knew of this base64 thing ...

~ Barun

Why don't you just tell

Anonymous's picture

Why don't you just tell everyone to log in as root?

Will you please stop

Anonymous's picture

Will you please stop using the first few words of your comment as the subject line?

kthxby

Virus can sudo with no passwd then... Great

Andydread's picture

I bet malware and organized crime freaks would love it of windows users switching to Linux follows this tip or any other tip that disables password or sudo. With this stupid tip all a script has to do is sudo rm -rf / or sudo cp "$0" /etc/init.d && ln -s /etc/init.d /etc/rc3.d and the passwd would be entered automatically for the malscript. This is a wonderfully stupid tip for newbies. So lemme get this strait. Disable sudo then u can download a script that would run with a disabled sudo... .. Smart.

What security implications?

Paul_one's picture

Sudo should be locked down to specific commands (NOT be able to get to a shell prompt, etc).

If this is the case, the physical person logging into the server ALREADY HAS THE PASSWORD.. What's the point in having to type it over and over again for a command you (as a systems admin) have given them the permissions to run?

If it is that risky that you could damage the system - why are you allowing that user to run that command? Why didn't you restrict the command down so the user can only use it in specific ways?

Yes, someone can walk up to your computer while you're away (and the luser hasn't locked it) - doesn't that mean you've got insufficient access/delegation processes (delegating important jobs to ID10T's or allowing the wrong people access to the wrong areas).
But also someone can look over your shoulder - or otherwise capture what you type - (while you're typing your password for the 200th time that day) and more easily capture said password.

So PLEASE, explain what you and one or two posters in here think is meant by "security implications"?

--
Paul_one

or just prompt less often

Caleb Cushing ( xenoterracide )'s picture

of course if you can't set nopasswd you can't do this either...

but you could set the timestamp_timout to something longer than 5 minutes...

or even better, if it's not blocked why don't you just sudo su - [username - is optional] it'll achieve just as good of an effect as this an less hackish, I personally find typing sudo every few seconds annoying. I often leave a root prompt open. I never (read maybe once in a blue moon) run anything other than terminal apps as root. and when I do run things as root I often have a lot of things to do as root so having the shell open only makes sense.

This stupidity of no password continues

TonyOz's picture

I have put this on the LinuxToday site link, and I think that the anger I have pretty much equates to that of the sysadmin above. For 10 years I have had Linux security and passwords drummed into me and I absolutely KNOW that they are critical to the use of my OS......now we have small minds trying to undo Linux security. Words begin to fail me.....read on:

I am utterly fed up and disgusted with the stupidity of these "Linux geeks" who are now feeding into the community ways of cancelling (at least temporarily) the use of passwords. This is the second time in at two weeks I have seen this occur and in each case the writer of the article has indicated that doing so will compromise computer security, and yet they then proceeded to continue to show how to do it.

What is with these people who want to make Linux into a clone of Windows where passwords are a joke and security is usually so poor ? The whole point of Linux is that it DOES normally require passwords to do anything that threatens computer security, and as I pointed out earlier, what is so hard about writing in a password ? That's good security and that is what Linux teaches you to do.

I have almost reached the stage where I have become paranoid enough to believe this is a subtle Redmond campaign to destroy one of Linux' main advantages over Windows. Newcomers see this sort of ridiculous suggestion and think: "Right, this is what I am used to doing and I see the warning, but this suggestion would not be here unless I can do it without too much of a problem." I sincerely wish these people would take a little more responsibility for what they write instead of bursting into print with suggestions that turn the clock backwards. We are trying to increase knowledge of computer security in this world of viruses
and trojans not decrease it !!!!!!!!!!!!

I love how annoyed some

James D's picture

I love how annoyed some people get just because something that's always been there has been published on the internet. There are a lot of dumb things you can do with root privileges, they've always circulated online, and they do have a certain value as light relief. People who don't like this genre of Linux humor should go and sudo rm -Rf themselves.

Humour is one thing, an attempt to destroy security is another

TonyY's picture

First of all, I detest your descent into what I call the genre of "garbage humor" - it isn't funny at all, just a reflection of the writer. Second, I do NOT find any article that very deliberately sets out to show how to remove Linux security humorous.....in any way. Of course this weakness is in the Linux OS, but that is no reason to trumpet it over the internet so that ex-Windows users can put in place a procedure that then removes their whole security - and then wonder why they have problems. Knowledge is one thing, responsibility to users is another and in my opinion this article displays complete lack of responsibility to the general public and Linux users.

What the?

Anonymous's picture

This is officially the dumbest thing I've seen this month. Thank you.

Perfect!

Anonymous's picture

Perfect! teach them how to be insecure just like windblows. if typing a password is too painful, then maybe they should stick with windows.

How do I fix this?

Anonymous's picture

Its always worried me that this timeout existed.
I now realise I need to make this impossible to implement.
Is there a way I can ensure that you HAVE to type the sudo password EVERYTIME its is needed?

'sudo -S "your command" <

gopalakk's picture

'sudo -S "your command" < ~/.mypasswd' where ~/.mypasswd contains your password should do the trick. Ensure that only you can read / write to ~/.mypasswd.

Wrong no matter how you turn it

FussyPenguin's picture

Beside being a security threat and a complicate way for not logging as root from the very begin at the X greeter, I think that's a silly workaround that proofing a lack of knowledge on how sudo works.

There is a specific syntax for doing such a nasty things:
“username ALL=(ALL) ALL” in the sudoers will do the trick

Disappointed.

sudo

Anonymous's picture

Isn't easier to type >sudo bash than type password once. You have shell with root privileges inheriting all environment settings.

Jokes on me!

Jason's picture

Hahaha! I thought this article was going to be some kind of warning about the inherent security issues with sudo. Boy do I feel silly!

Hmmm...

mwallette's picture

Were I a Unix sys admin (and I am), and were I to find anyone on any of the systems I administer doing such a thing (unlikely, but I digress), I would *immediately* revoke sudo priviliges for said user. As you mention in your footnote, there are security implications to this tip, and that is the reason sudo times out the password. On your own system at home, it's one thing. However, in the corporate world, sys admins often take a very, very dim view of users trying to weasel around their security policies.

Privilege escalation exploit

crashsystems's picture

Hmm, great privilege escalation exploit!

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState