1. Introduction
The sudo command allows a regular user to execute commands with superuser rights. When performing administrative tasks, we might need sudo multiple times within a given timeframe.
In this tutorial, we explore the sudo session time and how to modify it. First, we talk about the reason we need such a tool and what its alternatives might look like. After that, we show how to completely remove password entry requirements with sudo. Finally, we use an option to modify the time of a sudo session.
We tested the code in this tutorial on Debian 11 (Bullseye) with GNU Bash 5.1.4. It should work in most POSIX-compliant environments.
2. Superuser Access Restrictions
Sometimes, an administrator might need permanent superuser access for multiple commands over a longer time span.
2.1. Login as root
One way to execute many commands as a superuser is to log in as the root user:
$ su
Password:
#In fact, we can even use sudo to provide our own password instead of setting a password for root:
$ sudo su
[sudo] password for baeldung:
#However, logging in as root is discouraged due to the power it provides over the system. For example, commands like rm and chmod would be allowed to run rampant from the filesystem root / when we run them as the root user:
# echo $path
# rm --recursive --force /$path
# chmod --recursive baeldung:baeldung /$pathBoth of the last two commands above can result in potentially disastrous problems. Of course, using sudo would result in the same, but it can be the step that causes users and administrators to reevaluate such actions and their consequences.
2.2. Scripts and One-Liners
Other ways to run more than one superuser command at once include scripts and one-liners:
$ sudo /admin.sh
Script in superuser context.
$ sudo -- bash -c 'echo "Run"; echo "multiple"; echo "commands.";'
[sudo] password for baeldung:
Run
multiple
commands.First, we run the admin.sh script with sudo. After that, we use the -c switch of bash to run a number of semicolon-separated commands within single quotes.
Of course, these methods can quickly become inconvenient, especially when working with many unrelated commands or for a longer period.
3. sudo Session Period
Usually, we enter a password when running sudo. Yet, because of the inconveniences this may cause, sudo remembers the correct password entry for a period of time, i.e., a session.
As we did for sudo environment variable rules, we can change the sudoers configuration via /etc/sudoers or a new file under /etc/sudoers.d/ (for some Linux distributions):
$ cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
[...]To modify any sudoers file, we use visudo, which protects against syntax errors and parallel changes.
So, to turn off the password entry requirement for a given user altogether, we can add the following line to /etc/sudoers via visudo:
Defaults:baeldung !authenticateNow, user baeldung needs to prepend sudo to any command they want to be executed as a superuser. As this further diminishes the border between such a user and root, it’s not recommended.
Notably, the time of a sudo session is hardcoded to 5 minutes (300 seconds), although there is no explicit line in the configuration by default.
Of course, we can modify that, too:
Defaults timestamp_timeout=666In this case, we configure the session length to 666 minutes via the timestamp_timeout option. Using 0 forces sudo to always require a password, while a negative value means infinite session lengths for the lifetime of the shell and terminal.
4. Summary
In this article, we talked about sudo sessions, why we need them, and how to control their lengths.
In conclusion, while circumventing the sudo mechanism altogether doesn’t coincide with best practices in most cases, increasing the time of a sudo session can sometimes be more convenient.