I've set up sudo not to prompt for a password by editing the sudoers file:

    myuser ALL=(ALL:ALL) NOPASSWD: ALL

And it works fine, running sudo with no password prompting. But when entering `sudo -v` I noticed that it prompted for a password, only once. I know what `sudo -v` does, from the manual:

> If given the -v (validate) option, sudo will update the user's time stamp, prompting for the user's password if necessary. This extends the sudo timeout for another 15 minutes (or whatever the timeout is set to in sudoers) but does not run a command.

And I know I don't need to use it anyway (or am I wrong?).

The question is: why did `sudo -v` prompt for a password when sudo is configured not to ask that user for a password? And especially when `sudo -v` is run after another sudo command: why isn't the timestamp updated unless `sudo -v` is run explicitly?

My machine is running Ubuntu Server 11.10, if that matters.

EDIT: running `sudo sudo -v` requires no password, but doesn't seem to update the timestamp, because when immediately followed by `sudo -v`, it prompts for a password again.

What is the mechanism used in updating the sudo timestamp? Why is the timestamp not updated when running any sudo command and then running `sudo -v`?

amyassin

2 Answers

Almost certainly because the Defaults option `authenticate` is set to on. From the sudoers man page:

> authenticate: If set, users must authenticate themselves via a password before they may run commands. This default may be overridden by the PASSWD and NOPASSWD tags. This flag is on by default.

In other words, your NOPASSWD flag overrides the password requirement but only for the specified commands. In any other circumstance, a password is required. This default was added to close the security loophole caused by the `sudo -l` command.

itsbruce
  • But the specified commands are ALL, right? And how can I set `authenticate` to off? I can't seem to find that in the man page. – amyassin Oct 14 '12 at 10:58
  • *ALL* commands that you run using **sudo**; you are not running sudo using sudo, however. That is, you are not running **sudo sudo -v**. So it doesn't apply. To change the authenticate setting, consult the section of the man page that deals with defaults and also look at the examples at the end. – itsbruce Oct 14 '12 at 13:26
  • Well, running `sudo sudo -v` requires no password, and I thought it would update the timestamp; however, running `sudo -v` immediately after that prompts for a password. I've edited that into the question too. – amyassin Oct 15 '12 at 13:07
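
Because NOPASSWD lifts the password requirement only for the commands a rule lists, while `authenticate` governs everything else, a sudoers review needs both facts side by side. The audit below is an added example, not code from the posts above or from the sudo project; the sample sudoers text is constructed and the function names are hypothetical. It assumes the standard sudoers rules that a tag carries over to later commands in the same list until reset and that a boolean Defaults flag is negated with `!`.

```python
import re

# Constructed sample sudoers text (not taken from any real host).
SAMPLE = r"""
# constructed example
Defaults        env_reset
Defaults:deploy !authenticate
root    ALL=(ALL:ALL) ALL
myuser  ALL=(ALL:ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \
        PASSWD: /usr/bin/systemctl
%admin  ALL=(ALL) ALL
"""

def logical_lines(text):
    """Join backslash continuations; drop blank and comment lines.
    Limitation: include directives are skipped, not followed."""
    joined = re.sub(r"\\\n", " ", text)
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def audit(text):
    """Return (kind, subject, command) tuples for password-free paths."""
    findings = []
    for line in logical_lines(text):
        m = re.match(r"Defaults(\S*)\s+(.*)", line)
        if m:  # Defaults, optionally scoped as :user, @host, >runas, !cmnd
            scope = m.group(1) or "global"
            if "!authenticate" in [p.strip() for p in m.group(2).split(",")]:
                findings.append(("authenticate-off", scope, ""))
            continue
        if "=" not in line or line.split()[0].endswith("_Alias"):
            continue  # not a user specification
        who = line.split()[0]
        spec = line.split("=", 1)[1].strip()
        spec = re.sub(r"^\([^)]*\)\s*", "", spec)  # drop the (runas) list
        nopasswd = False  # tag state carries over to later commands
        for cmd in spec.split(","):  # limitation: escaped commas not handled
            cmd = cmd.strip()
            while (t := re.match(r"([A-Z_]+):\s*", cmd)):
                if t.group(1) in ("PASSWD", "NOPASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            if nopasswd:
                findings.append(("nopasswd", who, cmd))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
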
Considering that the sudoers file is something capable of changing, removing the NOPASSWORD parameter from your user is an option that could happen in the 15 minutes following your -v call, so in order to create a timestamp file (that does not exist/is not relevant unless you input a password), you are asked for a password.

If you want to check if you are able to run something, I would recommend that you run a program to check it, such as `id`, `test`, or whatever fits your use case.

Edit: If you run sudo -v under sudo or any other command under sudo, the fact that you have run a sudo command successfully does not count as authentication, only if you have entered the password or authenticated using PAM in another way (fingerprint, smart card, private key, etc...).
In recent Ubuntu versions (maybe in other distributions) root can run sudo without a password by default.

Didi Kohen