How do I force `sudo` to ask for a password each time when a specific command is used?

command-line password sudo

Is there a way to force the sudo command to ask for a password each time when I'm using sudo rm /path/file?

I want to protect my self from stupid mistakes, committed due to low attention when I'm running some commands from the history.


As noted in other answers, sudo can set a timeout on the cached credential timestamp. This can be done specifically for a given command using Defaults in sudoers:

Defaults!/bin/rm timestamp_timeout=0

Always remember to edit sudoers with visudo. I recommend a drop-in file in /etc/sudoers.d instead of editing /etc/sudoers directly. For example:

sudo visudo -f /etc/sudoers.d/always-ask-pass-for-rm

From the manpage for sudoers:

Defaults

Certain configuration options may be changed from their default values at run-time via one or more Default_Entry lines. These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Note that per-command entries may not include command line arguments. If you need to specify arguments, define a Cmnd_Alias and reference that instead.

Default_Type ::= 'Defaults' |
                 'Defaults' '@' Host_List |
                 'Defaults' ':' User_List |
                 'Defaults' '!' Cmnd_List |
                 'Defaults' '>' Runas_List

Default_Entry ::= Default_Type Parameter_List

Parameter_List ::= Parameter |
                   Parameter ',' Parameter_List

Parameter ::= Parameter '=' Value |
              Parameter '+=' Value |
              Parameter '-=' Value |
              '!'* Parameter

Note that it does say you can affect "commands being run as a specific user", but doesn't mention commands being run by a specific user, so it might not be possible to constrain it only for your user. The examples in the manpage don't include anything for that.


You can use k option with sudo to reset the timestamp.

If sudo -k is used as a command, it would expire/invalidate the cached credentials immediately.

But if sudo -k is used with some command, for example, sudo -k rm /some/file, the shell would ask for password even if some credentials are already cached. In this case, the new credentials won't be cached. That means if another command with sudo is executed after that, it won't ask for password (if credentials were cached previously).

From sudo's manpage:

-k [command]

        When used alone, the -k (kill) option to sudo invalidates the user's cached credentials. The next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file. Not all security policies support credential caching.

        When used in conjunction with a command or an option that may require a password, the -k option will cause sudo to ignore the user's cached credentials. As a result, sudo will prompt for a password (if one is required by the security policy) and will not update the user's cached credentials.

If you want to make sudo to ask for password for specific commands without using k every time, you can define custom functions in .bashrc. For example, from pa4080's comment:

sudo() { if [[ $@ =~ ^rm ]]; then /usr/bin/sudo -k "$@"; else /usr/bin/sudo "$@"; fi; }

Related

How to remove all LVs VGs and Partitions On All Drives Before Installing 12.04
Can Ubuntu Server 10.04.4 LTS be upgraded to NON-LTS?
How do I change the date format in Gnome 3 shell?
Where can I find a Subversion 1.8 binary?
How to install Kazam 1.5.3?
Using locate to find a directory
Gimp colours do not fill correctly
Exit file explorer in Vim without closing
Telegram Persian font changed after upgrade to 18.10!
Is it possible to install Ubuntu without formatting any partitions?
Is it possible to install Firefox on Ubuntu with no desktop enviroment?
Is there a command that returns network utilization?