sudo credential caching on by default
Solution 1:
It actually caches the right to elevate, but not your password, and has done so for quite a while. However, it does so for only fifteen minutes, by default. This is by design:
From http://linux.die.net/man/8/sudo:
Once a user has been authenticated, a time stamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden in sudoers).
and as a note of security from man sudoers:
sudo will check the ownership of its time stamp directory (/var/db/sudo by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than root. On systems that allow non-root users to give away files via chown(2), if the time stamp directory is located in a directory writable by anyone (e.g., /tmp), it is possible for a user to create the time stamp directory before sudo is run. However, because sudo checks the ownership and mode of the directory and its contents, the only damage that can be done is to "hide" files by putting them in the time stamp dir. This is unlikely to happen since once the time stamp dir is owned by root and inaccessible by any other user, the user placing files there would be unable to get them back out. To get around this issue you can use a directory that is not world-writable for the time stamps (/var/adm/sudo for instance) or create /var/db/sudo with the appropriate owner (root) and permissions (0700) in the system startup files.
and from the same page:
Since time stamp files live in the file system, they can outlive a user's login session. As a result, a user may be able to login, run a command with sudo after authenticating, logout, login again, and run sudo without authenticating so long as the time stamp file's modification time is within 5 minutes (or whatever the timeout is set to in sudoers). When the tty_tickets option is enabled in sudoers, the time stamp has per-tty granularity but still may outlive the user's session. On Linux systems where the devpts filesystem is used, Solaris systems with the devices filesystem, as well as other systems that utilize a devfs filesystem that monotonically increase the inode number of devices as they are created (such as Mac OS X), sudo is able to determine when a tty-based time stamp file is stale and will ignore it. Administrators should not rely on this feature as it is not universally available.
As seen here, this behavior has persisted for a long time.
If you want to change this, use visudo to set the timestamp_timeout option.
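The ownership and mode checks quoted from man sudoers above, as an added example that is not part of the original answer or of sudo itself: a POSIX shell function that audits a time stamp directory against the same conditions. The function names, return codes and the optional expected-UID argument are assumptions made for this example; pass it the time stamp directory your system uses.

```shell
#!/bin/sh
# Added example: audit a sudo time stamp directory against the conditions
# described in the sudoers manual. Names and return codes are assumptions.

# Print "<mode-string> <numeric-uid>" for a path using POSIX ls and awk.
ts_mode_uid() {
    ls -ldn -- "$1" | awk '{ print $1, $3 }'
}

# check_ts_dir DIR [EXPECTED_UID]
# Returns 0 if DIR passes every check, 1 if any check fails, 2 if DIR is missing.
check_ts_dir() {
    ts_dir=$1
    ts_want_uid=${2:-0}   # root unless overridden (the override exists for testing)
    ts_rc=0

    [ -d "$ts_dir" ] || { echo "MISSING: $ts_dir is not a directory"; return 2; }

    ts_info=$(ts_mode_uid "$ts_dir")
    ts_mode=${ts_info%% *}
    ts_uid=${ts_info##* }

    # sudo ignores the directory's contents if it is not owned by root ...
    if [ "$ts_uid" != "$ts_want_uid" ]; then
        echo "FAIL: $ts_dir owned by uid $ts_uid, expected $ts_want_uid"; ts_rc=1
    fi

    # ... or if it is writable by a user other than root
    # (character 6 of the mode string = group write, character 9 = other write).
    case $ts_mode in
        ?????w*|????????w*) echo "FAIL: $ts_dir is group/other writable ($ts_mode)"; ts_rc=1 ;;
    esac

    # A world-writable parent (e.g. /tmp) lets a user create the directory first.
    ts_parent=$(dirname "$ts_dir")
    case $(ts_mode_uid "$ts_parent") in
        ????????w*) echo "FAIL: parent $ts_parent is world-writable"; ts_rc=1 ;;
    esac

    if [ "$ts_rc" -eq 0 ]; then echo "OK: $ts_dir ($ts_mode, uid $ts_uid)"; fi
    return "$ts_rc"
}

# Run the audit only when a directory is given on the command line.
if [ $# -gt 0 ]; then check_ts_dir "$@"; fi
```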