sudo -k vs. sudo -K
I know what the man page has to say about the -K and -k:
‑K
The ‑K (sure kill) option is like ‑k except that it removes the user's cached credentials entirely and may not be used in conjunction with a command or other option. This option does not require a password. Not all security policies support credential caching.
‑k[command]
When used alone, the ‑k (kill) option to sudo invalidates the user's cached credentials. The next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file. Not all security policies support credential caching. When used in conjunction with a command or an option that may require a password, the ‑k option will cause sudo to ignore the user's cached credentials. As a result, sudo will prompt for a password (if one is required by the security policy) and will not update the user's cached credentials.
So if there is no need to use a command in conjunction with these options, am I correct in assuming K is always the better option to use rather than k?
sudo -K and sudo -k, without a command, do the same thing: they invalidate the user's cached credentials.
sudo -k command ... is different: it ignores the user's cached credentials for the current command, but doesn't invalidate them.
Use -k with a command when you want to run a single command without either using or clobbering your cached credentials. (I'm actually not sure why you'd want to do that, but the capability is there.)
Use either sudo -k or sudo -K if you want to clobber your cached credentials.
Summary:
sudo -k # clobbers cached credentials
sudo -K # clobbers cached credentials
sudo -k command # ignores cached credentials
sudo -K command # invalid
UPDATE:
Revisiting this answer, it looks like the only difference between -k and -K is that -k accepts a command and -K does not. I'm not convinced having two separate options is useful, since -K doesn't really add any functionality that -k doesn't provide. There is a subtle difference in wording in the man page; -k "invalidates the user's cached credentials", while -K "removes the user's cached credentials entirely". I don't think that indicates a real difference in the way it affects the credentials.
sudo -K will invalidate your cached credentials across all terminal sessions. This can be useful to run prior to locking your DE.
sudo -k will only invalidate your cached credentials for the current terminal session.
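The behaviours quoted from the man page above, written as helpers for a logout or screen-lock hook. This is an added example, not part of the original question or answers. The function names are hypothetical; the sudo flags used (-k, -K, -n, -v) are real.

```shell
#!/bin/sh
# Added example: helpers for a .logout file or a screen-lock hook.
# Function names are hypothetical; -k, -K, -n and -v are real sudo flags.

# Return 0 if sudo would run right now without prompting, that is,
# credentials are cached or the policy requires no password.
# -n makes sudo fail instead of prompting; -v validates without a command.
sudo_is_cached() {
    sudo -n -v 2>/dev/null
}

# Remove the cached credentials, then confirm that a prompt would now
# be required. Prints "revoked" or "still-valid"; returns 0 only when
# the credentials are really gone.
sudo_revoke() {
    sudo -K
    if sudo_is_cached; then
        # Typical cause: the policy does not require a password at all.
        echo "still-valid"
        return 1
    fi
    echo "revoked"
}

# Run a single command while ignoring the cache: sudo prompts if the
# policy requires a password and leaves the cached credentials untouched.
sudo_fresh() {
    sudo -k -- "$@"
}
```

Calling sudo_revoke from a logout or lock script gives a checkable result rather than assuming the cache was cleared.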