sudo permission doesn't time out durring apt-get upgrade

Solution 1:

You aren't prompted for a password because sudo has done it's job and started apt-get as root. While it's in the prompt, the apt-get process is still running, and so since it's still running as root, there's no need to enter your password again.

In other words, as long as a sudo'ed process is running, you won't be asked to enter your password again for that process; sudo doesn't interrupt the process every 15 minutes (the default timeout) and ask for your password.

Now, if you were to open another terminal and try to run another process under sudo, then you will be prompted for your password.

Solution 2:

sudo's default timestamp_timeout variable is 15 minutes. This means that if you click n on sudo apt-get upgrade within 15 minutes, you can anticipate entering root shell with sudo -i. That's exactly what happened. However, if you set that in /etc/sudoers as Default timestamp_timeout 0 , you will be prompted for it every time. Personally, I've set it to 3. If your sudo doesn't time out even after 15 minutes, then there's something seriously wrong with your sudo binary.

This behavior isn't a security hole, but rather a "convenience feature" for the sudo users. However, I can agree that for tighter security the timestamp_timeout has to be set to much shorter time than 15 minutes.

Note: passwd_timeout option that I've mentioned in my comment actually times out the password prompt when you don't type in password for x minutes. That's one of the nice moments where you realize that you should read man sudoers much more carefully.