How can I force sudo to always ask for a password after waking from suspend?

Say I execute a command with sudo, then if I use sudo within the next 15/5 minutes (not sure how long it remembers me for) it won't prompt me for a password. It will only prompt me again if I haven't used it for at least that long.

However, if I suspend my machine, wake it up, and login before that time period has ended, I can just execute a sudo command again and it won't ask me for my password because I haven't let it be for the certain amount of time.

So how can I make it so that no matter how long I haven't used sudo for, it will definitely prompt me for a password after the suspend once I've logged in again, even if I'm still within that time frame where the 15/5 minutes of not using sudo haven't passed yet?

The most likely thing that will work is to get it to execute a command to remove all identity caches for sudo upon the execution of a certain command which is executed on wakeup.

I am running Ubuntu GNOME 15.10 with GNOME 3.18.


From man sudo:

     -K, --remove-timestamp
                 Similar to the -k option, except that it removes the user's
                 cached credentials entirely and may not be used in conjunc‐
                 tion with a command or other option.  This option does not
                 require a password.  Not all security policies support cre‐
                 dential caching.

So what you want is your user to run sudo -K each time the system suspends.

Ubuntu 15.04+ (systemd)

This can be done on Ubuntu 15.04+ by placing a script in /lib/systemd/system-sleep/.

  1. Run sudo nano /lib/systemd/system-sleep/disable_sudo_user (replace user with your user's username for convenience);
  2. Paste in the following script (replace user with your user's username):
#!/bin/sh
case $1/$2 in
    pre/suspend)
        su user -c 'sudo -K'
        ;;
esac
  1. Hit CTRL+O, ENTER and CTRL+X;

  2. Run sudo chmod o+x /lib/systemd/system-sleep/disable_sudo_user;


To enable this also for hibernation / hybrid-sleep, use this script instead:

#!/bin/sh
case $1 in
    pre)
        su user -c 'sudo -K'
        ;;
esac

Previous Ubuntu versions (Upstart)

This can be done on previous Ubuntu versions by placing a script in /etc/pm/sleep.d/.

  1. Run sudo nano /etc/pm/sleep.d/disable_sudo_user (replace user with your user's username for convenience);
  2. Paste in the following script (replace user with your user's username):
#!/bin/sh
case $1 in
    suspend)
        su user -c 'sudo -K'
        ;;
esac
  1. Hit CTRL+O, ENTER and CTRL+X;

  2. Run sudo chmod o+x /etc/pm/sleep.d/disable_sudo_user;


To enable this also for hibernation, use this script instead:

#!/bin/sh
case $1 in
    suspend|hybernate)
        su user -c 'sudo -K'
        ;;
esac

Only if you are that paranoid! You can use the -K option of sudo.

-K, --reset-timestamp
       When used without a command, invalidates the user's cached credentials.  
       In other words, the next time sudo is run a password will be required.  
       This option does not require a password and was added to allow a user to revoke
       sudo permissions from a .logout file.

       When used in conjunction with a command or an option that may require a 
       password, this option will cause sudo to ignore the user's cached credentials.  
       As a result, sudo will prompt for a password (if one is required by the 
       security policy) and will not update the user's cached credentials.

       Not all security policies support credential caching.

for example,

sudo -K <command>

Or you could just leave your computer in a metal box guarded by robots :)