How can I force sudo to always ask for a password after waking from suspend?
Say I execute a command with sudo, then if I use sudo within the next 15/5 minutes (not sure how long it remembers me for) it won't prompt me for a password. It will only prompt me again if I haven't used it for at least that long.
However, if I suspend my machine, wake it up, and login before that time period has ended, I can just execute a sudo command again and it won't ask me for my password because I haven't let it be for the certain amount of time.
So how can I make it so that no matter how long I haven't used sudo for, it will definitely prompt me for a password after the suspend once I've logged in again, even if I'm still within that time frame where the 15/5 minutes of not using sudo haven't passed yet?
The most likely thing that will work is to get it to execute a command to remove all identity caches for sudo upon the execution of a certain command which is executed on wakeup.
I am running Ubuntu GNOME 15.10 with GNOME 3.18.
From man sudo:
-K, --remove-timestamp
Similar to the -k option, except that it removes the user's
cached credentials entirely and may not be used in conjunc‐
tion with a command or other option. This option does not
require a password. Not all security policies support cre‐
dential caching.
So what you want is your user to run sudo -K each time the system suspends.
Ubuntu 15.04+ (systemd)
This can be done on Ubuntu 15.04+ by placing a script in /lib/systemd/system-sleep/.
- Run
sudo nano /lib/systemd/system-sleep/disable_sudo_user(replaceuserwith your user's username for convenience); - Paste in the following script (replace
userwith your user's username):
#!/bin/sh
case $1/$2 in
pre/suspend)
su user -c 'sudo -K'
;;
esac
Hit CTRL+O, ENTER and CTRL+X;
Run
sudo chmod o+x /lib/systemd/system-sleep/disable_sudo_user;
To enable this also for hibernation / hybrid-sleep, use this script instead:
#!/bin/sh
case $1 in
pre)
su user -c 'sudo -K'
;;
esac
Previous Ubuntu versions (Upstart)
This can be done on previous Ubuntu versions by placing a script in /etc/pm/sleep.d/.
- Run
sudo nano /etc/pm/sleep.d/disable_sudo_user(replaceuserwith your user's username for convenience); - Paste in the following script (replace
userwith your user's username):
#!/bin/sh
case $1 in
suspend)
su user -c 'sudo -K'
;;
esac
Hit CTRL+O, ENTER and CTRL+X;
Run
sudo chmod o+x /etc/pm/sleep.d/disable_sudo_user;
To enable this also for hibernation, use this script instead:
#!/bin/sh
case $1 in
suspend|hybernate)
su user -c 'sudo -K'
;;
esac
Only if you are that paranoid! You can use the -K option of sudo.
-K, --reset-timestamp
When used without a command, invalidates the user's cached credentials.
In other words, the next time sudo is run a password will be required.
This option does not require a password and was added to allow a user to revoke
sudo permissions from a .logout file.
When used in conjunction with a command or an option that may require a
password, this option will cause sudo to ignore the user's cached credentials.
As a result, sudo will prompt for a password (if one is required by the
security policy) and will not update the user's cached credentials.
Not all security policies support credential caching.
for example,
sudo -K <command>
Or you could just leave your computer in a metal box guarded by robots :)