How do I force `sudo` to ask for a password each time when a specific command is used?

command-line sudo password

5,568

Solution 1

As noted in other answers, sudo can set a timeout on the cached credential timestamp. This can be done specifically for a given command using Defaults in sudoers:

Defaults!/bin/rm timestamp_timeout=0

Always remember to edit sudoers with visudo. I recommend a drop-in file in /etc/sudoers.d instead of editing /etc/sudoers directly. For example:

sudo visudo -f /etc/sudoers.d/always-ask-pass-for-rm

From the manpage for sudoers:

Defaults

Certain configuration options may be changed from their default values at run-time via one or more Default_Entry lines. These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Note that per-command entries may not include command line arguments. If you need to specify arguments, define a Cmnd_Alias and reference that instead.
Default_Type ::= 'Defaults' |
                 'Defaults' '@' Host_List |
                 'Defaults' ':' User_List |
                 'Defaults' '!' Cmnd_List |
                 'Defaults' '>' Runas_List

Default_Entry ::= Default_Type Parameter_List

Parameter_List ::= Parameter |
                   Parameter ',' Parameter_List

Parameter ::= Parameter '=' Value |
              Parameter '+=' Value |
              Parameter '-=' Value |
              '!'* Parameter

Note that it does say you can affect "commands being run as a specific user", but doesn't mention commands being run by a specific user, so it might not be possible to constrain it only for your user. The examples in the manpage don't include anything for that.

Solution 2

You can use k option with sudo to reset the timestamp.

If sudo -k is used as a command, it would expire/invalidate the cached credentials immediately.

But if sudo -k is used with some command, for example, sudo -k rm /some/file, the shell would ask for password even if some credentials are already cached. In this case, the new credentials won't be cached. That means if another command with sudo is executed after that, it won't ask for password (if credentials were cached previously).

From sudo's manpage:

-k [command]

When used alone, the -k (kill) option to sudo invalidates the user's cached credentials. The next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file. Not all security policies support credential caching.

When used in conjunction with a command or an option that may require a password, the -k option will cause sudo to ignore the user's cached credentials. As a result, sudo will prompt for a password (if one is required by the security policy) and will not update the user's cached credentials.

If you want to make sudo to ask for password for specific commands without using k every time, you can define custom functions in .bashrc. For example, from pa4080's comment:

sudo() { if [[ $@ =~ ^rm ]]; then /usr/bin/sudo -k "$@"; else /usr/bin/sudo "$@"; fi; }

Solution 3

You can set sudo to always ask for a password:


$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset, timestamp_timeout=120, pwfeedback
#Defaults   mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

In my configuration I have sudo timeout set at 2 hours (120 minutes) before it asks for a password again. Setting it to 0 will require password every time you use sudo

Solution 4

`rm` wrapper script

Sometime ago I wrote a wrapper script for the rm command:

How can I set up a password for the 'rm' command?

Some of the notable features:

An encrypted password must be used each time rm is called unless it is being used within a batch job like sudo apt-get or sudo update-grub.
Ensure top level directories are never removed even if a relative path was passed.
Every time rm is used it is logged to journalctl and /var/log/syslog.

View more solutions

5,568

pa4080

I have a degree as a Mechanical Engineer and Doctor of Engineering Science as well. However, since I am self-educated at Computer Science and English language, please be tolerant at my mistakes and feel free to correct them when it is necessary. Actually my real name is Sраs Zdrаvkоv Sраsоv. In my birthplace Pacho is "short" for Spas. So the first two letters of my nickname - 'pa' - comes from there. Written in Bulgarian, the number '4' starts with the letter 'ч' that is pronounced as 'ch'. The number '0' looks like the letter 'o'. So we have 'pa40', and finally '80' is my birth year ;) This nickname originates from the time before ICQ and mIRC was modern. Create Digital Ocean account and get $100 in credit to use for 2 months just for signing up.

Updated on September 18, 2022

Comments

pa4080 over 1 year

Is there a way to force the sudo command to ask for a password each time when I'm using sudo rm /path/file?

I want to protect my self from stupid mistakes, committed due to low attention when I'm running some commands from the history.
chepner over 4 years

Why set it to 1 minute? The OP asks for no caching of credentials; set it to 0.
chepner over 4 years

But why so much emphasis on the values the user isn't asking about? Setting it to 0 seems like an afterthought, when it should be the entire answer.
WinEunuuchs2Unix over 4 years

@chepner I've revised answer. Thanks.
bac0n over 4 years

it is easy to circumvent by using full path to sudo so i think it gives a false sense of security.
bac0n over 4 years

ln -s /bin/rm rmdo; sudo ./rmdo <file>
sudo mcsudoface over 4 years

@bac0n I'm operating under the assumption that this is more to deter accidental gun-to-foot scenarios rather than to prevent deliberate attack. Otherwise one would be pretty dumb to allow arbitrary sudo commands for any account with shell access.
ymbirtt over 4 years

@bac0n, I agree that this is easy to circumvent, but I don't think this means that it gives a false sense of security. The use-case here is like a fire alarm with a cover over it; the cover isn't to stop malicious users from triggering the alarm, it's to stop an inattentive user from accidentally leaning against the button. The fact that it's easy to deliberately bypass is kind of the intention, not an exploit.
WinEunuuchs2Unix over 4 years

Great first time answer from a user account created just today! It's like my own answer below on steroids. Well done.
Kulfy over 4 years

How do I adopt this method when there isn't any specific executable binary, for eg. Shell in-built commands?
Eliah Kagan over 4 years

@Kulfy How would you run a shell builtin with sudo?
Kulfy over 4 years

@EliahKagan For example sudo alias? This might sound odd but I'm just curious.
Eliah Kagan over 4 years

@Kulfy sudo only runs external commands. sudo alias gives the error "sudo: alias: command not found" outside the unusual case that you also have an external command called alias. Some shells, like Bash, have some builtins that shadow external commands. If one tries to run them with sudo, one really runs the same-named external commands. For example, sudo kill, sudo printf, and sudo echo run external commands. See Why doesn't `sudo cd /var/named` work?, Why is there a /bin/echo and why would I want to use it?.
Kulfy over 4 years

@EliahKagan I see. Thanks for the information.