The sudo system is an ingenious way to manage who can run administrative commands on a Linux system. And, for the most part, it’s pretty foolproof. But there are times, when I am busy multitasking or installing new server software on a Linux box, that sudo frustrates me. Why? Because of the default timeout.

By default, sudo will always prompt you for your password after five minutes of sudo inactivity. This is great if you step away from your machine for a bit: once those five minutes of inactivity have passed, anyone who comes along cannot issue a sudo command without first entering a password.

But sometimes I need that to function a bit differently. This is especially the case when I’m working on a machine only I have physical access to and would prefer the sudo timeout be a bit longer. Or, if a machine is in a high traffic area, I might want to change the default behavior such that sudo always asks for a password (no matter how much time has passed).

How do I do that? It’s actually quite simple. All you have to do is edit the sudoers file.

Visudo

In order to edit the sudoers file, there’s a tool you’ll want to know about. That tool is visudo. Why would you want to use visudo instead of just issuing the command sudo nano /etc/sudoers? Simple. Using visudo locks the sudoers file against simultaneous edits. In other words, if you have the sudoers file open in visudo, no one else can open the file in write mode.

On top of that, visudo also runs sanity checks and tests for parse errors — so you don’t have to worry that you’ve made a mistake in the sudoers file that’ll prevent you from using sudo. Without using visudo, you could leave an error in the sudoers file that would render you unable to do any administrative work.

Now that you know to never edit the sudoers file outside of visudo, let’s make the change.

Extending the timeout

Let’s say you have multiple users on this machine, and you want to extend the timeout, for one particular user, to thirty minutes. To do that, issue the command:

sudo visudo

In the file, you’ll want to add at the end:

Defaults:USER timestamp_timeout=30

where USER is the username in question.

Save and close the file. If you’re working with that user, I recommend you log in via SSH and issue a sudo command (such as sudo apt-get update). Wait six or more minutes, and issue the command again. You shouldn’t be prompted for a sudo password. Wait thirty or more minutes, and you should be prompted for that password.

Once you have verified that the user account is functioning properly, exit out of the SSH session, log out of the terminal window, and log back in. Your account should now not require the sudo password for 30 minutes.

Always ask for a password

If you want to change the behavior, such that it always asks for a password, the Defaults line would look like:

Defaults:USER timestamp_timeout=0

where USER is the user in question. Once this is complete, log out and log back in. Any time the configured user issues a sudo command, they will be prompted for their sudo password.
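
The per-user Defaults lines from the two sections above can be generated and syntax-checked before they are installed. This is an added example, not part of the original article: the function names, the 60-minute ceiling, the username pattern, the sample user alice, and the /etc/sudoers.d drop-in location are assumptions.

```shell
#!/bin/sh
# Added example: build and syntax-check a per-user sudo timeout rule.
MAX_MINUTES=60   # assumed policy ceiling for this example, not a sudo limit

# Print the Defaults line for USER and MINUTES, or fail on bad input.
sudo_timeout_line() {
    user=$1
    minutes=$2
    # Conservative username pattern (assumption): a-z, 0-9, _ and - only,
    # so nothing typed here can smuggle extra sudoers syntax into the rule.
    case $user in
        ''|[!a-z_]*|*[!a-z0-9_-]*) echo "bad username: $user" >&2; return 1 ;;
    esac
    # Whole minutes only. This also rejects negative values, which sudo
    # treats as "the timestamp never expires".
    case $minutes in
        ''|*[!0-9]*) echo "bad timeout: $minutes" >&2; return 1 ;;
    esac
    if [ "$minutes" -gt "$MAX_MINUTES" ]; then
        echo "timeout above $MAX_MINUTES minutes refused" >&2
        return 1
    fi
    printf 'Defaults:%s timestamp_timeout=%s\n' "$user" "$minutes"
}

# Write the rule to a temp file and let visudo parse it before it is installed.
# Prints the path of the checked file on success.
stage_sudo_timeout() {
    line=$(sudo_timeout_line "$1" "$2") || return 1
    tmp=$(mktemp) || return 1
    printf '%s\n' "$line" > "$tmp"
    if visudo -c -f "$tmp" >/dev/null; then
        echo "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage (assumes your sudoers file includes /etc/sudoers.d):
#   f=$(stage_sudo_timeout alice 30) &&
#       sudo install -m 0440 "$f" /etc/sudoers.d/alice-timeout
```

After installing a rule, running sudo -k clears the cached credential so the next sudo command shows the new behavior without waiting out the old timeout.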

Easy Sudo timeout management

This is a great way of managing sudo password timeout. Just make sure you use this configuration option wisely. Don’t all of a sudden start changing all sudo timeouts to eight hours, as that is an invitation to disaster. Use it wisely, and this could make your daily Linux admin work a bit more efficient, or your machines a bit more secure.
