
I have a long-running script which runs as a normal user and then has sudo make install towards the end, which (if I don't notice it finishes within 5 minutes) times out and fails.

In man sudoers it describes this option to change how long it waits:

passwd_timeout: Number of minutes before the sudo password prompt times out, or 0 for no timeout. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 5.

This works globally - for example setting timeout to 15 seconds

~ $ sudo grep passwd /etc/sudoers    
Defaults passwd_timeout=0.25
~ $ sudo -k                          
~ $ date && sudo date && date || date
Fri 17 Apr 2020 10:23:26 CEST
[sudo] password for hali: 
sudo: timed out reading password
Fri 17 Apr 2020 10:23:41 CEST
~ $

However I'd like to leave the default sudo password timeout as 5 minutes but be able to have this specific sudo in my script wait forever for a password. Is it possible to set an individual password timeout on the sudo command or is there some other way to make my script wait indefinitely for me to enter my password?

There is no mention of this password timeout setting in man sudo - the only timeout option is -T which is "Used to set a timeout for the command. If the timeout expires before the command has exited, the command will be terminated."

I'm not trying to enter my password via the script as in this question sudo with password in one command line? nor trying to change the length of time credentials are cached as in this one Change default sudo password timeout

This is my sudo version:

~ $ sudo -V
Sudo version 1.8.31p1
Sudoers policy plugin version 1.8.31p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31p1
lx07
  • Why not simply put an interactive `read -p 'continue ? '` command just before the sudo, and so wait for a return before carrying on with the following sudo line. – meuh Apr 17 '20 at 15:23
  • @meuh - yes that would work if sudo doesn't have this option. I didn't think of it, thanks. – lx07 Apr 18 '20 at 10:23
  • That is an interesting question and in part deals with a problem I'm told is bad design practice (having sudo prompts in scripts, but I'm not convinced that letting the entire script run as root and change to a lower privileged user when necessary is less worse, it turns the principle of least privilege on its head). You can change defaults for individual users as stated in one of your links, how about a user configured to only run this script? How you configure that user is up to you, is the default Ansible approach good? I'm not sure. – LiveWireBT Mar 07 '21 at 11:41
  • Another option I researched in the past where I can't find the link to the respective SO FAQ is to let a function run in the background which updates the sudo timestamp. `prevent_sudo_timeout() { sudo -v; while true; do sudo -nv; sleep 1m; kill -0 $$ 2>/dev/null || exit; done & }` I have it in one of my scripts and it works. Formatted as a one-liner in a comment is a bad idea, I know. Let me know if you need help and if it is worth writing a more complete answer. – LiveWireBT Mar 07 '21 at 11:48
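
In the spirit of the comments above, an added example that is not part of the original thread: retry `sudo -v` until it succeeds so the prompt is re-issued after each timeout while `passwd_timeout` stays at its default, run the privileged step immediately afterwards, then call `sudo -k` so the cached credential does not outlive it. The function names and the `SUDO` and `RETRY_DELAY` variables are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread.
# SUDO (assumed name) lets a stub replace the real sudo for testing.
SUDO=${SUDO:-sudo}

# Re-issue the password prompt each time it times out or the password is
# rejected. The global passwd_timeout in sudoers is left untouched; the
# script simply asks again until credentials are cached.
# Caveat: a user who is not in sudoers will be asked forever, and every
# failed attempt is logged by sudo. Ctrl-C during the pause stops the loop.
wait_for_sudo() {
    local attempts=0
    until "$SUDO" -v; do
        attempts=$((attempts + 1))
        printf 'sudo prompt expired or failed (%d), asking again\n' "$attempts" >&2
        # RETRY_DELAY (assumed name): seconds to pause between prompts.
        sleep "${RETRY_DELAY:-2}"
    done
}

# Authenticate right before the privileged command instead of keeping the
# timestamp alive in the background for the whole script, then invalidate
# the cached credential so the elevated window covers only this command.
# Returns the exit status of the privileged command.
run_privileged_step() {
    local rc
    wait_for_sudo || return
    "$SUDO" -- "$@"
    rc=$?
    "$SUDO" -k
    return "$rc"
}

# Usage at the end of the long-running build script:
#   run_privileged_step make install
```

Unlike a background keep-alive loop, this leaves no window during the unprivileged part of the script in which cached sudo credentials are valid.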

0 Answers