19

sudo in Ubuntu keeps asking me for my password for every command. Previously, I only had to enter the password once, and then it would be remembered for a period of time. This recently changed, probably after "upgrading" to Natty.

I've done sudo visudo and set Defaults env_reset, timestamp_timeout = 60, tried rebooting, but it's still not working. How do I fix this?

After suggestions below, my /etc/sudoers looks like this:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults:endolith timestamp_timeout=60

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d

Update:

I upgraded my VirtualBox and it started to suffer from the same problem. At a guess, I ran bash, and tried to sudo in that, and the password is remembered correctly. It's only when I use my default shell fish that it doesn't remember. It did in the previous Ubuntu release, but no longer.

Update:

I upgraded to 13.05 and this magically started working again. Now it asks for my password once, stops asking for a while, and then asks again after a period of time.

endolith
  • 7,507
  • 25
  • 84
  • 121
  • possible duplicate: http://superuser.com/questions/148665/linux-unix-how-to-enable-one-user-to-sudo-without-a-password – warren Jul 21 '11 at 21:05
  • 3
    @warren: That's not a duplicate. I should be required to enter the password, but after I have entered it once, I don't have to for a given amount of time. I have changed this amount of time with visudo in the past but it's not working anymore. – endolith Jul 21 '11 at 21:16
  • I think that you have to use multiple Defaults statements, rather than one common separated one. – Stephanie Jul 22 '11 at 04:25
  • @Stephanie, I am certain that having a single Defaults statement with comma separated values works fine. – Zoredache Jul 22 '11 at 06:16
  • i see you have added a line like `Defaults:endolith timestamp_timeout=60` , but you are not in any group called endolith, accordidng to another comment here. so what username are you using? Check with `whoami`, and add that username in place of `endolith` in `Defaults:endolith timestamp_timeout=60` or `endolith ALL=(ALL) NOPASSWD: ALL` – wim Jul 25 '11 at 12:07
  • @wim: yes, I'm in the right group, which I wrote as "username" – endolith Jul 25 '11 at 12:59
  • Group "username" is not mentioned in the file. Try adding `endolith ALL=(ALL) ALL` right under `root ALL=(ALL:ALL) ALL` – frabjous Aug 08 '11 at 04:53

4 Answers4

16

@endolith: Yes, it only seems to affect fish. I had the same problem, the issue is caused by the sudo option "tty_tickets". Disabling this on your /etc/sudoers file will solve the problem.

The following will disable tty_tickets:

Defaults        env_reset,!tty_tickets
Dave Lancea
  • 103
  • 3
Kadu
  • 356
  • 1
  • 3
  • Does this have any negative ramifications? – endolith Aug 10 '11 at 05:58
  • 1
    "Be careful if you offer SSH access to remote users, as you could unintentionally allow them to share elevated privileges with you if you disable tty_tickets." from http://ask.debian.net/questions/how-to-have-sudo-powers-shared-between-different-bash-sessions – endolith Aug 11 '11 at 14:13
  • I offer SSH access to a remote user, but it is only to myself, so I assume this does not cause any vulnerability? – endolith Aug 14 '11 at 22:55
5

If nothing else works, try sudo -i (by itself). That'll give you a root shell after one password.

Broam
  • 3,984
  • 18
  • 20
  • 6
    great point but slightly riskier than the request. – mbb Jun 15 '11 at 15:32
  • Considering this is the "Ubuntu way" for getting a rootshell, I figured it was a neat work around the problem. Every command is still logged. – Broam Jun 22 '11 at 16:18
  • 1
    It doesn't really fix the problem though, it is basically just a way to ignore it. – Zoredache Jul 24 '11 at 09:31
  • This is a workaround rather than a solution, but it's good and I don't mind if it automatically gives you half the bounty. :) – endolith Jul 26 '11 at 15:38
1

I only had to enter the password once, and then it would be remembered for a period of time.

If I where to guess, I would bet that something about your /var/run/sudo directory is screwed up. This directory is where the timestamp files are stored. Maybe /var/run is full, maybe the permissions got screwed up. Anyway, look at that directory, I suspect your problem may be there.

The permissions on my folder look like this.

# find /var/run/sudo/ -ls
1164242    4 drwx------   6 root     root         4096 Jan  1  1985 /var/run/sudo/
1179694    4 drwx------   2 root     www-data     4096 Jan  1  1985 /var/run/sudo/www-data
1164286    4 drwx------   2 root     myuser      4096 Jul 21 23:03 /var/run/sudo/myuser
1163399    0 -rw-------   1 root     myuser         0 Jul 13 22:42 /var/run/sudo/myuser/0
1163453    0 -rw-------   1 root     myuser         0 Jul 21 22:59 /var/run/sudo/myuser/2
1164309    0 -rw-------   1 root     myuser         0 Jul 21 23:03 /var/run/sudo/myuser/6
1163303    0 -rw-------   1 root     myuser         0 Jul 13 22:31 /var/run/sudo/myuser/5

For good measure you might also want to try running sudo -K to kill your current timestamp files.

Zoredache
  • 19,828
  • 8
  • 50
  • 72
  • `find: '/var/run/sudo': No such file or directory` – endolith Jul 25 '11 at 00:45
  • Well that is a bad sign, why not try creating it, and set the ownership/permissions like above. – Zoredache Jul 25 '11 at 01:52
  • Or you could just reinstall the package. – Zoredache Jul 25 '11 at 02:04
  • reinstalled sudo with synaptic and it still says that – endolith Jul 25 '11 at 05:40
  • I get the same thing on a VirtualBox running Ubuntu 10.10. there is no `sudo` folder in `/var/run`. In this virtual machine, it remembers my password as expected, so this doesn't seem relevant. The only thing in visudo on this virtual machine is `Defaults env_reset`. It also says `%sudo ALL=(ALL) ALL` instead of `%sudo ALL=(ALL:ALL) ALL`. – endolith Jul 26 '11 at 15:42
0

I would check the /etc/sudoers.d/ directory.

You can also try to downgrade the sudo package to the previous version.

Michał Šrajer
  • 2,855
  • 1
  • 20
  • 14