7

I often need to run commands with sudo during development and since my password is lengthy I don't like to type it every time sudo times out which by default is 5 minutes.

To deal with that I've run sudo visudo and have set Defaults timestamp_timeout=15 (15 minutes)

However I'm still not happy with that and considering to increase it to at least 1h.

What are the security implications if any to increase it?

I also want to know whether the terminal could be injected by malicious process and execute commands in it as root while timeout has still not run out.
And of course I'm interested in any other issues that might arise from it.

Improve this question
5
  • Do you also have a screen lock? Commented Apr 12, 2024 at 15:12
  • Yes, screen lock timeout is lower than sudo timeout, why? Commented Apr 12, 2024 at 15:24
  • 2
    Because an attacker can only take advantage during the time the screen is unlocked. So what matters is MIN(screen lock timeout, sudo timeout). Commented Apr 12, 2024 at 15:35
  • 1
    What matters is the screen lock timeout. If an attacker sits on your unlocked computer, he can backdoor any command you run (su, sudo, the screensaver, the browser), or run a keylogger, or copy any file you have. The sudo timeout is irrelevant. Commented Apr 12, 2024 at 15:39
  • 3
    If there are a few commands you run routinely as part of your workflow, consider adding them to sudo's passwordless whitelist. Then you can run the trusted commands without a password at all. You may want to wrap the commands behind a script so that you can give your trusted "actions" a new "identity" for sudo (for example, a script called "rm-staging-dir", as opposed to giving yourself full root access to rm all the time) Commented Apr 12, 2024 at 17:13

3 Answers 3

Reset to default
9

I don't think increasing the timeout to 1h would change much the security. An attacker can backdoor sudo with one minute of access to your terminal, so 5 minutes or 60 are the same in my opinion.

With a larger timeout, an attacker could access the terminal and run commands as root. With a smaller timeout, he could put a fake sudo hidden somewhere, change your PATH variable to search on his hidden folder first, and wait until you run sudo later. This fake sudo would say "Invalid password" but send the password to the attacker, and remove the fake sudo. So you run again and now it works.

So no matter if you have a large or small timeout, if you have NOPASSWD or not, if an attacker manages to access your terminal, it's over.

Improve this answer
4
  • 7
    A good fake sudo would forward the typed password to real sudo, so that the user doesn't get the "Invalid password" clue. Commented Apr 12, 2024 at 8:13
  • @TobySpeight Cue the "It's criminal carreer advice!" jingle from the Security This Week podcast. Commented Apr 12, 2024 at 11:28
  • 2
    The time it takes to implement the backdoor is irrelevant. Even if it takes 15 minutes, you only have to do sudo -s to get yourself a root shell to use for all that time. The short timeout reduces the opportunity to do this, since they have to encounter the unattended computer shortly after leaving. Unless they're actively monitoring you and waiting for you to walk away, it's less likely. Commented Apr 12, 2024 at 15:11
  • Yep! An open unattended terminal is what will lead to compromise, and no timeout will be able to save you. Commented Apr 12, 2024 at 15:38
4

My impression of sudo is largely that it is to prevent the end user from doing something unfortunate to themselves. Like if you paste a one liner from the web and it starts asking for a password that is a red flag.

Personally, especially for desktop machines I will either do passwordless sudo or increase the timeout without reservation. It matches the security paradigm of certain other popular desktop OSs.

Also, in my opinion using the password excessively and unnecessarily exposes it to more potential for shoulder surfing or otherwise being stolen which might easily affect other accounts.

Improve this answer
1

The security implications depend from the environment you're working:

  • single office or something similar:
    If work alone, than nobody can access your computer. So changing the timeout to one hour won't change much.
  • shared office:
    If you work in a shared office, your co-workers or other kind of personnel could access your computer. If you increase the timeout there is also an increased risk that other people can use your computer with elevated privileges. So in that case you should think about additional measures (manually lock the screen when leaving, shorter screen locking time, etc.)

When thinking about the latter scenario an attacker can possibly inject malicious code and do all sorts of bad things.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.