Adjust the sudo time-out behavior in OS X

If you use the sudo command often to make changes to your system, you can adjust when it requires you to enter your password.


As with many other Unix-like systems that have a BSD interface, OS X includes a fully Unix-compliant terminal that can be accessed with a Unix shell in the included Terminal utility. This feature allows for a relatively powerful way to access and modify system settings to customize and troubleshoot the system.

As with the rest of the system, this command-line interface is by default limited by standard permissions restrictions so only administrators may access system files and only users may access their own files. To get around this, the sudo command is commonly invoked to execute commands as another user, primarily the root user of the system.

The first time you run a command with sudo you will be prompted for your password; subsequent uses will not require it, at least as long as you keep using the sudo command. This happens because by default every use of sudo creates or updates a time stamp file in the /var/db/sudo directory, from which it gauges a time-out period. If this period expires, sudo requires you to supply your password again before it updates the time stamp.

This behavior is convenient when you are making multiple edits to the system; by default the time-out period is around 10-15 minutes, so sudo can be used repeatedly within this timeframe without requiring you to supply your password every time.

While in most cases the default time-out period is acceptable, it does pose a potential security issue if you run a sudo command and then leave your system for a short period. Since the sudo command has a time-out, it will not require a password for the length of this time following the last use of the sudo command. While you can lock your system in various ways to prevent access during this time-out, another approach is to either use the sudo command itself to cancel or prevent this time-out, or configure it to have a custom time-out of choice.

Using sudo

The sudo command itself has a couple of convenient options that can be used to either prevent or turn off the time-out. The first is to use the "-k" flag along with sudo to prevent the time stamp file from being created in the first place.

sudo -k COMMAND

Because of this, the use of the -k flag (lower-case) is secure; however, it can also be a bit inconvenient, especially if the task at hand involves several invocations of sudo. Therefore, you can use the standard sudo behavior without "-k" and then, when finished with your routine, run sudo again with "-K" (upper-case, or lower-case "k" without an accompanying command) to delete the sudo time stamp file, so that any subsequent use of sudo requires a password:

sudo -K
sudo -k

Adjusting the default time-out

[Figure: Editing the sudo configuration file in OS X. When editing the sudo configuration file, add the changes to the end of this line so they look like the following. Screenshot by Topher Kessler/CNET]

While the sudo flags are convenient, there may be times when you might forget to use these flags. Alternatively, you might wish to have the time-out be longer if you are not concerned about security and regularly find yourself needing to supply your password when running sudo commands. Therefore, you can change the default time-out for sudo to be shorter, longer, or even to disable it altogether and always require a password when running sudo.

To do this, specify a custom time-out by editing the sudo configuration file: open the Terminal and run through the following procedure:

  1. Run the command "sudo visudo" to invoke the sudo configuration editor
  2. Press "i" to invoke "insertion mode" so you can make edits
  3. Use arrows to navigate to the section "# Defaults specification" which will have a number of lines that begin with "Defaults" below it.
  4. Change the line that states "Defaults     env_reset" to have ",timestamp_timeout=NUMBER" appended to it (with NUMBER being the number of minutes before the time-out), so it reads like the following (in this example the number is 2 minutes; if you always want sudo to require a password, set this value to 0):

    Defaults     env_reset,timestamp_timeout=2

  5. Press escape to exit insertion mode
  6. Press ":" followed by typing "w" and then press Enter to save
  7. Press ":" followed by typing "q" and then press Enter to quit

As always, before making any changes to system configuration files be sure to have a backup of your system (even though "visudo" will create an automatic backup of the sudoers file). To undo these changes, simply invoke the visudo editor again and remove these edits.
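As an added example (not part of the original article), the following POSIX shell script performs the same edit on a copy of a sudoers file without opening an editor, so the result can be inspected before the real configuration is touched. It does what step 4 does by hand: it appends ",timestamp_timeout=NUMBER" to the "Defaults env_reset" line, replaces the value if one is already present rather than appending a second copy, and rejects anything that is not a non-negative integer (0 meaning "always ask", as the article notes). The function names, the sed expressions and the constructed sample file are my own; none of it is from the article or from the sudo project.

```shell
#!/bin/sh
# Added example, not from the CNET article: apply the article's sudoers edit
# to a COPY of a sudoers file without opening an editor, so the change can be
# reviewed before the real /etc/sudoers is touched (always through visudo).
# All function names here are my own.

# set_sudo_timeout FILE MINUTES
#   Appends ",timestamp_timeout=MINUTES" to the "Defaults env_reset" line of
#   FILE (step 4 of the procedure). If a Defaults line already carries a
#   timestamp_timeout value, that value is replaced instead of being appended
#   a second time. MINUTES must be a non-negative integer; 0 = always prompt.
set_sudo_timeout() {
    file=$1
    minutes=$2

    case $minutes in
        ''|*[!0-9]*)
            echo "set_sudo_timeout: MINUTES must be a non-negative integer, got '$minutes'" >&2
            return 1 ;;
    esac

    tmp=$(mktemp)
    # Expression 1: a Defaults line that already has timestamp_timeout= gets the new value.
    # Expression 2: a "Defaults env_reset" line without it gets ",timestamp_timeout=N" appended.
    sed \
        -e "/^Defaults[[:space:]].*timestamp_timeout=/s/timestamp_timeout=[-0-9]*/timestamp_timeout=$minutes/" \
        -e "/^Defaults[[:space:]][[:space:]]*env_reset/{/timestamp_timeout=/!s/\$/,timestamp_timeout=$minutes/;}" \
        "$file" > "$tmp"
    mv "$tmp" "$file"
}

# get_sudo_timeout FILE
#   Prints the timestamp_timeout value set on a Defaults line, or nothing if
#   the file still relies on sudo's built-in default.
get_sudo_timeout() {
    sed -n 's/^Defaults[[:space:]].*timestamp_timeout=\([-0-9]*\).*/\1/p' "$1" | head -n 1
}

# Demonstration on a constructed sample (not a real system's sudoers file).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Defaults specification
Defaults     env_reset
Defaults     env_keep += "BLOCKSIZE"
root    ALL=(ALL) ALL
EOF
    set_sudo_timeout "$f" 2      # first run: appends, giving timestamp_timeout=2
    set_sudo_timeout "$f" 0      # second run: replaces 2 with 0, no duplicate entry
    echo "timestamp_timeout is now: $(get_sudo_timeout "$f")"
    grep '^Defaults' "$f"
    rm -f "$f"
}

demo
```

Run it only against a copy: the live file should be changed through visudo, which locks the file and checks its syntax before saving; a standalone copy edited this way can be checked with "visudo -c -f FILE" before any of it is carried over.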
