Is there a way to require a user to wait a certain time instead of asking for a password every time he wants to execute a command as root or access the root / or another user account?

  • Arthur BesseM
    17
    2 months ago

    sure. first, configure sudo to be passwordless, or perhaps just to stay unlocked for longer (it’s easy to find instructions for how to do that).

    then, put this in your ~/.bashrc:

    alias sudo='echo -n "are you sure? "; for i in $(seq 5); do echo -n "$((6 - $i)) "; sleep 1; done && echo && /usr/bin/sudo '

    Now “sudo” will give you a 5 second countdown (during which you can hit ctrl-c if you change your mind) before running whatever command you ask it to.

    • Flyswat
      11
      2 months ago

      In terms of security, an alias can be easily overridden by a user who can even choose to use another shell which will not read .bashrc.

      So this solution cannot force/require the user to comply with the delay requirement.

      I was thinking maybe with a PAM module the delay can be achieved but I haven’t found one that readily does that. Maybe OP needs to implement one :)

      • @Hawke@lemmy.world
        1
        2 months ago

        pam_faildelay almost does it, but it only delays on auth failure. You would want something that delays on success. Might be almost as simple as “if not” on a check on pam_faildelay.

      • @alphadont@lemmy.ca
        1
        2 months ago

        If an untrusted user is sitting at the console of a sudoer account, armed with its password, all is lost and any security has effectively been defeated already. While I do understand the concern it seems like something of a moot point.

  • @mbirth@lemmy.ml
    7
    2 months ago

    What purpose should this fulfil? If you are unsure whether your command is correct, double-check it before hitting the ENTER key.

  • @Hawke@lemmy.world
    4
    2 months ago

    I can’t find anything that quite fits your requirements.

    Putting a NOPASSWD option on your sudo config should cover the removal of the password requirement, but this may be ill-advised; it is probably wiser to increase the timestamp_timeout duration.

    The intentional delay is tougher, and for that it looks like you’d need to write a PAM module. pam_faildelay is very close to what you need, you’d just need to make it produce a delay on success as well as failure.
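
Added example, not part of any comment in this thread: the replies above point out that the alias is not enforceable and that a delay on success needs to live in PAM. One way to get that without writing a C module is a hook script run by the stock pam_exec module; the script path, the PAM line in the comment and the function names are assumptions, as is sudo running its account stack for NOPASSWD rules.

```shell
#!/bin/sh
# Hypothetical hook for pam_exec, installed e.g. as /usr/local/sbin/sudo-delay
# (root-owned, not writable by others). Assumed line in /etc/pam.d/sudo,
# placed after the existing account entries:
#   account required pam_exec.so quiet /usr/local/sbin/sudo-delay 5
# pam_exec exports PAM_USER, PAM_SERVICE and PAM_TYPE to the command, and the
# delay comes from the PAM config line, so the invoking user cannot change it.

# Echo a usable delay in seconds; anything non-numeric falls back to 5.
valid_delay() {
    case "$1" in
        ''|*[!0-9]*) echo 5 ;;
        *) echo "$1" ;;
    esac
}

# Wait before letting sudo proceed. Returns 0 to allow, non-zero to refuse.
sudo_delay() {
    # Other services that share this stack pass straight through.
    if [ "${PAM_SERVICE:-}" != "sudo" ]; then
        return 0
    fi
    secs=$(valid_delay "${1:-}")
    if command -v logger >/dev/null 2>&1; then
        logger -t sudo-delay "delaying ${PAM_USER:-unknown} for ${secs}s" 2>/dev/null || true
    fi
    # Fail closed: an interrupted wait refuses the request instead of skipping it.
    sleep "$secs" || return 1
    return 0
}

# pam_exec always sets PAM_TYPE, so this branch only runs when used as the hook.
if [ -n "${PAM_TYPE:-}" ]; then
    sudo_delay "${1:-}"
    exit $?
fi
```

Because the wait happens inside sudo's own PAM stack, it applies regardless of the caller's shell or aliases. Keep a root shell open while editing /etc/pam.d/sudo so a mistake in the stack can be reverted.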

  • @terminal@lemmy.ml
    -16
    2 months ago

    Do you mean the delay between when you need to re-enter the superuser password?

    I found this via an LLM:

    To change the delay before needing to re-enter your sudo password, follow these steps:

    1. Open the terminal and run:

      sudo visudo
      
    2. Locate the line:

      Defaults env_reset
      
    3. Add the following line below it:

      Defaults timestamp_timeout=<time-in-minutes>
      

      Replace <time-in-minutes> with the desired timeout in minutes (e.g., 30 for 30 minutes). Setting it to 0 requires a password every time, while a negative value disables the timeout entirely.

    • @Mazesecle@lemm.ee
      17
      2 months ago

      I’m curious, why do people make these comments? If the op wanted an answer from an LLM, they would have asked an LLM…

      • navordar
        2
        2 months ago

        A modern equivalent of let me google that for you, but a more obnoxious one