Is there a way to require a user to wait a certain time instead of asking for a password every time he wants to execute a command as root or access the root / or another user account?

  • Arthur Besse@lemmy.mlM
    1 year ago

    sure. first, configure sudo to be passwordless, or perhaps just to stay unlocked for longer (it’s easy to find instructions for how to do that).

    then, put this in your ~/.bashrc:

    alias sudo='echo -n "are you sure? "; for i in $(seq 5); do echo -n "$((6 - $i)) "; sleep 1; done && echo && /usr/bin/sudo '

    Now “sudo” will give you a 5 second countdown (during which you can hit ctrl-c if you change your mind) before running whatever command you ask it to.

    • Flyswat@lemmy.ml
      1 year ago

      In terms of security, an alias can be easily overridden by a user who can even choose to use another shell which will not read .bashrc.

      So this solution cannot force/require the user to comply with the delay requirement.

      I was thinking maybe with a PAM module the delay can be achieved but I haven’t found one that readily does that. Maybe OP needs to implement one :)

      • Hawke@lemmy.world
        1 year ago

        pam_faildelay almost does it, but it only delays on auth failure. You would want something that delays on success. Might be almost as simple as “if not” on a check on pam_faildelay.

      • alphadont@lemmy.ca
        1 year ago

        If an untrusted user is sitting at the console of a sudoer account, armed with its password, all is lost and any security has effectively been defeated already. While I do understand the concern it seems like something of a moot point.

  • mbirth 🇬🇧@lemmy.ml
    1 year ago

    What purpose should this fulfil? If you are unsure whether your command is correct, double-check it before hitting the ENTER key.

  • Hawke@lemmy.world
    1 year ago

    I can’t find anything that quite fits your requirements.

    Putting a NOPASSWD option on your sudo config should cover the removal of the password requirement, but this may be ill-advised; it is probably wiser to increase the timestamp_timeout duration.

    The intentional delay is tougher, and for that it looks like you’d need to write a PAM module. pam_faildelay is very close to what you need, you’d just need to make it produce a delay on success as well as failure.
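
One way to get a delay that an alias or a different shell cannot skip, without writing a new PAM module, shown as an added example (not code from any commenter in this thread): a script run by pam_exec from sudo's session stack. The script path, the DELAY value and the /etc/pam.d/sudo line in the comments are assumptions, and it relies on sudo's pam_session option being left at its default (on).

```shell
#!/bin/sh
# Hypothetical path: /usr/local/sbin/sudo-delay
# Must be owned by root and not writable by anyone else.
#
# Assumed wire-up, one line added to /etc/pam.d/sudo:
#   session required pam_exec.so /usr/local/sbin/sudo-delay
#
# The session stack is used rather than auth because sudo skips the
# auth stack when NOPASSWD applies or the timestamp is still valid.

# Seconds to wait. Hard-coded on purpose so the invoking user cannot
# change it from their own environment.
DELAY=5

# Print how many seconds a given PAM event has to wait.
# pam_exec calls the script on both open_session and close_session;
# only the open of a sudo session is delayed.
delay_for_event() {
    service="$1"
    type="$2"
    [ "$service" = "sudo" ] || { echo 0; return; }
    [ "$type" = "open_session" ] || { echo 0; return; }
    echo "$DELAY"
}

# Apply the delay for the event described by the PAM_* variables
# that pam_exec exports (PAM_SERVICE, PAM_TYPE, PAM_USER).
run_gate() {
    secs=$(delay_for_event "${PAM_SERVICE:-}" "${PAM_TYPE:-}")
    if [ "$secs" -gt 0 ]; then
        # Leave an audit trail; ignore a missing or failing logger.
        logger -t sudo-delay "delaying ${PAM_USER:-unknown} for ${secs}s" 2>/dev/null || true
        sleep "$secs"
    fi
    return 0
}

# PAM_TYPE is only set when pam_exec started the script, so sourcing
# the file (for example to test the functions) does nothing.
if [ -n "${PAM_TYPE:-}" ]; then
    run_gate
fi
```

Because the hook lives in the PAM configuration, `/usr/bin/sudo`, `\sudo` and sudo started from any other shell all go through it.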

  • terminal@lemmy.ml
    1 year ago

    Do you mean the delay between when you need to re-enter the superuser password?

    I found this via an LLM:

    To change the delay before needing to re-enter your sudo password, follow these steps:

    1. Open the terminal and run:

      sudo visudo
      
    2. Locate the line:

      Defaults env_reset
      
    3. Add the following line below it:

      Defaults timestamp_timeout=<time-in-minutes>
      

      Replace <time-in-minutes> with the desired timeout in minutes (e.g., 30 for 30 minutes). Setting it to 0 requires a password every time, while a negative value disables the timeout entirely.