[sudo-users] retrieving the remain time of a cached credential

Dennis Schwartz dennis.schwartz at protonmail.com
Tue Sep 17 10:27:42 MDT 2019


I was wondering if it is possible to get the time left before a cached
credential expires.

I understood that sudo stores the timeout information for credential
caching in the file `/var/run/sudo/ts/<user>`. While this file is not
readable by anyone except root, I was wondering if it is still possible
for a normal user to check if the user their credentials are cached or
not *without updating the timestamp file*.

After some searching on the Internet, I found two techniques to check
if a user has its credential cached:

 * `sudo -S </dev/null true 2>/dev/null; echo $?` [1]
   (doesn’t send a security email)
 * `sudo -n true 2>/dev/null; echo $?` [1,2]
   (sends a security email)

However, both these commands update the cached credential while I only
want to check whether a credential is cached or not.

The only workaround I have seen, is to prevent sudo from writing to the
timestamp file by temporarily setting `limit filesize 0`. (Which might
be considered a security issue since it prevents sending the email as

Is there a recommended way of achieving this?

Kind regards,


[1] https://askubuntu.com/questions/838850/
[2] https://unix.stackexchange.com/questions/412609/

More information about the sudo-users mailing list