[sudo-users] Comparing -k and -K
Jason Franklin
jason at oneway.dev
Tue Dec 27 14:33:11 MST 2022
Greetings:
In sudo(8), I find the following descriptions of the "-k" and "-K"
options...
> -K, --remove-timestamp
> Similar to the -k option, except that it removes the user's cached
> credentials entirely and may not be used in conjunction with
> a command or other option. This option does not require a password.
> Not all security policies support credential caching.
>
> -k, --reset-timestamp
> When used without a command, invalidates the user's cached
> credentials. In other words, the next time sudo is run a password
> will be required. This option does not require a password, and was
> added to allow a user to revoke sudo permissions from a .logout
> file.
> ...
In my ~/.bash_logout file, I would like to do something similar to:
    if [[ -x /usr/bin/sudo ]]; then
        /usr/bin/sudo -k
    fi
The documentation above suggests that "-k" was added to support revoking
"sudo" permissions in a ~/.logout file or similar.
However, from reading, it seems that "-K" may be better for this purpose
since it removes the cached credentials entirely. Is this correct?
If I want to revoke permissions in my ~/.bash_logout file, which one of
these options is recommended?
Is "-K" better/stronger than "-k"?
Many thanks,
--
Jason Franklin