[sudo-users] Comparing -k and -K
Todd C. Miller
Todd.Miller at millert.dev
Tue Dec 27 15:35:18 MST 2022
On Tue, 27 Dec 2022 16:33:11 -0500, Jason Franklin wrote:
> In my ~/.bash_logout file, I would like to do something similar to:
>
> if [[ -x /usr/bin/sudo ]]; then
>     /usr/bin/sudo -k
> fi
>
> The documentation above suggests that "-k" was added to support revoking
> "sudo" permissions in a ~/.logout file or similar.
That is correct.
> However, from reading, it seems that "-K" may be better for this purpose
> since it removes the cached credentials entirely. Is this correct?
>
> If I want to revoke permissions in my ~/.bash_logout file, which one of
> these options is recommended?
>
> Is "-K" better/stronger than "-k"?
It depends what you want to achieve. The cached credential file
generally holds multiple credentials. For example, there is a
separate entry for each terminal the user logged in to. Running
"sudo -k" will invalidate the credentials for the current terminal
session but will not affect other sessions. Running "sudo -K" will
remove the entire credential file so it affects all sessions.
- todd
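
An added example, not part of the original message or of sudo itself: a `~/.bash_logout` fragment that applies the distinction described in the reply above. The policy (use `-K` only when `who` shows no other login session for the user, otherwise `-k`), the function names and the `SUDO_BIN` variable are assumptions made for illustration.

```shell
# ~/.bash_logout fragment (added example; names and policy are assumptions).
# Path taken from the question; overridable for testing.
SUDO_BIN="${SUDO_BIN:-/usr/bin/sudo}"

# Count this user's login sessions as reported by who(1).
# Caveat: terminals that do not register in utmp (some terminal emulators,
# multiplexer panes) are not counted, so treat the result as a lower bound.
count_login_sessions() {
    who 2>/dev/null | awk -v u="$(id -un)" '$1 == u { n++ } END { print n + 0 }'
}

# Choose the flag from the session count:
#   -k  invalidate the credentials for the current terminal session only
#   -K  remove the entire credential file, which affects all sessions
# The shell that is logging out is still listed, so a count of 1 (or 0)
# means no other session is known to be open.
choose_sudo_flag() {
    sessions="$1"
    if [ "$sessions" -le 1 ]; then
        printf '%s\n' "-K"
    else
        printf '%s\n' "-k"
    fi
}

# Revoke cached sudo credentials; do nothing if sudo is not installed.
revoke_sudo_on_logout() {
    [ -x "$SUDO_BIN" ] || return 0
    flag="$(choose_sudo_flag "$(count_login_sessions)")"
    "$SUDO_BIN" "$flag"
}

# Only act for interactive shells, which are the ones that own a terminal.
case $- in
    *i*) revoke_sudo_on_logout ;;
esac
```

To leave other sessions untouched unconditionally, call `"$SUDO_BIN" -k` directly instead of going through `choose_sudo_flag`.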