75

I already know that I need to tune /etc/sudoers file but I would like to see full information and also a solution that would not require me to use vi editor.

Update: never, ever try to edit the file with something else than visudo.

sorin
  • 29,875

4 Answers4

106

Run sudo visudo and add this line:

Defaults    timestamp_timeout=-1

See man 5 sudoers. -1 causes the password to never timeout. You may change the number to whatever you like in minutes.

The man page for sudo says that sudo -v "extends the sudo timeout for another 5 minutes".

Running 'sudo visudo' instead of editing the file directly causes the system to validate the sudoers file before it commits the changes. For instance, if you leave a stray character somwhere, when you save and exit, it will say "there is an error in the sudoers file, what would you like to do?" ... hence giving you a chance to go back in and edit. This actually just happened to me 10 minutes ago.

nohillside
  • 100,768
lhf
  • 7,278
  • You actually can use any editor you like to edit the file. – Harv Mar 13 '11 at 09:37
  • You are right, I don't know why it is documented the you have to use visudo, it is not true, for me sudo mcedit /etc/sudoers worked just fine. – sorin Mar 16 '11 at 16:47
  • 23
    Yes, but visudo runs some basic sanity checks on the sudoers file before saving. If you mess up the file by using vi directly you may lock yourself out from using sudo making it very difficult to undo the change. – nohillside Apr 14 '12 at 17:29
  • @patrix really? Can't just reboot into single-user mode and pico or vi it? – Harv Jun 11 '12 at 00:37
  • Yes you can. But that's quite cumbersome to do (especially if you are not used to do it regularly) – nohillside Jun 11 '12 at 05:37
  • 5
    The privileges are like that on other systems, so nothing to do with Apple. visudo wraps around the system default editor (I would guess the root user default if the root has overridden the default), so has nothing to do with vi bar the name. On my system (not apple btw) I get nano. Try export EDITOR='/bin/nano' or whatever editor you like then use visudo. – Chris May 20 '12 at 10:27
  • If I make a mistake I use root to correct it. No need for single user mode... – hplbsh Oct 26 '13 at 00:18
  • 4
    Um... You can't use root to correct it, because you can't get to root, because you've just stuffed up your sudo file... That's the whole point. – daviewales Mar 21 '14 at 15:08
  • 2
    In a professional role you may have access to sudo but not have the root password. Your server may be in a datacenter across the country making it hard to access single user mode. But, if you were said professional, you probably wouldn't have the be given such warnings. The point is that you should learn from professionals. Don't look for ways to avoid forming good habits. Then we have to hear your frantic cries on Stack Exchange and IRC. – Bruno Bronosky Nov 29 '16 at 19:56
  • 3
    (Maybe it's obvious to everyone, but adding): timestamp_timeout is in minutes, may include a fractional component. – user Sep 17 '17 at 12:42
  • You can have both: visudo can be configured to use editors other than vi. – outis Nov 09 '18 at 21:35
3

Be really careful about modifying /etc/sudoers directly!

For instance, I tried the above suggestion directly:

sudo sh -c 'echo "\nDefaults timestamp_timeout=-1">>/etc/sudoers'

which messed up my /etc/sudoers file (on a CentOS Virtualbox VM). Should have been:

sudo sh -c 'echo -e "\nDefaults timestamp_timeout=-1">>/etc/sudoers'

Fortunately, I had access to the root account, logged in as root, used visudo and repaired the problem! So, I agree w/ the above comments to use visudo instead.

Monomeeth
  • 64,558
user304227
  • 31
1

All information for sudoers can be found from the terminal with the command

man sudoers

You can even user simple text to edit files, however the privs make that difficult. sudoers is -r--r----- (Octal 0440)

This indicates that Apple really doesn't want you messing with the file. This really is the core security of the OS.

Options for editing are vi, emacs, or my personal favourite BBEdit.

Andrei Freeman
  • 313
  • 1
  • 12
  • 6
    There is a reason those privileges are set. They are set in an attempt to force you to use visudo rather than editing the file yourself. Also, this has nothing to do with OS X. It's standard *nix. Also, if you want to use a non-default editor, just set the $EDITOR environment variable before calling visudo. e.g. EDITOR=nano sudo visudo. – daviewales Mar 21 '14 at 15:13
0

Disable sudo timeout with this command:

sudo sh -c 'echo "\nDefaults timestamp_timeout=-1">>/etc/sudoers'

To re-enable sudo timeout with this method:

sudo sed -i "/Defaults timestamp_timeout=-1/d" /etc/sudoers
patpat
  • 35
  • 13
    From the sudoers man page: The sudoers file should always be edited by the visudo command which locks the file and does grammatical checking. It is imperative that sudoers be free of syntax errors since sudo will not run with a syntactically incorrect sudoers file. – Matteo May 28 '14 at 05:53
  • @Matteo Well you can do anything you like on your own property provided you are aware of the consequences. In some situations this is OK, for example I use it on fresh mac builds which have no valuable data on them as part of an automation script. I've suggested an edit to this answer to provide a warning. Ideally sudo should have a one-liner way to change this without having to edit a file! – samthebest Jul 03 '17 at 10:06
  • 3
    Beware, this is dangerous advice. Use visudo instead. – Will Sheppard Jan 15 '18 at 15:51