


man-pages

5th chunk of `sudo.man`
 require a password.  Not all
               security policies support credential caching.

       -k, --reset-timestamp
               When used without a command, invalidates the user’s cached  cre‐
               dentials  for the current session.  The next time sudo is run in
               the session, a password must be entered if the  security  policy
               requires  authentication.  By default, the sudoers policy uses a
               separate record in the credential cache for  each  terminal  (or
               parent process ID if no terminal is present).  This prevents the
               -k option from interfering with sudo commands run in a different
               terminal  session.   See the timestamp_type option in sudoers(5)
               for more information.  This option does not require a  password,
               and  was added to allow a user to revoke sudo permissions from a
               .logout file.

               When used in conjunction with a command or an  option  that  may
               require  a  password,  this option will cause sudo to ignore the
               user’s cached credentials.  As a result, sudo will prompt for  a
               password  (if  one  is required by the security policy) and will
               not update the user’s cached credentials.

               Not all security policies support credential caching.

       -l, --list
               If no command is specified, list the privileges for the invoking
               user (or the user specified by the -U  option)  on  the  current
               host.   A longer list format is used if this option is specified
               multiple times and the security policy supports a verbose output
               format.

               If a command is specified and is permitted by the security  pol‐
               icy,  the fully‐qualified path to the command is displayed along
               with any args. If a command is specified but not allowed by  the
               policy, sudo will exit with a status value of 1.

       -N, --no-update
               Do  not  update  the user’s cached credentials, even if the user
               successfully authenticates.  Unlike the -k flag, existing cached
               credentials are used if they are  valid.   To  detect  when  the
               user’s  cached  credentials are valid (or when no authentication
               is required), the following can be used:
                     sudo -Nnv

               Not all security policies support credential caching.

       -n, --non-interactive
               Avoid prompting the user for input of any kind.  If  a  password
               is  required  for the command to run, sudo will display an error
               message and exit.

       -P, --preserve-groups
               Preserve the invoking user’s group  vector  unaltered.   By  de‐
               fault,  the  sudoers  policy will initialize the group vector to
               the list of groups the target user is a member of.  The real and
               effective group‐IDs, however, are still set to match the  target
               user.

       -p prompt, --prompt=prompt
               Use  a  custom  password  prompt with optional escape sequences.
               The following percent (‘%’) escape sequences  are  supported  by
               the sudoers policy:

               %H  expanded to the host name including the domain name (only if
                   the  machine’s  host name is fully qualified or the fqdn op‐
                   tion is set in sudoers(5))

               %h  expanded to the local host name without the domain name

               %p  expanded to the name of the user whose password is being re‐
                   quested (respects the rootpw, targetpw, and runaspw flags in
                   sudoers(5))

               %U  expanded to the login name of the user the command  will  be
                   run as (defaults to root unless the

Title: Sudo Options: Timestamp, Listing Privileges, and Non-Interactive Mode
Summary
This section details more `sudo` command options. `-k` (reset-timestamp), when used with a command, forces a password prompt and prevents updating cached credentials. `-l` (list) displays user privileges, either for the current user or one specified with `-U`. Specifying `-l` multiple times provides a more verbose output. `-N` (no-update) prevents updating cached credentials, even with successful authentication; `-n` (non-interactive) prevents prompting for any user input, exiting if a password is required. `-P` (preserve-groups) preserves the invoking user's group vector, while by default sudo initializes it to the target user's groups. `-p prompt` allows customizing the password prompt with escape sequences such as %H (hostname with domain), %h (hostname without domain), %p (name of user whose password is requested), and %U (login name of the user the command will be run as).
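
The -N, -n, -l and -k options described above can be combined into a preflight check for unattended jobs that must never stall on a password prompt or silently extend the credential cache. This is an added example, not part of the sudo manual; the `SUDO` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the sudo manual): non-interactive preflight checks
# built on the -N, -n, -v, -l and -k options.
# SUDO is this example's own variable so a stub can replace the real binary.
SUDO=${SUDO:-sudo}

# Succeeds when cached credentials are valid or no authentication is required.
# -N leaves the cache untouched, -n never prompts, -v only validates.
creds_cached() {
    "$SUDO" -Nnv >/dev/null 2>&1
}

# Succeeds when the policy permits the command; "sudo -l CMD" exits 1 otherwise.
# Call only after creds_cached, so a password requirement is not read as a denial.
cmd_allowed() {
    "$SUDO" -n -l "$@" >/dev/null 2>&1
}

# preflight CMD [ARGS...]: prints ok, auth-required or denied.
# Returns 0, 2 or 1 respectively, and never prompts.
preflight() {
    if ! creds_cached; then
        echo auth-required
        return 2
    fi
    if ! cmd_allowed "$@"; then
        echo denied
        return 1
    fi
    echo ok
}

# Invalidate the cached credentials for this session, e.g. from a .logout file
# or an EXIT trap. -k without a command does not require a password.
drop_creds() {
    "$SUDO" -k
}
```

Call `preflight` before the privileged step of a cron or CI job and stop on anything other than `ok`; call `drop_creds` when the job ends so the cached credentials do not outlive it.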