Sudo remembers your password (your authentication) for some time so you do not have to enter the password for multiple commands in quick succession.
The duration is controlled by the timestamp_timeout
statement in the /etc/sudoers
file. Read man sudoers
for more information.
More interessting is the question how your authentication is remembered. Everytime you use sudo, sudo will create a file in the directory /var/run/sudo/username
(Ubuntu 10.04). The filename is taken from your current terminal (or tty). That means sudo remembers your authentication on a per terminal basis. If you switch to another terminal, sudo will not remember that you just used sudo on the previous terminal.
Demonstration:
Use sudo:
$ sudo echo foo
[sudo] password for lesmana:
foo
See file created in /var/run/sudo/username
:
$ sudo ls -l /var/run/sudo/lesmana
total 0
-rw------- 1 root lesmana 0 2011-04-25 16:56 1
Note that this sudo did not ask for password. The file is named 1
because I ran the sudo command from tty (or pts) number 1. use the tty
command to see your tty name.
$ tty
/dev/pts/1
Now switch to another terminal:
$ tty
/dev/pts/2
Use sudo in this terminal.
$ sudo echo bar
[sudo] password for lesmana:
bar
Note that it asks for a password.
See file created in /var/run/sudo/username
:
$ sudo ls -l /var/run/sudo/lesmana
total 0
-rw------- 1 root lesmana 0 2011-04-25 16:56 1
-rw------- 1 root lesmana 0 2011-04-25 16:57 2 # <-- new
Now switch to a virtual console.
$ tty
/dev/tty/1
Use sudo:
$ sudo echo baz
[sudo] password for lesmana:
baz
See file created in /var/run/sudo/username
:
$ sudo ls -l /var/run/sudo/lesmana
total 0
-rw------- 1 root lesmana 0 2011-04-25 16:56 1
-rw------- 1 root lesmana 0 2011-04-25 16:57 2
-rw------- 1 root lesmana 0 2011-04-25 16:58 tty1 # <-- new
Now let's try that using your shell script. I used the same robot script as in the question text.
$ ./robot
apple
banana
No password prompt because I used the first terminal in which sudo still remembers my password.
See the file updated in /var/run/sudo/username
:
$ sudo ls -l /var/run/sudo/lesmana
total 0
-rw------- 1 root lesmana 0 2011-04-25 17:01 1 # <-- timestamp update
-rw------- 1 root lesmana 0 2011-04-25 16:57 2
-rw------- 1 root lesmana 0 2011-04-25 16:58 tty1
Now let's try the script with redirection:
$ ./robot > foo
[sudo] password for lesmana:
Note that sudo asked for password.
Check /var/run/sudo/username
:
$ sudo ls -l /var/run/sudo/lesmana
total 0
-rw------- 1 root lesmana 0 2011-04-25 17:01 1
-rw------- 1 root lesmana 0 2011-04-25 16:57 2
-rw------- 1 root lesmana 0 2011-04-25 16:58 tty1
-rw------- 1 root lesmana 0 2011-04-25 17:02 unknown # <-- new
See that unknown
file. For whatever reason sudo is no longer able to determine the terminal when executed in a script with redirected streams. That is why sudo asks you for your password.
Note that on your system sudo asked for password only after redirecting both stdout and stderr. On my system (ubuntu 10.04) sudo asked for password when I redirected stdout. I have no idea why there is this difference.
Note also that you can make sudo forget your authentication immediately with the command sudo -k
. This will only forget the authentication for the terminal where the command was issued.