How can I force sudo to always ask for a password after waking from suspend?
From man sudo:
-K, --remove-timestamp
Similar to the -k option, except that it removes the user's
cached credentials entirely and may not be used in conjunction
with a command or other option. This option does not
require a password. Not all security policies support
credential caching.
So what you want is your user to run sudo -K each time the system suspends.
Ubuntu 15.04+ (systemd)
This can be done on Ubuntu 15.04+ by placing a script in /lib/systemd/system-sleep/.
- Run sudo nano /lib/systemd/system-sleep/disable_sudo_user (replace user with your user's username for convenience);
- Paste in the following script (replace user with your user's username):
#!/bin/sh
case $1/$2 in
pre/suspend)
su user -c 'sudo -K'
;;
esac
- Hit CTRL+O, ENTER and CTRL+X;
- Run sudo chmod o+x /lib/systemd/system-sleep/disable_sudo_user;
To enable this also for hibernation / hybrid-sleep, use this script instead:
#!/bin/sh
case $1 in
pre)
su user -c 'sudo -K'
;;
esac
Previous Ubuntu versions (Upstart)
This can be done on previous Ubuntu versions by placing a script in /etc/pm/sleep.d/.
- Run sudo nano /etc/pm/sleep.d/disable_sudo_user (replace user with your user's username for convenience);
- Paste in the following script (replace user with your user's username):
#!/bin/sh
case $1 in
suspend)
su user -c 'sudo -K'
;;
esac
- Hit CTRL+O, ENTER and CTRL+X;
- Run sudo chmod o+x /etc/pm/sleep.d/disable_sudo_user;
To enable this also for hibernation, use this script instead:
#!/bin/sh
case $1 in
suspend|hibernate)
su user -c 'sudo -K'
;;
esac
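An added example, not part of the original answer: a variant of the systemd hook above that covers every sleep type and runs sudo -K for each logged-in user instead of one hard-coded username. The function names and the SUDO_K_RUNNER override are assumptions of this example; it would be installed in /lib/systemd/system-sleep/ in the same way as the script above.

```shell
#!/bin/sh
# Added example, not from the original answer. systemd-sleep runs each hook as
# root with $1 = pre|post and
# $2 = suspend|hibernate|hybrid-sleep|suspend-then-hibernate.

# Succeed only when the system is about to enter any sleep state.
is_pre_sleep() {
    case "$1/$2" in
        pre/suspend|pre/hibernate|pre/hybrid-sleep|pre/suspend-then-hibernate)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Print each logged-in user once (first column of `who`).
logged_in_users() {
    who | awk '{print $1}' | sort -u
}

# Read usernames on stdin and run `sudo -K` as each of them.
# SUDO_K_RUNNER is a hypothetical override for dry runs; the default is su.
drop_sudo_timestamps() {
    while read -r user; do
        [ -n "$user" ] || continue
        "${SUDO_K_RUNNER:-su}" "$user" -c 'sudo -K' </dev/null ||
            echo "sudo -K failed for $user" >&2
    done
}

# Act only when called as a sleep hook (two arguments).
if [ "$#" -ge 2 ] && is_pre_sleep "$1" "$2"; then
    logged_in_users | drop_sudo_timestamps
fi
```

Users who are not logged in at suspend time are skipped, so a timestamp left behind by a session that has already ended is not cleared by this hook.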
Only if you are that paranoid! You can use the -K option of sudo.
-K, --reset-timestamp
When used without a command, invalidates the user's cached credentials.
In other words, the next time sudo is run a password will be required.
This option does not require a password and was added to allow a user to revoke
sudo permissions from a .logout file.
When used in conjunction with a command or an option that may require a
password, this option will cause sudo to ignore the user's cached credentials.
As a result, sudo will prompt for a password (if one is required by the
security policy) and will not update the user's cached credentials.
Not all security policies support credential caching.
For example,
sudo -K <command>
Or you could just leave your computer in a metal box guarded by robots :)