Commands.page Logo

How to Set Expiration Date for Sudo Access in Ubuntu

Managing privileged access is vital for maintaining Ubuntu system security. This guide explains that while sudo lacks a native date expiration flag, you can limit access by expiring user accounts or scheduling group removal. We will cover the necessary commands to automate permission revocation and ensure elevated privileges are not held indefinitely.

Direct Sudo Expiration Limitations

Ubuntu does not provide a built-in configuration option within the sudoers file to set a specific calendar expiration date for sudo privileges. The sudo system is designed around authentication and activity timeouts rather than fixed end dates. To achieve date-based expiration, you must utilize user account management tools or schedule changes to group membership.

Method 1: Expire the User Account

The most effective way to stop sudo access on a specific date is to expire the user account itself. When an account expires, the user cannot authenticate, which prevents sudo usage. This method locks all access, not just sudo.

  1. Open a terminal.

  2. Use the chage command to set the expiration date:

    sudo chage -E 2024-12-31 username

    Replace 2024-12-31 with your target date and username with the actual user account.

  3. Verify the setting by running:

    sudo chage -l username

    Look for the “Account expires” line to confirm the date.

Method 2: Schedule Sudo Group Removal

If you want to revoke sudo privileges while keeping the user account active for non-administrative tasks, remove the user from the sudo group on a specific date. You can automate this using the at command.

  1. Ensure the at package is installed:

    sudo apt install at

  2. Schedule the removal command for a specific time and date:

    echo "sudo gpasswd -d username sudo" | sudo at 2024-12-31 23:59

    This command schedules the removal of username from the sudo group at the end of the specified day.

  3. View scheduled jobs to confirm:

    sudo atq

Method 3: Adjust Sudo Timestamp Timeout

While not a calendar expiration, you can reduce the time sudo remains active after authentication. By default, sudo remembers your password for 15 minutes. You can shorten this window in the sudoers file.

  1. Edit the sudoers file safely:

    sudo visudo

  2. Add or modify the timeout line:

    Defaults timestamp_timeout=5

    This sets the inactivity timeout to 5 minutes. After this period of inactivity, the user must re-enter their password to use sudo again.

Conclusion

You cannot set a native expiration date specifically for sudo commands, but you can control access duration effectively. Use chage to expire the entire account or schedule group removal with at to revoke sudo privileges specifically. Adjusting the timestamp timeout provides additional security for short-term inactivity.