Cache Timestamp File


New Member
Sep 24, 2019
Reaction score
I'm enrolled in university and we are currently learning about the command line for cyber security aspects. There is a question that states the following:

"What is the full path of the cache timestamp file?"

To my limited understanding, I thought this would be the sudoers section so I submitted my answer of "/etc/sudoers" but that is incorrect.

Is there something I've missed along the way here? Does it create a completely different file?

Which cache are you talking about?

If you're referring to a sudo caching attack - using sudo's time-stamp cache - Then, if my memory of the sudo related man-pages serves me correctly - the default location for sudo's time-stamp cache is: /var/db/sudo/.

That directory should contain two sub-directories - lectured and ts.
lectured contains files named after users who have used sudo at least once and have seen the initial warning-message/lecture from sudo. The ts directory contains the actual time-stamps for each user of sudo.
So the full path to the time-stamps would be /var/db/sudo/ts/

However - that is the default location. In practice - sudo's timestamp files are probably not in /var/db/sudo/. They are almost certainly elsewhere. So the exact location could vary from distro to distro.

So the correct answer will depend on what the University are looking for.

If they want the default location - the answer should either be /var/db/sudo/, or /var/db/sudo/ts/. Otherwise - it will depend on the distro that is being targetted.
Last edited:
Its /run/sudo/ts/<username>. I think I know where you are trying to get at so you need to know what user they are referring to in the question: try the "cat /etc/passwd | cut -d: -f1" and see what user the question wants you to add.

Members online