Optimizing Sudo Performance: Troubleshooting Slow Command Execution in Fedora Linux



After configuring NOPASSWD in my Fedora 11 system's /etc/sudoers file, I noticed a peculiar 10-second delay before any sudo command would execute. This latency occurs despite having proper permissions:

username ALL=(ALL) NOPASSWD:ALL

Modern Linux systems often perform DNS lookups during sudo execution. Try adding this to your /etc/sudoers:

Defaults !fqdn

This stops sudo from using DNS to fully qualify the local host name, a lookup that stalls when your DNS server is slow or unreachable. fqdn is off by default in upstream sudo, so this line only matters if your build or configuration enabled it.

The Pluggable Authentication Modules (PAM) stack might be causing the delay. Check your PAM configuration:

cat /etc/pam.d/sudo

Look for unnecessary authentication modules or time-consuming checks. You might need to modify or comment out certain lines.

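Sudo performs various system checks that might cause delays. Try these experimental settings in /etc/sudoers, and revert any that make no difference: !tty_tickets lets credentials cached in one terminal be reused from the user's other terminals, and !requiretty lets sudo run without a terminal.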

Defaults !lecture
Defaults !requiretty
Defaults !tty_tickets

If your system uses LDAP or SSSD for authentication, try adding:

Defaults !use_netgroups

This prevents sudo from checking network groups, which can introduce latency.

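To identify the exact cause, run sudo in debug mode. The -D level flag below exists only in early sudo 1.8 releases; sudo 1.8.4 and later configure debugging with Debug lines in /etc/sudo.conf, and recent 1.9 releases use -D for --chdir: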

sudo -D 1 [your_command]

This will output detailed information about what sudo is doing during the delay period.

If all else fails, consider these workarounds:

# Validate and cache credentials ahead of time
sudo -v

# Or use a bash alias for frequently used commands (-n makes sudo fail instead of prompting)
alias mysudo='sudo -n'

After configuring NOPASSWD in /etc/sudoers:

MyUserName ALL=(ALL) NOPASSWD:ALL

Many users report an unexpected 10-second delay despite password-less authentication. Let's analyze the technical roots and solutions.

Sudo performs reverse DNS lookups by default to:

  • Verify hostname consistency
  • Log accurate source information
  • Support host-based sudo rules

Check if DNS resolution is slow with:

time host $(hostname)

Example output showing delay:

real    0m9.873s
user    0m0.003s
sys     0m0.002s

Edit /etc/sudoers (always use visudo):

# Do not use DNS to fully qualify the host name
Defaults !fqdn

# timestamp_timeout is the credential cache lifetime in minutes, not a lookup timeout
Defaults timestamp_timeout=5

For systems with static hostnames:

# Add to /etc/hosts
127.0.1.1 yourhostname
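
A scripted version of this check, as an added example that is not from the original page: it reports whether a host name is mapped in /etc/hosts and whether nsswitch.conf consults files before dns. The function names are hypothetical, and the file paths can be overridden to test against copies.

```shell
#!/bin/sh
# Added example (function names are hypothetical): does the local host name
# resolve from /etc/hosts before DNS is tried?

# hosts_has_name FILE NAME: exit 0 if NAME is a name or alias in FILE
hosts_has_name() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        {
            sub(/#.*/, "")                # drop comments
            for (i = 2; i <= NF; i++)     # field 1 is the address
                if (tolower($i) == want) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# nss_files_before_dns FILE: exit 0 if the hosts: line lists "files"
# and lists it ahead of "dns" (or has no "dns" at all)
nss_files_before_dns() {
    awk '
        $1 == "hosts:" {
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !f) f = i
                if ($i == "dns" && !d) d = i
            }
        }
        END { exit ((f && (!d || f < d)) ? 0 : 1) }
    ' "$1"
}

# check_local_name NAME [HOSTS_FILE] [NSSWITCH_FILE]: print one verdict line
check_local_name() {
    name=$1 hosts=${2:-/etc/hosts} nss=${3:-/etc/nsswitch.conf}
    if ! hosts_has_name "$hosts" "$name"; then
        echo "MISSING: $name is not in $hosts, so lookups fall through to DNS"
    elif ! nss_files_before_dns "$nss"; then
        echo "ORDER: $name is in $hosts, but $nss does not try files before dns"
    else
        echo "OK: $name resolves from $hosts before DNS is tried"
    fi
}

# Usage: sh check_local_name.sh "$(hostname)"
if [ $# -gt 0 ]; then check_local_name "$@"; fi
```

A MISSING or ORDER verdict means the name lookup sudo performs can block on an unreachable DNS server.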

If using enterprise authentication:

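# Check which sources NSS consults (nsswitch.conf is world-readable, no sudo needed)
grep -E '^(hosts|passwd|group|netgroup|sudoers):' /etc/nsswitch.conf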

# Verify LDAP config
sudo authconfig --test | grep -i ldap

Compare before/after changes:

# Baseline measurement
time sudo -k
time sudo -n true

# Post-fix verification
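time sudo -n true

  1. Check system logs: journalctl -t sudo (sudo is not a systemd unit, so -u sudo matches nothing; on Fedora the syslog copy is in /var/log/secure)
  2. Test DNS resolution time
  3. Verify NSSwitch configuration
  4. Inspect PAM modules
  5. Profile with strace from a root shell: strace -T sudo -n true (when traced by an unprivileged user, the setuid bit is ignored and sudo refuses to run)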

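For extreme cases, build sudo from source with LDAP, SELinux and PAM support compiled out. The resulting binary skips PAM account and session modules and SELinux role transitions, and it no longer receives the distribution's package updates: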

./configure --with-ldap=no --with-selinux=no \
            --with-pam=no --disable-shared
make -j$(nproc)
sudo make install