Useful Sudoers Configuring sudo Command in Linux


In operating systems such as Linux and Unix, the liberty to run every command lies in the hands of the root user. The root user can perform tasks such as installing and updating the system, removing packages, creating groups and users, modifying config files, and so on. The system administrator, acting as root, can grant other users the ability to run those commands with the help of the sudo command. Apart from this, the system admin can also share the root password (not recommended) so that other users can perform all of these tasks with the su command.

How the sudo command works

The sudo command performs the steps below to grant a user access to root facilities:

  1. It reads the /etc/sudoers file and looks up the user who invoked the command.
  2. The user is then prompted for a password; this prompt can be skipped with the NOPASSWD flag.
  3. A child process is created, which switches to the target user using setuid().
  4. The requested command is then executed in that child process.

The behaviour of sudo is adjusted with Defaults entries in the /etc/sudoers file. Use the command below to list all the entries currently present.

sudo cat /etc/sudoers


[Screenshot: contents of the sudoers file]

In this article we will be looking at 9 different sudo configurations; the Linux distribution used is Ubuntu.

Useful Sudoers Configurations for sudo

The configuration file will look something like this after all the configurations have been added.

[Screenshot: sudoers configuration]

Let us understand all the configurations listed above, step by step.

1. Setting a secure path

This path is used as the PATH when running every command with sudo. It is set for the following two reasons:

  1. To keep the root and user paths separate (users in the group named by exempt_group remain unaffected by this setting).
  2. Because the system admin cannot trust that sudo users will have a reliable PATH variable.

Add the below line in the sudoers file to set this path:

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

[Screenshot: setting secure_path in the sudoers file]

2. Enabling sudo on the TTY user login session

This line is added so that sudo can only be called from a real tty and not from cron jobs or cgi-bin scripts:

Defaults requiretty



3. Running sudo command using pty

Sometimes an attacker can run a malicious program through sudo that forks a background process, which stays attached to the terminal even after the main program has finished. This can be avoided by adding the line below, which makes sudo run commands only in a pseudo-pty.

Defaults use_pty



4. Creating a sudo log file

To create a custom log file you can use the logfile parameter. Note that sudo logs via syslog(3) by default.

Defaults logfile="/var/log/sudo.log"



The hostname and the four-digit year can also be recorded in the custom log file; use the line below:

Defaults log_host, log_year, logfile="/var/log/sudo.log"


[Screenshot: creating the sudo log file in the sudoers file]

To see the custom sudo log file type the below command:

cat /var/log/sudo.log


[Screenshot: contents of the sudo log file]

5. Logging sudo input and output

With the log_input and log_output options, all the input typed and all the output sent to the screen during a sudo session can be logged. By default, the input/output log directory is /var/log/sudo-io; the session sequence number is also stored in this directory. A custom directory can be specified with the iolog_dir parameter.

Defaults log_input, log_output



To view the logs, use the commands below:

# cd /var/log/sudo-io/
# ls
# cd 00/00/01
# ls
# cat log


[Screenshot: sudo input/output logs]

6. Lecture sudo users

This configuration is used to lecture the users whenever they type the wrong password. It has three values:

  1. always: This always lectures the user.
  2. once: This lectures the user only once, when they first use the sudo command. This is the behaviour when no value is specified.
  3. never: This never lectures the user.

Defaults lecture="always"


[Screenshot: lecturing sudo users]

7. Custom messages when the wrong password is typed

By default, when the wrong password is typed, the message is “sorry, try again”. This can be changed with the badpass_message parameter. Let us type the wrong password intentionally and see the result.

Defaults badpass_message="Welcome to GFG, enter the right password"


[Screenshot: custom message for a wrong password]

8. Setting the password limit

By default the maximum number of password tries is 3. This can be increased or decreased with the line below:

Defaults passwd_tries=6


[Screenshot: setting the password limit]

It can be seen clearly that the number of tries is 6.

9. Enabling the insult function

With this configuration, an insulting message is displayed on the screen whenever the user enters the wrong password. The badpass_message parameter is overridden when this option is enabled.

Defaults insults



Let us see this work, I will intentionally type the wrong password and see the insults.

[Screenshot: enabling the insult function]

So these were the 9 sudo configurations that you can use and explore. Hope you liked the article.

Frequently Asked Questions

1. How do I grant specific users sudo privileges in Linux?

To grant specific users sudo privileges in Linux, you need to edit the sudoers file. You can use the visudo command to safely edit this file. Add a line in the following format:

username   ALL=(ALL:ALL) specific_command

Replace “username” with the actual username, and “specific_command” with the command or set of commands the user is allowed to run with sudo.

2. What is the purpose of the NOPASSWD flag in sudo configurations?

The NOPASSWD flag in sudo configurations allows a user to execute commands with sudo without entering a password. This can be set in the sudoers file like this:

username   ALL=(ALL:ALL) NOPASSWD: specific_command

It’s important to use NOPASSWD judiciously, as it can pose a security risk, especially for critical commands.

3. Can you provide an example of setting a secure path in sudo configurations?

To set a secure path in sudo configurations, you can use the secure_path option. Edit the sudoers file and add or modify the line:

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

This ensures that only the specified directories are used when searching for executables.

4. What are some best practices for securing sudo configurations on Ubuntu?

  • Regularly review and update the sudoers file.
  • Use the principle of least privilege; grant the minimum necessary permissions.
  • Avoid using NOPASSWD unless absolutely necessary.
  • Enable requiretty to restrict sudo usage to real terminals.
  • Regularly monitor sudo logs for suspicious activities.
  • Use a secure_path to control the executable search path.
  • Limit the use of wildcards in the sudoers file for better security.
  • Keep sudo and the system updated to patch security vulnerabilities.
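As an added example (not from the article or the sudo project), here is a small Python audit that checks a sudoers file against the best-practice list above: it parses the Defaults options (keeping a quoted badpass_message with a comma as one item, and not counting negated options such as !requiretty as set), reports which of the hardening options from this article are missing, and flags NOPASSWD and wildcard rules. The sudoers content is constructed, and the parser is simplified to one entry per line.

```python
import re
# Constructed sample sudoers content (not from any real host): the article's Defaults plus user rules.
SAMPLE_SUDOERS = """\
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults use_pty
Defaults log_host, log_year, logfile="/var/log/sudo.log"
alice   ALL=(ALL:ALL) NOPASSWD: ALL
bob     ALL=(root) /usr/bin/systemctl restart nginx
carol   ALL=(ALL) /usr/bin/vim /etc/*
"""
HARDENING = ("requiretty", "use_pty", "logfile", "secure_path")  # expected by the best-practice list
TAG_RE = re.compile(r"\b[A-Z_]+\s*:")  # NOPASSWD:, NOEXEC:, SETENV: ... tags before the commands
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")  # user host=(runas) cmds
def _entries(text):
    """Non-empty lines with '#' comments removed (simplified: one entry per line)."""
    stripped = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [line for line in stripped if line]

def parse_defaults(text):
    """Return the set of option names set on Defaults lines (values and negated options dropped)."""
    opts = set()
    for line in _entries(text):
        if not line.startswith("Defaults"):
            continue
        body = re.sub(r"^[:@!>]\S+", "", line[len("Defaults"):])  # drop Defaults:user, Defaults@host
        # Split on commas outside double quotes so badpass_message="a, b" stays one item.
        for item in re.findall(r'(?:[^,"]|"[^"]*")+', body):
            name = re.match(r"[A-Za-z_]\w*", item.strip())  # a leading '!' means the option is off
            if name:
                opts.add(name.group(0))
    return opts

def audit(text):
    """Return (subject, finding) pairs: missing hardening Defaults, NOPASSWD use, wildcards."""
    present = parse_defaults(text)
    findings = [("Defaults", f"hardening option '{o}' not set") for o in HARDENING if o not in present]
    for line in _entries(text):
        if line.startswith(("Defaults", "@")) or re.match(r"(User|Host|Cmnd|Runas)_Alias\b", line):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, cmnd_part = m.group(1), m.group(4)
        cmds = TAG_RE.sub("", cmnd_part).strip()
        if re.search(r"\bNOPASSWD\s*:", cmnd_part):
            findings.append((user, "NOPASSWD with ALL: passwordless unrestricted root" if cmds == "ALL"
                             else f"NOPASSWD on '{cmds}': confirm it is strictly needed"))
        if "*" in cmds:
            findings.append((user, f"wildcard in command '{cmds}': argument matching is loose"))
    return findings
```

Running audit(SAMPLE_SUDOERS) reports the missing requiretty option, alice's passwordless ALL rule and carol's wildcard; bob's single fixed command produces no finding.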

5. Which file is used to configure sudo privileges?

The file used to configure sudo privileges is the sudoers file. This file is typically located at “/etc/sudoers” on Unix-like systems. It can be edited using the “visudo” command, which provides a safe way to modify the sudoers file to avoid syntax errors and potential configuration issues. The sudoers file defines the rules and permissions for users and groups to execute commands with elevated privileges using the sudo command.

Conclusion

In this article we discussed how to configure the Linux sudoers file, especially on Ubuntu, which is crucial for effective user privilege management and system security. Exploring nine key sudo configurations shows how access controls can be tailored. These configurations cover setting a secure path, restricting sudo to TTY user logins, protecting against malicious programs with use_pty, creating custom log files, logging input and output, lecturing users, customizing wrong-password messages, setting the password try limit, and adding humour with insults. Understanding and implementing these configurations allows administrators to improve system security based on their specific needs.


Last Updated : 14 Dec, 2023