Advanced password manipulation in sudo
Special Privileges
Sudo provides the building blocks to secure your system exactly the way you want it.
If you know sudo, you probably know it from Ubuntu, in which you enter your password in return for temporary root privileges. However, Ubuntu's setup is only one of many for sudo. By editing /etc/sudoers, you can configure sudo's password requirements and other features to secure your system in exactly the way you prefer.
Sudo exists to minimize your exposure when you are the root user. Because the root account gives full access to your files, your system is at its most vulnerable when you are root. Consequently, you want to minimize your time as root and perhaps even make the root password hard to find.
The sudoers file takes a lot of options, and a careless choice could lock you out of the root account altogether. To avoid this possibility, always edit /etc/sudoers with the visudo command. Visudo creates a temporary copy of sudoers to edit, then checks it for errors. If any errors are found, visudo gives their approximate location by line and gives you three options: to re-open the editor to correct the errors (e); to exit, discarding your edits (X); or to quit (Q) and save the temporary file to the permanent sudoers file. This last option is something that you obviously should not do unless you are very confident that you know better than visudo, because you could prevent sudoers from working at all. Some builds of visudo, such as Ubuntu's, list the possible choices, whereas others, such as openSUSE's, do not.
Understanding /etc/sudoers
The sudoers file begins with a warning to edit only with visudo. Below it are three main sections.
The usual first section is a list of aliases (Figure 1) with subsections for hosts (host names, IP addresses, network numbers, or netgroups), users (account names, UIDs, groups, or netgroups), run as (account names, UIDs, groups, or netgroups), and commands (sets of related commands, usually with full pathnames). Generally, the aliases are placed first, because they save typing in other sections and can be used to limit user privileges. They are traditionally capitalized to distinguish them from system groups listed in /etc/group, which are lowercase.
Regardless of the type of alias, the structure is:
[ALIAS_TYPE] [NAME] = [ITEM 1], [ITEM 2]
For example, if you wanted users bb and tk both to use sudo with the same privileges, instead of defining their privileges separately, you could create the alias:
User_Alias ADMIN = bb,tk
Then, when you set up user privileges, you could define privileges for ADMIN, instead of for bb and tk separately. In a similar way, you could define a list of terminals on a network from which a sudo user can log in, or a sub-set of commands, such as apt-get and dpkg, that can be used to limit which root privileges a user logged in to sudo can run.
Typically, the alias section is followed by one labeled in the comments as User privilege specification (Figure 2). This is the section where most of what a user can do is defined. A basic entry uses the structure:
[USER or ALIAS] [TERMINALS]=[USER RUN AS] [TAGS:] [PERMISSIBLE COMMANDS]
For example, the basic entry for the root user with all privileges is:
root ALL=(ALL) ALL
For other users, you can also specify members of a group listed in /etc/group. For example, in Ubuntu, privileges are defined for members of the groups admin and sudo and only need to be uncommented to become functional. Notice that groups listed in /etc/group are generally in lowercase, whereas aliases defined in sudoers are uppercase, so they can be easily distinguished. A more restricted user privilege specification might be
bb ALL=/usr/bin/passwd, /usr/bin/chown, /usr/bin/chgrp, /usr/bin/chmod
which would give user bb the ability to change passwords and permissions from all terminals on the system, while running as root (commands must be given by full pathname, which can vary by distribution). Alternatively, you might create a command alias called PERMISSIONS that included all four commands:
bb ALL=(root) PERMISSIONS
The third section of sudoers is usually labeled something like Default specification (Figure 3). Sometimes placed at the top of the file, it consists of one specification per line that changes sudoers' default behavior, either in general or for one user or user alias. For example, if you want sudo to insult users when they fail to log in successfully – presumably as a joke or as a way of reinforcing greater caution – the default specifications section might include the line:
Defaults insults
All entries in sudoers can be turned off by commenting them out. Entries also accept wildcards, such as * for any number of characters or ? for any single character. However, before using wildcards, consider whether they give more permissions than you intended.
Password Options
The most important options for customizing sudoers involve passwords. Before choosing any of them, you need to think carefully about what combination of convenience and security you want.
When a user is listed under specifications or included in a sudoer alias or system group, that user needs only to enter their own password to run as root. This setup is the default option for the user created during installation of Ubuntu. It has the convenience of not requiring that you memorize another password, but it also means that, if your normal account is cracked, then the intruder can easily run root commands. For this reason, you might want to consider other alternatives.
Many of these alternatives will require a separate root password, which Ubuntu deliberately hides. For this reason, before implementing an alternative, you might need to change to a root password of your own choosing by running the command sudo passwd (Figure 4). This modification will give you more options, while leaving sudo running just as before.
The sudoers file includes a tag to run root commands without any password. This tag is placed before the list of commands:
bb ALL=(ALL) NOPASSWD:ALL
No doubt NOPASSWD has a role on test machines, but on the average workstation or network, it is even less desirable than Ubuntu's default, because it makes system penetration easy. By contrast, PASSWD: requires a password for all the commands that follow it, which may seem overstrict.
Other password options can be added as default specifications. For example, the line Defaults rootpw requires users to give the root password instead of their own. By default, so will Defaults runaspw. However, if runaspw is followed by another user's name, that user's password must be entered instead.
In the same way, Defaults targetpw also defaults to requiring the root password. However, just as with runaspw, targetpw can be used with an account that is used only with sudo. Sudoers can then be set up so that sudo -u USER is required to run specific root commands.
Other specifications can also control access to sudoers. For example, Defaults passwd_tries=[NUMBER] sets the number of unsuccessful password attempts that can be made before the attempt is logged. An equally important specification is timestamp_timeout=[MINUTES], which sets how long you have root privileges once you log in; a setting of 15 minutes is common in major distributions, but I have heard of timeouts of five minutes, or even two.
Finally, you might consider adding Defaults listpw=always to require a password before the command sudo -l yields its usual summary of sudoer's settings and assigned user privileges. It's a final bit of security that sudoers can give you by manipulating passwords. When you are done, quit the text editor as you normally would.
Other Options and Choices
Sudoers is not just about passwords and logins. Other tags and default specifications define what editor you can use with visudo, as well as the environment you log into, or how and where failed attempts to log in to sudo are stored or mailed. The sudoers man page lists them in full and exhausting detail.
However, few of these other concerns affect how sudo uses passwords. You do not need to be satisfied with the security that your distribution has chosen – and, in some cases, you should not be. Instead, you can fine-tune sudo exactly as you want.
If you choose, you can build elaborate structures with specialized accounts used only with sudo and assign separate command aliases to them, subdividing access to root commands among the specialized accounts. Or, perhaps you only want a basic structure that seems more secure to you. Either way, sudo provides the building blocks for whatever possibility appeals to you.
Bruce Byfield
Bruce Byfield is a computer journalist and a freelance writer and editor specializing in free and open source software. In addition to his writing projects, he also teaches live and e-learning courses. In his spare time, Bruce writes about Northwest coast art. You can read more of his work at http://brucebyfield.wordpress.com