Using sudo options to enhance security

Sudo Security Voodoo

© Lead Image © Fernando Gregory,

© Lead Image © Fernando Gregory,

Article from Issue 223/2019

By taking the time to learn sudo's many options, you can make your system more secure.

The sudo command [1] has been around since the 1980s, but it has gained popularity in recent years as the default tool for running commands as root in Ubuntu. However, there's far more to sudo than Ubuntu's policy. In fact, sudo's man page is over 2,400 lines long, covering a staggering number of situations – some of which, like many powerful Linux commands, can get you in a lot of trouble if you are careless. sudo also offers options that can greatly enhance security, especially if you take the time to be creative.

Why would you want to enhance your security? The answer is that, from a security viewpoint, Ubuntu's use of sudo can be viewed as a problem (although opinions do differ). As you may know, when sudo is configured the way it is in Ubuntu, you can use the password for your everyday account to log in to sudo and run root commands. The trouble is that any password for an everyday account is exposed in a way that the root account is not, especially on the Internet. That means that if the everyday account is compromised, the intruder gains root access, too, if sudo is set up on the system. The traditional separate root password is more secure, although less convenient. Fortunately, though, you can manage both convenience and security by taking the time to learn the details of sudo.

Editing sudoers

sudo has a unique configuration system. You can configure the behavior of the sudo command using the sudoers file in the /etc directory (Figure 1). sudoers lists default behaviors and the privileges granted to individual users. As the top of the sudoers file warns, it should only be edited using the visudo command. visudo is designed to prevent you from editing sudoers in a way that would cripple or disable sudo by doing all editing in a temporary file and replacing the original file only when all editing is done. Should you make an error while editing sudoers, as you try to save, visudo will give you the option to reopen its temporary copy of sudoers to correct the errors (e) or discard your edits (X) – choices that you obviously should not ignore. Depending on the distribution, visudo may or may not display these choices, but they will be available whether displayed or not.


Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Command Line: Sudo and Passwords

    Sudo provides the building blocks to secure your system exactly the way you want it.

  • Sudo and PolicyKit

    If you give users who are usually supervised more scope to help themselves, they will need additional privileges. The sudo tool and the PolicyKit authorization service can control who does what on Linux.

  • PHP for Sysadmins

    Most admins tend to use the shell, Perl,or Python if they need a system administration script. But there is no need for web programmers to learn another language just to script a routine task. PHP gives admins the power to program command-line tools and even complete web interfaces.

  • Sudo Vulnerability

    A vulnerability in the sudo package gives sudo users more powers than they deserve.

  • Encrypting USB Sticks

    How easy is it to lose a USB stick? Why not protect your data just in case the stick falls into unfriendly hands?

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95