Advanced password manipulation in sudo
Special Privileges
Sudo provides the building blocks to secure your system exactly the way you want it.
If you know sudo, you probably know it from Ubuntu, in which you enter your password in return for temporary root privileges. However, Ubuntu's setup is only one of many for sudo. By editing /etc/sudoers
, you can configure sudo's password requirements and other features to secure your system in exactly the way you prefer.
Sudo exists for the purposes of minimizing your exposure when you are root user. Because the root account gives full access to your files, your system is at its most vulnerable when you are root. Consequently, you want to minimize your time as root and perhaps even make the root password hard to find.
The sudoers file takes a lot of options, and a careless choice could lock you out of the root account altogether. To avoid this possibility, always edit /etc/sudoers
with the visudo
command. Visudo creates a temporary copy of sudoers to edit, then checks it for errors. If any errors are found, visudo gives their approximate location by line and gives you three options: to re-open the editor to correct the errors (e); to exit, discarding your edits (X); or to quit (Q) and save the temporary file to the permanent sudoers file. This last option is something that you obviously should not do unless you are very confident that you know better than visudo, because you could prevent sudoers from working at all. Some compilations of visudo, such as Ubuntu's, list the possible choices, whereas others, such as openSUSE's, do not.
Understanding /etc/sudoers
The sudoers file begins with a warning to edit only with visudo. Below it are three main sections.
The usual first section is a list of aliases (Figure 1) with subsections for hosts (host names, IP addresses, network numbers, or netgroups), users (account names, UIDs, groups, or netgroups), run as (account names, UIDs, groups, or netgroups), and commands (sets of related commands, usually with full pathnames). Generally, the aliases are placed first, because they save typing in other sections and can be used to limit user privileges. They are traditionally capitalized to distinguish them from system groups listed in /etc/groups
, which are lowercase.
Regardless of the type of alias, their structure is:
[ALIAS_TYPE] = [ITEM 1], ITEM 2
For example, if you wanted users bb and tk both to use sudo with the same privileges, instead of defining their privileges separately, you could create the alias:
User_Alias ADMIN = bb,tk
Then, when you set up user privileges, you could define privileges for ADMIN, instead of for bb and tk separately. In a similar way, you could define a list of terminals on a network from which a sudo user can log in, or a sub-set of commands, such as apt-get
and dpkg
, that can be used to limit which root privileges a user logged in to sudo can run.
Typically, the alias section is followed by one labeled in the comments as User privilege specification (Figure 2). This is the section where most of what a user can do is defined. A basic entry uses the structure:
[USER or ALIAS] [TERMINALS]=[USER RUN AS] [TAGS:] [PERMISSIBLE COMMANDS]
For example, the basic entry for the root user with all privileges is:
root ALL=(ALL) ALL
For other users, you can also specify members of a group listed in /etc/group
. For example, in Ubuntu, privileges are defined for members of the groups admin and sudo and only need to be uncommented to become functional. Notice that groups listed in /etc/group
are generally in lowercase, whereas aliases defined in sudoers are uppercase, so they can be easily distinguished. A more restricted user privilege specification might be
bb ALL=passwd, chown, chgrp, chmod
which would give user bb the ability to change passwords and permissions from all terminals on the system, while running as root. Alternatively, you might create a command alias called PERMISSIONS that included all four commands:
bb ALL=(ROOT) PERMISSIONS
The third section of sudoers is usually labeled something like Default specification (Figure 3). Sometimes placed at the top of the file, it consists of one specification per line that changes sudoers' default behavior, either in general or for one user or user alias. For example, if you want sudo to insult users when they fail to log in successfully – presumably as a joke or as a way of reinforcing greater caution – the default specifications section might include the line:
Defaults insults
All entries in sudoers can be turned off by commenting them out. Entries also accept wildcards, such as * for any number of characters or ? for any single character. However, before using wildcards, consider whether they give more permissions than you intended.
Password Options
The most important options for customizing sudoers involves passwords. Before choosing any of them, you need to think carefully about what combination of convenience and security you want.
When a user is listed under specifications or included in a sudoer alias or system group, that user needs only to enter their own password to run as root. This setup is the default option for the user created during installation of Ubuntu. It has the convenience of not requiring that you memorize another password, but it also means that, if your normal account is cracked, then the intruder can easily run root commands. For this reason, you might want to consider other alternatives.
Many of these alternatives will require a separate root password, which Ubuntu deliberately hides. For this reason, before implementing an alternative, you might need to change to a root password of your own choosing by running the command sudo password
(Figure 4). This modification will give you more options, while leaving sudo running just as before.
The sudoers file includes a tag to run root commands without any password. This tag is placed before the list of commands:
bb ALL=(ALL) NOPASSWD:ALL
No doubt NOPASSWD
has a role on test machines, but on the average workstation or network, it is even less desirable than Ubuntu's default, because it makes system penetration easy. By contrast, PASSWD:
requires a password for all the commands that follow it, which may seem overstrict.
Other password options can be added as default specifications. For example, the line Defaults runpw
requires users to give the root password instead of their own. By default, so will Defaults runaspw
. However, if runaspw
is followed by another user's name, that user's password must be entered instead.
In the same way, Defaults targetpw
also defaults to requiring the root password. However, just as with runaspw
, targetpw
can be used with an account that is used only with sudo. Sudoers can then be set up so that sudo -u USER
is required to run specific root commands.
Other specifications can also control access to sudoers. For example, Defaults passwd_tries=[NUMBERS]
sets the number of unsuccessful password attempts that can be made before the attempt is logged. An equally important specification is password_timeout=[MINUTES]
, which sets how long you have root privileges once you log in; a setting of 15 minutes is common in major distributions, but I have heard of timeouts of five minutes, or even two.
Finally, you might consider adding Defaults listpw=always
to require a password before the command sudo -l
yields its usual summary of sudoer's settings and assigned user privileges. It's a final bit of security that sudoers can give you by manipulating passwords. When you are done, quit the text editor as you normally would.
Other Options and Choices
Sudoers is not just about passwords and logins. Other tags and default specifications define what editor you can use with visudo, as well as the environment you log into, or how and where failed attempts to log in to sudo are stored or mailed. The sudoers man page lists them in full and exhausting detail.
However, few of these other concerns affect how sudo is used as passwords. You do not need to be satisfied with the security that your distribution has chosen – and, in some cases, you should not be. Instead, you can fine-tune sudo exactly as you want.
If you choose, you can build elaborate structures with specialized accounts used only with sudo and assign separate command aliases to them, subdividing access to root commands among the specialized accounts. Or, perhaps you only want a basic structure that seems more secure to you. Either way, sudo provides the building blocks for whatever possibility appeals to you.
Bruce Byfield
Bruce Byfield is a computer journalist and a freelance writer and editor specializing in free and open source software. In addition to his writing projects, he also teaches live and e-learning courses. In his spare time, Bruce writes about Northwest coast art. You can read more of his work at http://brucebyfield.wordpress.com
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.