The sys admin's daily grind: sudoers

Charly's Column – sudoersn

Article from Issue 221/2019

"I've seen penguins that can type better than that." If you give sudo the wrong password, you deserve to be shouted at, says sys admin columnist Charly. He is not exempt from the insult and sees it as an opportunity to raise sudoing awareness.

If you work with and on Linux, you are likely to type sudo regularly to execute programs with another user's privileges – typically the superuser's. sudo will then understandably ask for the appropriate password. In times when my fingers refuse to obey me and I enter the secret password wrong three times in succession, sudo rejects my request to escalate. Okay, if you fail to type the password correctly despite having had three attempts, maybe you shouldn't be messing around on the system with root privileges. So far, so good, but free software can surely offer more than that!

sudo visudo

sudo looks for its default settings in the /etc/sudoers file. You can't just open it with an editor; instead, you need to use the visudo command – assuming you're root. (If I'm on the road as a user, I have to type sudo visudo, which strangely makes me laugh.) At the beginning of the file are some lines that start with Defaults. You need to add two lines here (Figure 1):

Defaults insults
Defaults passwd_tries=5
Figure 1: The file /etc/sudoers contains two new Defaults entries.

The first line causes sudo to output a silly saying after every wrong input. The second line increases the number of allowed failed attempts to five. To test this, I deliberately acted stupid again and got the result shown in Figure 2.

Figure 2: Users are now hit by four insults before sudo black flags them.

Tomorrow's world: I was wondering whether I could perhaps store some insults customized for myself – or better still, for my favorite co-workers? Yes, I can! You need to store a string in /etc/sudoers, which is displayed after typing the wrong password:

Defaults badpass_message="You shall not pass!"

For this to work, you have to remove the Defaults insults entry.

"Just What Do You Think You're Doing, Dave?"

That's not bad. A list of different answers, from which sudo then randomly selects one, would be even better of course. Unfortunately, this only works by changing the answers in the source code and then recompiling them.

I found some source code files containing useful sayings online [1]: ins_2001.h, ins_classic.h, ins_python.h, ins_goons.h, ins_csops.h, and insults.h.

The file names indicate the movies or TV shows from which the quotes are taken. The ins_python.h file has nothing to do with the programming language, of course, but contains legendary sayings from Monty Python, such as, "I fart in your general direction!".

While I am suffering from regular verbal humiliation, the thought occurred to me that I could announce a competition among my co-workers for the best sudo insults. See you next time, dummies!

The Author

Charly Kühnast manages Unix systems in the data center in the Lower Rhine region of Germany. His responsibilities include ensuring the security and availability of firewalls and the DMZ.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Command Line: Sudo and Passwords

    Sudo provides the building blocks to secure your system exactly the way you want it.

  • Sudo and PolicyKit

    If you give users who are usually supervised more scope to help themselves, they will need additional privileges. The sudo tool and the PolicyKit authorization service can control who does what on Linux.

  • Privilege Escalation

    Even a small configuration error or oversight can create an opening for privilege escalation. These real-world escalation techniques will help you understand what to watch for.

  • Introduction

    This month in Linux Voice.

  • Charly's Column – pwquality

    Regular password changes are a thing of the past: Strong passwords for each individual service provide more protection. Charly pimped his Ubuntu accordingly with a suitable PAM module.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More