4.2. The sudo Command
sudocommand offers another approach to giving users administrative access. When trusted users precede an administrative command with
sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
sudocommand is as follows:
sudocommand allows for a high degree of flexibility. For instance, only users listed in the
/etc/sudoersconfiguration file are allowed to use the
sudocommand and the command is executed in the user's shell, not a root shell. This means the root shell can be completely disabled as shown in the Red Hat Enterprise Linux 6 Security Guide.
sudois logged to the file
/var/log/messagesand the command issued along with the issuer's user name is logged to the file
/var/log/secure. Should you require additional logging, use the
pam_tty_auditmodule to enable TTY auditing for specified users by adding the following line to your
session required pam_tty_audit.so disable=<pattern> enable=<pattern>
session required pam_tty_audit.so disable=* enable=root
sudocommand is that an administrator can allow different users access to specific commands based on their needs.
/etc/sudoers, should use the
visudoand add a line similar to the following in the user privilege specification section:
juan ALL=(ALL) ALL
juan, can use
sudofrom any host and execute any command.
%users localhost=/sbin/shutdown -h now
/sbin/shutdown -h nowas long as it is issued from the console.
sudoershas a detailed listing of options for this file.
sudocommand. You can avoid them by editing the
/etc/sudoersconfiguration file using
visudoas described above. Leaving the
/etc/sudoersfile in its default state gives every user in the
wheelgroup unlimited root access.
- By default,
sudostores the sudoer's password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves his workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the
Defaults timestamp_timeout=<value>where <value> is the desired timeout length in minutes. Setting the <value> to 0 causes
sudoto require a password every time.
- If a sudoer's account is compromised, an attacker can use
sudoto open a new shell with administrative privileges:
sudo /bin/bashOpening a new shell as root in this or similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the
/etc/sudoersfile and never requiring the attacker to input a password for
sudoagain until the newly opened session is closed.