4.2. The sudo Command
sudocommand offers another approach to giving users administrative access. When trusted users precede an administrative command with
sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
The basic format of the
sudocommand is as follows:
In the above example, <command> would be replaced by a command normally reserved for the root user, such as
sudocommand allows for a high degree of flexibility. For instance, only users listed in the
/etc/sudoersconfiguration file are allowed to use the
sudocommand and the command is executed in the user's shell, not a root shell. This means the root shell can be completely disabled as shown in the Red Hat Enterprise Linux 6 Security Guide.
Each successful authentication using the
sudois logged to the file
/var/log/messagesand the command issued along with the issuer's user name is logged to the file
/var/log/secure. Should you require additional logging, use the
pam_tty_auditmodule to enable TTY auditing for specified users by adding the following line to your
session required pam_tty_audit.so disable=<pattern> enable=<pattern>
where pattern represents a comma-separated listing of users with an optional use of globs. For example, the following configuration will enable TTY auditing for the root user and disable it for all other users:
session required pam_tty_audit.so disable=* enable=root
Another advantage of the
sudocommand is that an administrator can allow different users access to specific commands based on their needs.
Administrators wanting to edit the
/etc/sudoers, should use the
To give someone full administrative privileges, type
visudoand add a line similar to the following in the user privilege specification section:
juan ALL=(ALL) ALL
This example states that the user,
juan, can use
sudofrom any host and execute any command.
The example below illustrates the granularity possible when configuring
%users localhost=/sbin/shutdown -h now
This example states that any user can issue the command
/sbin/shutdown -h nowas long as it is issued from the console.
The man page for
sudoershas a detailed listing of options for this file.
There are several potential risks to keep in mind when using the
sudocommand. You can avoid them by editing the
/etc/sudoersconfiguration file using
visudoas described above. Leaving the
/etc/sudoersfile in its default state gives every user in the
wheelgroup unlimited root access.
- By default,
sudostores the sudoer's password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves his workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the
Defaults timestamp_timeout=<value>where <value> is the desired timeout length in minutes. Setting the <value> to 0 causes
sudoto require a password every time.
- If a sudoer's account is compromised, an attacker can use
sudoto open a new shell with administrative privileges:
sudo /bin/bashOpening a new shell as root in this or similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the
/etc/sudoersfile and never requiring the attacker to input a password for
sudoagain until the newly opened session is closed.