6.2. Configuring Administrative Access Using the sudo Utility
The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.

The basic format of the sudo command is as follows:

sudo command

In the above format, command is replaced by a command normally reserved for the root user.
The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command, and the command is executed in the user's shell, not a root shell. This means the root shell can be completely disabled, as shown in the Red Hat Enterprise Linux 7 Security Guide.
Each successful authentication using the sudo command is logged to the file /var/log/messages, and the command issued, along with the issuer's user name, is logged to the file /var/log/secure. If additional logging is required, use the pam_tty_audit module to enable TTY auditing for specified users by adding the following line to your PAM configuration:

session required pam_tty_audit.so disable=pattern enable=pattern

where pattern is a comma-separated list of user names, optionally using globs. For example, the following configuration enables TTY auditing for the root user and disables it for all other users:

session required pam_tty_audit.so disable=* enable=root
Important: Configuring the pam_tty_audit PAM module for TTY auditing records only TTY input. This means that, when the audited user logs in, pam_tty_audit records the exact keystrokes the user makes into the /var/log/audit/audit.log file. For more information, see the pam_tty_audit(8) manual page.
Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs.

Administrators who want to edit the sudo configuration file, /etc/sudoers, should use the visudo command. To give a user full administrative privileges, run visudo and add a line similar to the following in the user privilege specification section:

juan ALL=(ALL) ALL

This example states that the user juan can use sudo from any host and execute any command.
The example below illustrates the granularity possible when configuring sudo:

%users localhost=/usr/sbin/shutdown -h now

This example states that any member of the users system group can issue the command /sbin/shutdown -h now, as long as it is issued from the console.

The sudoers manual page has a detailed listing of options for this file.
To allow a user to run sudo without being prompted for a password, use the NOPASSWD option in the /etc/sudoers file:

user_name ALL=(ALL) NOPASSWD: ALL
The sudo command also runs Pluggable Authentication Module (PAM) account management modules, which enables checking for restrictions imposed by PAM modules outside of the authentication phase. This ensures that PAM modules work properly. For example, in the case of the pam_time module, the time-based account restriction is enforced rather than failing silently.

Important: Make sure to include sudo in the list of allowed services in all PAM-based access control rules. Otherwise, users receive a "permission denied" error message when they try to use sudo and access is forbidden by the current access control rules.
Important: There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the /etc/sudoers configuration file using visudo as described above. Leaving the /etc/sudoers file in its default state gives every user in the default sudo group unrestricted root access.
- By default, sudo caches a successful authentication for a five-minute timeout period. Any subsequent uses of the command during this period do not prompt the user for a password. This could be exploited by an attacker if the user leaves the workstation unattended and unlocked while still logged in. This behavior can be changed by adding the following line to the /etc/sudoers file:

  Defaults timestamp_timeout=value

  where value is the desired timeout length in minutes. Setting the value to 0 causes sudo to require a password every time.
- If an account is compromised, an attacker can use sudo to open a new shell with administrative privileges:

  sudo /bin/bash

  Opening a new shell as root in this or a similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the /etc/sudoers file and never requiring the attacker to enter a password for sudo again until the newly opened session is closed.
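The risks listed above can be reviewed mechanically before a sudoers file is deployed. The following Python script is an added example and not part of the Red Hat documentation; it scans sudoers-style rules (a constructed sample assembled from the lines on this page plus a Defaults line) for unrestricted command sets, NOPASSWD with ALL, rules that grant a root shell, and a timestamp_timeout other than 0.

```python
"""Audit sudoers-style rules for the risks discussed above (added example)."""
import re
from typing import Dict, List

# Constructed sample, built from this page's own rules; not a real /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults timestamp_timeout=15
juan ALL=(ALL) ALL
%users localhost=/usr/sbin/shutdown -h now
deploy ALL=(ALL) NOPASSWD: ALL
ops ALL=(root) /bin/bash
"""

# Programs that hand the caller an interactive root shell, defeating the timeout.
SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/sh", "/bin/zsh"}

# who  host = (runas)  TAG:  commands   (simplified sudoers grammar)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)
TIMEOUT_RE = re.compile(r"^Defaults\s+timestamp_timeout\s*=\s*(-?\d+)$")

def audit_sudoers(text: str) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    timeout = 5  # sudo's default of five minutes, as stated on the page
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            timeout = int(m.group(1))
            continue
        if line.startswith("Defaults"):
            continue  # other Defaults are out of scope for this check
        r = RULE_RE.match(line)
        if not r:
            continue
        who = r.group("who")
        cmds = [c.strip() for c in r.group("cmds").split(",") if c.strip()]
        if "NOPASSWD:" in r.group("tags") and "ALL" in cmds:
            findings.append({"who": who, "risk": "NOPASSWD with ALL commands"})
        elif "ALL" in cmds:
            findings.append({"who": who, "risk": "unrestricted command set"})
        for c in cmds:
            if c.split()[0] in SHELLS:
                findings.append({"who": who, "risk": f"root shell via {c}"})
    if timeout < 0:
        findings.append({"who": "Defaults", "risk": "timestamp_timeout<0: credentials never expire"})
    elif timeout != 0:
        findings.append({"who": "Defaults", "risk": f"timestamp_timeout={timeout} (0 requires a password every time)"})
    return findings
```

The %users rule produces no finding because it is limited to one host and one command; every other sample rule trips at least one check.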