{"id":13227,"date":"2019-04-01T08:37:55","date_gmt":"2019-04-01T08:37:55","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=13227"},"modified":"2019-04-01T08:37:55","modified_gmt":"2019-04-01T08:37:55","slug":"10-useful-sudoers-configurations-for-setting-sudo-in-linux","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/04\/01\/10-useful-sudoers-configurations-for-setting-sudo-in-linux\/","title":{"rendered":"10 Useful Sudoers Configurations for Setting \u2018sudo\u2019 in Linux"},"content":{"rendered":"

In Linux and other Unix-like operating systems, only the\u00a0root<\/strong>\u00a0user can run all commands and perform certain critical operations on the system such as install and update, remove packages,\u00a0create users and groups<\/a>, modify important system configuration files and so on.<\/p>\n

However, a system administrator who assumes the role of the root user can permit other normal system users with the help of\u00a0sudo command<\/a>\u00a0and a few configurations to run some commands as well as carry out a number of vital system operations including the ones mentioned above.<\/p>\n

Alternatively, the system administrator can share the root user password (which is not a recommended method) so that normal system users have access to the root user account via\u00a0su<\/strong>\u00a0command.<\/p>\n

sudo<\/strong>\u00a0allows a permitted user to execute a command as root (or another user), as specified by the security policy:<\/p>\n

    \n
  1. It reads and parses\u00a0\/etc\/sudoers<\/strong>, looks up the invoking user and its permissions,<\/li>\n
  2. then prompts the invoking user for a password (normally the user\u2019s password, but it can as well be the target user\u2019s password. Or it can be skipped with NOPASSWD tag),<\/li>\n
  3. after that, sudo creates a child process in which it calls\u00a0setuid()<\/strong>\u00a0to switch to the target user<\/li>\n
  4. next, it executes a shell or the command given as arguments in the child process above.<\/li>\n<\/ol>\n

    Below are ten\u00a0\/etc\/sudoers<\/strong>\u00a0file configurations to modify the behavior of\u00a0sudo<\/strong>\u00a0command using\u00a0Defaults<\/strong>\u00a0entries.<\/p>\n

    $ sudo cat \/etc\/sudoers\r\n<\/pre>\n
    \/etc\/sudoers File<\/div>\n
    #\r\n# This file MUST be edited with the 'visudo' command as root.\r\n#\r\n# Please consider adding local content in \/etc\/sudoers.d\/ instead of\r\n# directly modifying this file.\r\n#\r\n# See the man page for details on how to write a sudoers file.\r\n#\r\nDefaults\tenv_reset\r\nDefaults\tmail_badpass\r\nDefaults\tsecure_path=\"\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin\"\r\nDefaults\tlogfile=\"\/var\/log\/sudo.log\"\r\nDefaults\tlecture=\"always\"\r\nDefaults\tbadpass_message=\"Password is wrong, please try again\"\r\nDefaults\tpasswd_tries=5\r\nDefaults\tinsults\r\nDefaults\tlog_input,log_output<\/strong>\r\n<\/pre>\n
    Types of Defaults Entries<\/h4>\n
    Defaults                parameter,   parameter_list     #affect all users on any host\r\nDefaults@Host_List      parameter,   parameter_list     #affects all users on a specific host\r\nDefaults:User_List      parameter,   parameter_list     #affects a specific user\r\nDefaults!Cmnd_List      parameter,   parameter_list     #affects  a specific command \r\nDefaults>Runas_List     parameter,   parameter_list     #affects commands being run as a specific user\r\n<\/pre>\n
    For the scope of this guide, we will zero down to the first type of\u00a0Defaults<\/strong>\u00a0in the forms below. Parameters may be flags, integer values, strings, or lists.<\/p>\n
    You should note that flags are implicitly boolean and can be turned off using the\u00a0'!'<\/code>\u00a0operator, and lists have two additional assignment operators,\u00a0+=<\/code>\u00a0(add to list) and\u00a0-=<\/code>\u00a0(remove from list).<\/p>\n
    Defaults     parameter\r\nOR\r\nDefaults     parameter=value\r\nOR\r\nDefaults     parameter -=value   \r\nDefaults     parameter +=value  \r\nOR\r\nDefaults     !parameter       \r\n<\/pre>\n
    1. Set a Secure PATH<\/h3>\n
    This is the path used for every command run with sudo, it has two importances:<\/p>\n
      \n
    1. Used when a system administrator does not trust sudo users to have a secure PATH environment variable<\/li>\n
    2. To separate \u201croot path\u201d and \u201cuser path\u201d, only users defined by\u00a0exempt_group<\/strong>\u00a0are not affected by this setting.<\/li>\n<\/ol>\n
      To set it, add the line:<\/p>\n
      Defaults secure_path=\"\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin\"\r\n<\/pre>\n
      2. Enable sudo on TTY User Login Session<\/h3>\n
      To enable sudo to be invoked from a real\u00a0tty<\/strong>\u00a0but not through methods such as\u00a0cron<\/strong>\u00a0or\u00a0cgi-bin<\/strong>\u00a0scripts, add the line:<\/p>\n
      Defaults  requiretty   \r\n<\/pre>\n
      3. Run Sudo Command Using a pty<\/h3>\n
      A few times, attackers can run a malicious program (such as a virus or malware) using sudo, which would again fork a background process that remains on the user\u2019s terminal device even when the main program has finished executing.<\/p>\n
      To avoid such a scenario, you can configure sudo to run other commands only from a\u00a0psuedo-pty<\/strong>\u00a0using the\u00a0use_pty<\/code>\u00a0parameter, whether I\/O logging is turned on or not as follows:<\/p>\n
      Defaults  use_pty\r\n<\/pre>\n
      4. Create a Sudo Log File<\/h3>\n
      By default, sudo logs through syslog(3). However, to specify a custom log file, use the logfile parameter like so:<\/p>\n
      Defaults  logfile=\"\/var\/log\/sudo.log\"\r\n<\/pre>\n
      To log hostname and the four-digit year in the custom log file, use\u00a0log_host<\/strong>\u00a0and\u00a0log_year<\/strong>\u00a0parameters respectively as follows:<\/p>\n
      Defaults  log_host, log_year, logfile=\"\/var\/log\/sudo.log\"\r\n<\/pre>\n
      Below is an example of a custom sudo log file:<\/p>\n
      \n
      \"Create<\/a><\/p>\n
      Create Custom Sudo Log File<\/p>\n<\/div>\n
      5. Log Sudo Command Input\/Output<\/h3>\n
      The\u00a0log_input<\/strong>\u00a0and\u00a0log_output<\/strong>\u00a0parameters enable sudo to run a command in pseudo-tty and log all user input and all output sent to the screen receptively.<\/p>\n
      The default I\/O log directory is\u00a0\/var\/log\/sudo-io<\/strong>, and if there is a session sequence number, it is stored in this directory. You can specify a custom directory through the\u00a0iolog_dir<\/strong>\u00a0parameter.<\/p>\n
      Defaults   log_input, log_output\r\n<\/pre>\n
      There are some escape sequences are supported such as\u00a0%{seq}<\/code>\u00a0which expands to a monotonically increasing base-36 sequence number, such as 000001, where every two digits are used to form a new directory, e.g.\u00a000\/00\/01<\/strong>\u00a0as in the example below:<\/p>\n
      $ cd \/var\/log\/sudo-io\/\r\n$ ls\r\n$ cd  00\/00\/01\r\n$ ls\r\n$ cat log\r\n<\/pre>\n
      \n
      \"Log<\/a><\/p>\n
      Log sudo Input Output<\/p>\n<\/div>\n
      You can view the rest of the files in that directory using the\u00a0cat command<\/a>.<\/p>\n
      6. Lecture Sudo Users<\/h3>\n
      To lecture sudo users about password usage on the system, use the\u00a0lecture<\/strong>\u00a0parameter as below.<\/p>\n
      It has 3 possible values:<\/p>\n
        \n
      1. always \u2013 always lecture a user.<\/li>\n
      2. once \u2013 only lecture a user the first time they execute sudo command (this is used when no value is specified)<\/li>\n
      3. never \u2013 never lecture the user.<\/li>\n<\/ol>\n
         \r\nDefaults  lecture=\"always\"\r\n<\/pre>\n
        Additionally, you can set a custom lecture file with the\u00a0lecture_file<\/strong>\u00a0parameter, type the appropriate message in the file:<\/p>\n
        Defaults  lecture_file=\"\/path\/to\/file\"\r\n<\/pre>\n
        \n
        \"Lecture<\/a><\/p>\n
        Lecture Sudo Users<\/p>\n<\/div>\n
        7. Show Custom Message When You Enter Wrong sudo Password<\/h3>\n
        When a user enters a wrong password, a certain message is displayed on the command line. The default message is \u201csorry, try again<\/strong>\u201d, you can modify the message using the\u00a0badpass_message<\/strong>\u00a0parameter as follows:<\/p>\n
        Defaults  badpass_message=\"Password is wrong, please try again\"\r\n<\/pre>\n
        8. Increase sudo Password Tries Limit<\/h3>\n
        The parameter\u00a0passwd_tries<\/strong>\u00a0is used to specify the number of times a user can try to enter a password.<\/p>\n
        The default value is 3:<\/p>\n
        Defaults   passwd_tries=5 \r\n<\/pre>\n
        \n
        \"Increase<\/a><\/p>\n
        Increase Sudo Password Attempts<\/p>\n<\/div>\n
        To set a password timeout (default is 5 minutes) using\u00a0passwd_timeout<\/strong>\u00a0parameter, add the line below:<\/p>\n
        Defaults   passwd_timeout=2\r\n<\/pre>\n
        9. Let Sudo Insult You When You Enter Wrong Password<\/h3>\n
        In case a user types a wrong password, sudo will display insults on the terminal with the insults parameter. This will automatically turn off the\u00a0badpass_message<\/strong>\u00a0parameter.<\/p>\n
        Defaults  insults \r\n<\/pre>\n
        \n
        \"Let's<\/a><\/p>\n
        Let\u2019s Sudo Insult You When Enter Wrong Password<\/p>\n<\/div>\n
        Read More<\/strong>:\u00a0Let Sudo Insult You When You Enter Incorrect Password<\/a><\/p>\n
        10. Learn More Sudo Configurations<\/h3>\n
        Additionally, you can learn more\u00a0sudo<\/strong>\u00a0command configurations by reading:\u00a0Difference Between su and sudo and How to Configure sudo in Linux<\/a>.<\/p>\n
        That\u2019s it! You can share other useful sudo command configurations or\u00a0tricks and tips with Linux<\/a>\u00a0users out there via the comment section below.<\/p>\n
        Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
        In Linux and other Unix-like operating systems, only the\u00a0root\u00a0user can run all commands and perform certain critical operations on the system such as install and update, remove packages,\u00a0create users and groups, modify important system configuration files and so on. However, a system administrator who assumes the role of the root user can permit other normal … <\/p>\n
        Continue reading “10 Useful Sudoers Configurations for Setting \u2018sudo\u2019 in Linux”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-13227","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=13227"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13227\/revisions"}],"predecessor-version":[{"id":13228,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13227\/revisions\/13228"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=13227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=13227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=13227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}