Using sudo options to enhance security

Sudo Security Voodoo

© Lead Image © Fernando Gregory, 123RF.com

© Lead Image © Fernando Gregory, 123RF.com

Article from Issue 223/2019
Author(s):

By taking the time to learn sudo's many options, you can make your system more secure.

The sudo command [1] has been around since the 1980s, but it has gained popularity in recent years as the default tool for running commands as root in Ubuntu. However, there's far more to sudo than Ubuntu's policy. In fact, sudo's man page is over 2,400 lines long, covering a staggering number of situations – some of which, like many powerful Linux commands, can get you in a lot of trouble if you are careless. sudo also offers options that can greatly enhance security, especially if you take the time to be creative.

Why would you want to enhance your security? The answer is that, from a security viewpoint, Ubuntu's use of sudo can be viewed as a problem (although opinions do differ). As you may know, when sudo is configured the way it is in Ubuntu, you can use the password for your everyday account to log in to sudo and run root commands. The trouble is that any password for an everyday account is exposed in a way that the root account is not, especially on the Internet. That means that if the everyday account is compromised, the intruder gains root access, too, if sudo is set up on the system. The traditional separate root password is more secure, although less convenient. Fortunately, though, you can manage both convenience and security by taking the time to learn the details of sudo.

Editing sudoers

sudo has a unique configuration system. You can configure the behavior of the sudo command using the sudoers file in the /etc directory (Figure 1). sudoers lists default behaviors and the privileges granted to individual users. As the top of the sudoers file warns, it should only be edited using the visudo command. visudo is designed to prevent you from editing sudoers in a way that would cripple or disable sudo by doing all editing in a temporary file and replacing the original file only when all editing is done. Should you make an error while editing sudoers, as you try to save, visudo will give you the option to reopen its temporary copy of sudoers to correct the errors (e) or discard your edits (X) – choices that you obviously should not ignore. Depending on the distribution, visudo may or may not display these choices, but they will be available whether displayed or not.

[...]

Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Command Line: Sudo and Passwords

    Sudo provides the building blocks to secure your system exactly the way you want it.

    more »
  • Strict Education

    "I've seen penguins that can type better than that." If you give sudo the wrong password, you deserve to be shouted at, says sys admin columnist Charly. He is not exempt from the insult and sees it as an opportunity to raise sudoing awareness.

    more »
  • Sudo and PolicyKit

    If you give users who are usually supervised more scope to help themselves, they will need additional privileges. The sudo tool and the PolicyKit authorization service can control who does what on Linux.

    more »
  • Privilege Escalation

    Even a small configuration error or oversight can create an opening for privilege escalation. These real-world escalation techniques will help you understand what to watch for.

    more »
  • Doas

    The Sudo privilege management tool is big and complicated, with many advanced options that only an expert would need. Doas is far simpler – which might just make it safer for desktop users.

    more »
comments powered by Disqus