Using sudo options to enhance security
Sudo Security Voodoo

© Lead Image © Fernando Gregory, 123RF.com
By taking the time to learn sudo's many options, you can make your system more secure.
The sudo
command [1] has been around since the 1980s, but it has gained popularity in recent years as the default tool for running commands as root in Ubuntu. However, there's far more to sudo
than Ubuntu's policy. In fact, sudo's
man page is over 2,400 lines long, covering a staggering number of situations – some of which, like many powerful Linux commands, can get you in a lot of trouble if you are careless. sudo
also offers options that can greatly enhance security, especially if you take the time to be creative.
Why would you want to enhance your security? The answer is that, from a security viewpoint, Ubuntu's use of sudo
can be viewed as a problem (although opinions do differ). As you may know, when sudo
is configured the way it is in Ubuntu, you can use the password for your everyday account to log in to sudo
and run root commands. The trouble is that any password for an everyday account is exposed in a way that the root account is not, especially on the Internet. That means that if the everyday account is compromised, the intruder gains root access, too, if sudo
is set up on the system. The traditional separate root password is more secure, although less convenient. Fortunately, though, you can manage both convenience and security by taking the time to learn the details of sudo
.
Editing sudoers
sudo
has a unique configuration system. You can configure the behavior of the sudo
command using the sudoers
file in the /etc
directory (Figure 1). sudoers
lists default behaviors and the privileges granted to individual users. As the top of the sudoers
file warns, it should only be edited using the visudo
command. visudo
is designed to prevent you from editing sudoers
in a way that would cripple or disable sudo
by doing all editing in a temporary file and replacing the original file only when all editing is done. Should you make an error while editing sudoers
, as you try to save, visudo
will give you the option to reopen its temporary copy of sudoers
to correct the errors (e) or discard your edits (X) – choices that you obviously should not ignore. Depending on the distribution, visudo
may or may not display these choices, but they will be available whether displayed or not.
[...]
Buy this article as PDF
(incl. VAT)