Every Linux system administrator needs a few Linux tricks at hand. In this article, you will learn useful sudoers configurations for tuning how ‘sudo’ behaves in Linux.
In Linux and other Unix-like operating systems, only the root user can run every command and perform critical operations on the system, such as installing, updating and removing packages, creating users and groups, and modifying important system configuration files.
A system administrator acting as root can, with the sudo command and a few lines of configuration, permit normal system users to run selected commands and carry out some of these vital operations, including the ones mentioned above.
The alternative is to share the root password and let users switch to the root account with su, but that is not recommended: it hands them unrestricted access, and every action is then logged as root rather than as the person who ran it.
Useful Sudoers configurations for setting ‘sudo’ in Linux
Join us to finish this guide’s steps and learn about Sudoers configurations.
sudo allows a permitted user to execute a command as root (or as another user) according to the security policy, which by default is the sudoers policy. A sudo invocation proceeds as follows:
- It reads and parses /etc/sudoers (and the files included from it), and looks up the invoking user and the permissions granted to them,
- then prompts the invoking user for a password (normally the user’s own password, though the policy can require the target user’s password instead, or skip the prompt altogether with the NOPASSWD tag),
- after that, sudo creates a child process in which it calls setuid() and related calls to switch to the target user,
- and finally it executes the command given as arguments (or a shell) in that child process.
Now, let’s see nine /etc/sudoers settings that modify the behavior of the sudo command using Defaults entries. A sudoers file that uses all of them looks like this:
sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults logfile="/var/log/sudo.log"
Defaults lecture="always"
Defaults badpass_message="Password is wrong, please try again"
Defaults passwd_tries=5
Defaults insults
Defaults log_input,log_output
Types of defaults entries
- Defaults parameter, parameter_list : affects all users on any host
- Defaults@Host_List parameter, parameter_list : affects all users on a specific host
- Defaults:User_List parameter, parameter_list : affects a specific user
- Defaults!Cmnd_List parameter, parameter_list : affects a specific command
- Defaults>Runas_List parameter, parameter_list : affects commands being run as a specific user
In this guide, we will focus on the first type of Defaults, written in one of the forms below. Parameters may be flags, integer values, strings, or lists.
Please note: flags are implicitly boolean and can be turned off with the ‘!’ operator, and lists have two additional assignment operators, += (add to the list) and -= (remove from the list).
Defaults parameter
Defaults parameter=value
Defaults parameter -= value
Defaults parameter += value
Defaults !parameter
1- Set a Secure PATH
This is the PATH used for every command run with sudo, and it matters for two reasons:
- it protects you when you do not trust sudo users to have a safe PATH environment variable (a user-controlled PATH could otherwise make sudo run a trojaned binary from the user’s own directory),
- it separates the “root path” from the “user path”; only members of the group named by exempt_group are not affected by this setting.
To set it:
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
2- Enable sudo on TTY user login session
If sudo should only be invoked from a real tty, and never from non-interactive contexts such as cron jobs or cgi-bin scripts, use the following setting. Note that it also blocks remote invocations that have no tty, such as ssh host sudo command run without ssh -t, so check your automation before turning it on:
Defaults requiretty
3- Run Sudo command using a pty
A malicious program run via sudo can fork a background process that keeps hold of the user’s terminal device even after the main program has finished executing, and can then read or inject keystrokes on that terminal.
You can prevent this by configuring sudo to run commands only from a pseudo-pty, with the use_pty parameter, whether or not I/O logging is turned on.
Defaults use_pty
4- Create a Sudo log file
sudo logs through syslog(3) by default. To write its entries to a custom log file as well, use the logfile parameter as below (syslog logging continues unless it is switched off with Defaults !syslog).
Defaults logfile="/var/log/sudo.log"
You can add the log_host and log_year parameters to record the hostname and the four-digit year, respectively, in each entry of the custom log file.
Defaults log_host, log_year, logfile="/var/log/sudo.log"
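The custom log file above is only useful if somebody reads it. The following is an added example, not code from the original article: a small POSIX shell/awk triage of a sudo file log, counting failed or denied attempts per user and listing what a given user actually ran. The sample entries are constructed by hand in the format sudo writes to a file log ("date : user : [reason ;] HOST= ; TTY= ; PWD= ; USER= ; COMMAND="), with log_host and log_year on, and one long entry wrapped onto an indented continuation line, which is what sudo does by default for file logs (loglinelen). The hostnames, users and commands in the sample are invented.

```shell
#!/bin/sh
# Added example (not from the original article): triage a sudo "logfile".
# Assumptions: sample entries below are constructed; they follow the file-log
# format "date : user : [reason ;] HOST= ; TTY= ; PWD= ; USER= ; COMMAND=" with
# log_host and log_year set, and entry 4 is wrapped the way sudo wraps long
# file-log lines (continuation indented by spaces).

# Write a small constructed log so the functions can be tried offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 15 10:32:11 2024 : alice : HOST=web01 ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan 15 10:33:02 2024 : bob : 3 incorrect password attempts ; HOST=web01 ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 15 10:34:19 2024 : bob : command not allowed ; HOST=web01 ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
Jan 15 10:35:47 2024 : alice : HOST=web01 ; TTY=pts/0 ; PWD=/home/alice ; USER=root ;
    COMMAND=/usr/bin/systemctl restart nginx
Jan 15 10:36:10 2024 : mallory : user NOT in sudoers ; HOST=web01 ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
EOF
}

# Re-join entries that sudo wrapped onto continuation lines (they start with whitespace).
sudo_log_join() {
    awk '
        /^[ \t]/ { sub(/^[ \t]+/, ""); buf = buf " " $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1"
}

# Failed or denied attempts per invoking user, printed as "user count" sorted by
# user. These are the entries worth alerting on: password guessing and probing
# for commands the user is not allowed to run.
sudo_log_failures() {
    sudo_log_join "$1" | awk -F' : ' '
        /incorrect password attempt|NOT in sudoers|command not allowed|NOT authorized/ { n[$2]++ }
        END { for (u in n) print u, n[u] }
    ' | sort
}

# Commands a given user actually ran through sudo (non-failure entries), one per line.
sudo_log_commands() {
    sudo_log_join "$1" | awk -F' : ' -v user="$2" '
        $2 == user && !/incorrect password attempt|NOT in sudoers|command not allowed|NOT authorized/ {
            if (match($0, /COMMAND=/)) print substr($0, RSTART + 8)
        }
    '
}

# Demo on the constructed sample. In real use point the functions at the
# file named in "Defaults logfile", e.g. sudo_log_failures /var/log/sudo.log
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "== failed/denied attempts per user =="; sudo_log_failures "$tmp"
    echo "== commands run by alice =="; sudo_log_commands "$tmp" alice
    rm -f "$tmp"
fi
```

Run it with the argument demo to see it on the sample; on a real host, source the file and call sudo_log_failures /var/log/sudo.log. The join step matters: without it, the COMMAND= of a wrapped entry sits on its own line and any grep for a user or command silently misses it.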
5- Log Sudo command Input/Output
The log_input and log_output parameters make sudo run the command in a pseudo-tty and log all user input and all output sent to the screen, respectively.
By default, I/O logs are stored under /var/log/sudo-io, in a per-session subdirectory named after the session sequence number. You can specify a different directory with the iolog_dir parameter.
Defaults log_input, log_output
Several escape sequences are supported, such as %{seq}, which expands to a monotonically increasing base-36 sequence number like 000001; every two digits form a directory level, so session 000001 lives in 00/00/01, as in the example below. The log file in that directory records who ran what, where and when, while the captured input and output sit beside it; the sudoreplay command (sudoreplay -l to list sessions, sudoreplay 000001 to replay one) plays a session back in real time.
cd /var/log/sudo-io/
ls
cd 00/00/01
ls
cat log
6- Lecture Sudo users
You can use the lecture parameter, as below, to lecture sudo users about password usage on the system.
Let’s review the 3 possible values:
- always – always lecture the user.
- once – only lecture the user the first time they run the sudo command.
- never – never lecture the user.
Defaults lecture="always"
7- Show custom message when you enter wrong Sudo password
Users see a fixed message on the command line whenever they enter a wrong password. The default message is “Sorry, try again.” and you can change it with the badpass_message parameter as follows.
Defaults badpass_message="Password is wrong, please try again"
8- Increase sudo password tries limit
To specify the number of times a user can try to enter a password, you can use the passwd_tries parameter.
Defaults passwd_tries=5
Similarly, passwd_timeout sets how many minutes sudo waits at the password prompt before giving up (the default is 5; 0 disables the timeout):
Defaults passwd_timeout=2
9- Let Sudo insult you when you enter wrong password
With the insults parameter, sudo displays an insult on the terminal whenever a user types a wrong password. Insults take precedence over badpass_message, so setting both leaves the custom message unused. Note that insults only work if your distribution built sudo with insult support.
Defaults insults
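To see the Defaults forms from the start of the guide and the options from sections 1 to 9 working together, here is an added example that is not part of the original article: a script that assembles them into a single /etc/sudoers.d drop-in, checks the file with visudo -c -f, and installs it only if it parses. The drop-in name 99-hardening, the Cmnd_Alias SERVICES and the group ops are hypothetical, and it assumes /etc/sudoers pulls in /etc/sudoers.d through its includedir line, as the distribution default file above does.

```shell
#!/bin/sh
# Added example, not from the original article: build a sudoers.d drop-in from
# the Defaults forms and options discussed above, validate it, then install it.
# Assumptions: "99-hardening", the SERVICES alias and the "ops" group are
# hypothetical; /etc/sudoers includes /etc/sudoers.d (the distribution default).

# sudoers ignores files in sudoers.d whose name contains a '.' or ends in '~',
# so a drop-in called hardening.conf would never be read. Return 0 if usable.
dropin_name_ok() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the drop-in. Each line uses one of the Defaults forms shown earlier.
render_dropin() {
    cat <<'EOF'
# Flags: set them, or turn them off with '!'
Defaults use_pty
Defaults requiretty
Defaults !insults
Defaults lecture="once"
# String and integer values
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults passwd_tries=3
Defaults passwd_timeout=2
Defaults logfile="/var/log/sudo.log"
Defaults log_host, log_year
Defaults log_input, log_output
# Lists: add to / remove from (removing an absent entry is harmless)
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep -= "LD_PRELOAD"
# Scoped Defaults: only for a user list or a command list.
# An alias must be defined before it is referenced.
Cmnd_Alias SERVICES = /usr/bin/systemctl restart nginx, /usr/bin/systemctl restart postgresql
Defaults:%ops badpass_message="Wrong password for ops access, try again"
Defaults!SERVICES !requiretty
%ops ALL=(root) SERVICES
EOF
}

# Validate before anything lands in /etc/sudoers.d: a syntax error in an
# installed file makes sudo refuse to run for every user on the host.
install_dropin() {
    name=$1
    dropin_name_ok "$name" || { echo "unusable drop-in name: $name" >&2; return 1; }
    tmp=$(mktemp) || return 1
    render_dropin > "$tmp"
    if visudo -c -f "$tmp"; then
        # sudo requires its policy files to be mode 0440 and owned by root
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
        rc=$?
    else
        echo "refusing to install: $tmp failed visudo -c" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run as root with the argument "install"; then verify with: sudo -l -U <user>
if [ "${1:-}" = "install" ]; then
    install_dropin 99-hardening
fi
```

Keep a second root shell open while you test a change like this: with requiretty and a custom secure_path in place, the first thing to confirm is that sudo -l -U for a member of ops still lists SERVICES, and that a non-tty invocation of one of those commands is the only thing requiretty no longer blocks.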
Good job! At this point you have finished the tutorial and learned some new useful tips. If you want to read more, follow the Linux tricks section.