Advance

Useful Sudoers configurations for setting ‘sudo’ in Linux

Useful Sudoers configurations for setting ‘sudo’ in Linux

A Linux system administrator needs to know some Linux tricks. In this article, you will learn Useful Sudoers configurations for setting ‘sudo’ in Linux.

Only the root user can run all commands and perform certain critical operations on the system such as install and update, remove packages, create users and groups, modify important system configuration files, and so on in Linux and other Unix-like operating systems.

A system administrator who has the role of the root user can permit other normal system users with the help of sudo command and a few configurations to run some commands as well as carry out a number of vital system operations including the ones mentioned above.

Also, the system administrator can share the root user password. But it is not recommended to give normal system users access to the root user account via su command.

Recommended Article: How To Install The Django on Ubuntu 18.04 LTS

Useful Sudoers configurations for setting ‘sudo’ in Linux

Join us to finish this guide’s steps and learn about Sudoers configurations.

sudo allows a permitted user to execute a command as root. You can review the security policy in the following.

  1. It reads and parses /etc/sudoers, looks up the invoking user and its permissions,
  2. then prompts the invoking user for a password (normally the user’s password, but it can as well be the target user’s password. Or it can be skipped with NOPASSWD tag),
  3. after that, sudo creates a child process in which it calls setuid() to switch to the target user
  4. next, it executes a shell or the command given as arguments in the child process above.

 

Now, let’s see ten /etc/sudoers file configurations to modify the behavior of sudo command using Defaults entries.

sudo cat /etc/sudoers  
/etc/sudoers File
This file MUST be edited with the 'visudo' command as root.    Please consider adding local content in /etc/sudoers.d/ instead of  directly modifying this file.    See the man page for details on how to write a sudoers file.    Defaults	env_reset  Defaults	mail_badpass  Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"  Defaults	logfile="/var/log/sudo.log"  Defaults	lecture="always"  Defaults	badpass_message="Password is wrong, please try again"  Defaults	passwd_tries=5  Defaults	insults  Defaults	log_input,log_output

 

Types of defaults entries

Defaults                parameter,   parameter_list     affect all users on any host  Defaults@Host_List      parameter,   parameter_list     affects all users on a specific host  Defaults:User_List      parameter,   parameter_list     affects a specific user  Defaults!Cmnd_List      parameter,   parameter_list     affects  a specific command   Defaults>Runas_List     parameter,   parameter_list     affects commands being run as a specific user

 

In this guide, we will zero down to the first type of Defaults in the forms below. Parameters may be flags, integer values, strings, or lists.

Please note: That flags are implicitly boolean which can be turned off using the ‘!’ operator, and lists have two additional assignment operators, += (add to list) and -= (remove from the list)

Defaults     parameter  OR  Defaults     parameter=value  OR  Defaults     parameter -=value     Defaults     parameter +=value    OR  Defaults     !parameter       

1- Set a Secure PATH

For each command run with sudo, you can use this path and it has two importances:

  1. Used when a system administrator does not trust sudo users to have a secure PATH environment variable
  2. To separate “root path” and “user path”, only users defined by exempt_groupare not affected by this setting.

To set it:

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"  

 

2- Enable sudo on TTY user login session

In case you need to enable sudo to be invoked from a real tty but not through methods such as cron or cgi-bin scripts, use the following command:

Defaults  requiretty   

3- Run Sudo command using a pty

Attackers can run a malicious program using sudo, a few times. If it happens, again fork a background process that remains on the user’s terminal device even when the main program has finished executing.

But you can prevent it, by configuring sudo and run other commands only from a psuedo-pty using the use_pty parameter, whether I/O logging is turned on or not.

Defaults  use_pty  

 

4- Create a Sudo log file

sudo logs through syslog(3) by default. However, to specify a custom log file, use the logfile parameter as below.

Defaults  logfile="/var/log/sudo.log"  

You can use log_host and log_year parameters respectively to log hostname and the four-digit year in the custom log file.

Defaults  log_host, log_year, logfile="/var/log/sudo.log"  

 

5- Log Sudo command Input/Output

You can enable The log_input and log_output parameters to enable sudo to run a command in pseudo-tty and log all user input and all output sent to the screen deceptively. by using The log_input and log_output parameters

As the default, I/O log directory is /var/log/sudo-io, it is stored in this directory if there is a session sequence number. You can specify a custom directory through the iolog_dir parameter.

Defaults   log_input, log_output  

There are some escape sequences are supported such as %{seq} which expands to a monotonically increasing base-36 sequence number, such as 000001, where every two digits are used to form a new directory, e.g. 00/00/01 as in the example below:

cd /var/log/sudo-io/  ls  cd  00/00/01  ls  cat log

 

Buy VPS Server

Recommended Article: Set Timezone on CentOS 6 Linux

6- Lecture Sudo users

You can use the lecture parameter as below, to lecture sudo users about password usage on the system.

Let’s review 3 possible values:

  1. always – always lecture a user.
  2. once – only lecture a user the first time they execute sudo command.
  3. never-never lecture the user.
Defaults  lecture="always"  

 

7- Show custom message when you enter wrong Sudo password

The users would face a certain message displayed on the command line, any time they enter a wrong password. The default message is “sorry, try again” and by using the following command, you can modify the message using the badpass_message parameter.

Defaults  badpass_message="Password is wrong, please try again"  

 

8- Increase sudo password tries limit

To specify the number of times a user can try to enter a password, you can use the passwd_tries parameter.

Defaults   passwd_tries=5   

 

Also, you can use the command below, to set a password timeout (default is 5 minutes)

Defaults   passwd_timeout=2  

 

9- Let Sudo insult you when you enter wrong password

Sudo will display insults on the terminal with the insults parameter if a user types a wrong password. And this will automatically turn off the badpass_message parameter.

Defaults  insults   

 

Good job! at this point, you finished the tutorial and learned some new useful tips. In order, you need to read more, follow the Linux tricks

 

Dear user, we hope you would enjoy this tutorial, you can ask questions about this training in the comments section, or to solve other problems in the field of Eldernode training, refer to the Ask page section and raise your problems in it.

View More Posts
Tom Veitch
Eldernode Writer
We Are Waiting for your valuable comments and you can be sure that it will be answered in the shortest possible time.

Leave a Reply

Your email address will not be published. Required fields are marked *

We are by your side every step of the way

Think about developing your online business; We will protect it compassionately

We are by your side every step of the way

+8595670151

7 days a week, 24 hours a day