10 Useful Sudoers Settings to Configure ‘sudo’ on Linux

10 Useful Sudoers Settings to Configure ‘sudo’ on Linux

On Linux and other Unix-like operating systems, only the user root it can run all the commands and perform certain critical operations on the system like installing and updating, removing packages, creating users and groups, modifying important system configuration files, etc.

However, a system administrator assuming the root user role can allow other normal system users with the help of the sudo command and some configurations to execute some commands, as well as perform a number of vital system operations, including those mentioned above.

Alternatively, the system administrator can share the root user’s password (which is not a recommended method) so that normal system users have access to the root account via the command are.

sudo allows an authorized user to run a command as root (or another user), as specified by the security policy:

  1. read and analyze /etc/sudoerslook for the invoking user and their permissions,
  2. then prompts the invoking user for a password (usually the user’s password, but can also be the target user’s password. Or can be omitted with the NOPASSWD tag),
  3. after that, sudo creates a child process in which it calls a setuid() to change the target user
  4. it then runs a shell or the command supplied as an argument in the previous child process.

Below are ten file configurations /etc/sudoers to modify the behavior of the command sudo through the inputs default.

$ sudo cat /etc/sudoers

/etc/sudoers file

# Este archivo DEBE ser editado con el comando 'visudo' como root.
# Considere agregar contenido local en /etc/sudoers.d/ en lugar de
# modificar directamente este archivo.
# Consulte la página del manual para obtener detalles sobre cómo escribir un archivo sudoers.
Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" Defaults logfile="/var/log/sudo.log" Defaults lecture="always" Defaults badpass_message="Password is wrong, please try again" Defaults passwd_tries=5 Defaults insults Defaults log_input,log_output

Default Post Types

Defaults                parameter,   parameter_list     # Afecta a todos los usuarios en cualquier host
[email protected]_List parameter, parameter_list # Afecta a todos los usuarios en un host específico
Defaults:User_List parameter, parameter_list # Afecta a un usuario específico
Defaults!Cmnd_List parameter, parameter_list # Afecta a un comando específico
Defaults>Runas_List parameter, parameter_list # Afecta a los comandos que se ejecutan como un usuario específico

For the scope of this guide, we will concentrate on the first type of Defaults (predetermined values) in the forms below. Parameters can be flags, integer values, strings, or lists.

You should be aware that the flags are implicitly boolean and can be turned off with the operator,'!' and lists have two additional assignment operators +=(add to list) and -=(Remove from the list).

Defaults     parameter
Defaults     parameter=value
Defaults     parameter -=value   
Defaults     parameter +=value  
Defaults     !parameter    

1. Establish a secure PATH

This is the path used for each command that is executed with sudo, it has two importances:

  1. Used when a system administrator does not trust sudo users to have a secure PATH environment variable
  2. To separate the “root path” and the “user path”, just the users defined by exempt_group are not affected by this setting.

To configure it, add the line:

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

2. Enable sudo on the TTY user login session

To enable sudo invocation from a tty real, but not via methods like scripts cron o cgi-binadd the line:

Defaults  requiretty   

3. Run the sudo command using a pty

Sometimes attackers can run a malicious program (such as a virus or malware) using sudo, which would again fork a background process that remains on the user’s end device even after the main program has finished running.

To avoid such a scenario, you can configure sudo to run other commands only from a psuedo-pty using the parameter,use_pty whether I/O logging is enabled or not, as follows:

Defaults  use_pty

4. Create a sudo log file

By default, sudo logs through syslog(3). However, to specify a custom log file, use the log file parameter as follows:

Defaults  logfile="/var/log/sudo.log"

To record the hostname and four-digit year in the custom log file, use the parameters log_host y log_year respectively as follows:

Defaults  log_host, log_year, logfile="/var/log/sudo.lo

5. Sudo command input/output logging

parameters log_input y log_output they allow sudo to run a command in pseudo-tty and log all user input and output sent to the screen in a responsive manner.

The default I/O log directory is /var/log/sudo-io and, if there is a session sequence number, it is stored in this directory. You can specify a custom directory via the parameter iolog_dir.

Defaults   log_input, log_output

Some escape sequences are supported, such as %{seq}which expands to a monotonically increasing base 36 sequence number, such as 000001, where every two digits are used to form a new directory, for example, 00/00/01 as in the following example:

$ cd /var/log/sudo-io/
$ ls
$ cd  00/00/01
$ ls
$ cat log

Log sudo Input / Output

You can see the rest of the files in that directory using the cat command.

6. Lecture sudo users

To teach sudo users about using passwords on the system, use the parameter reading as shown below.

It has 3 possible values:

  1. always (always): always lecture a user.
  2. once (once): Only lecture a user the first time they run the sudo command (this is used when no value is specified)
  3. never (never), never lecture the user.
Defaults  lecture="always"

Additionally, you can configure a custom conference file with the parameter conference_filewrite the appropriate message to the file:

Valores predeterminados
Defaults  lecture_file="/ruta/al/archivo"

Conferencing sudo users

7. Show a custom message when you enter an incorrect sudo password

When a user enters an incorrect password, a certain message is displayed on the command line. The default message is ” sorry, try again “, you can modify the message using the parameter badpass_message as follows:

Defaults  badpass_message="Password is wrong, please try again"

8. Increase sudo password attempt limit

parameter passwd_tries is used to specify the number of times a user can attempt to enter a password.

The default is 3:

Defaults   passwd_tries=5 

Increase sudo password attempts

To set a password timeout (default is 5 minutes) using the parameter passwd_timeoutadd the following line:

Defaults   passwd_timeout=2

9. Let sudo insult you when you enter the wrong password

In case a user types a wrong password, sudo will output slurs to the terminal with the slurs parameter. This will automatically disable the parameter badpass_message.

Defaults  insults 

Let’s configure sudo to insult you when you enter a wrong password

10. More information about sudo configurations

Also, you can learn more command settings sudo reading: Difference between su and sudo and How to configure sudo in Linux.

That’s all! You can share other useful sudo command setup or tips and tricks with Linux users via the comments section below.

Pin It


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Recent News

Editor's Pick