Sudo

Overview

  • sudo takes as its argument a command line to be executed, by default as root
  • sudo consults the file /etc/sudoers, which lists the users who are authorized to use sudo and the commands they are allowed to run on each host
  • if the proposed command is permitted, sudo prompts for the user's own password (not root's) and executes the command
  • sudo logs the details of the command that was executed, via syslog (e.g. /var/log/auth.log on Debian/Ubuntu)

Pros and cons of using Sudo

Pros

  • accountability is improved because every invocation is logged (/var/log/auth.log on Debian/Ubuntu, /var/log/secure on RHEL-family systems, or the journal)
  • users can do specific chores without having unlimited root privileges
  • the real root password can be known to only one or two people
  • a canonical list of all users with root privileges is maintained in one place (/etc/sudoers and the sudo/wheel group)

Cons

  • any breach of a sudoer's personal account (reused password, stolen session, malicious shell rc file) can be equivalent to breaching the root account itself
  • sudo's command logging can easily be subverted: sudo logs the command it launched, not what that command does afterwards. "sudo vi /etc/hosts" followed by ":!sh" inside vi yields an unlogged root shell, and pagers such as less, more and man offer the same "!sh" escape. sudoedit (for file edits) and the noexec tag are the usual mitigations.
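The shell-escape problem above is easier to live with if you at least notice when it happens. The following sh script is an added example (not part of these notes): it runs a small detector over a few constructed auth.log lines written in the format sudo emits via syslog, and flags invocations of programs that have a built-in shell escape, plus direct root shells. The two watch lists are assumptions to tune for your hosts.

```sh
#!/bin/sh
# Added example, not from the original notes: scan sudo's syslog lines for
# commands that undermine the command log, i.e. programs with a built-in
# shell escape (":!sh" in vi, "!sh" in less/more/man) and direct root shells.

# Constructed sample in the format sudo logs via syslog (e.g. /var/log/auth.log).
SAMPLE_LOG='Jan 10 12:00:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan 10 12:00:07 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Jan 10 12:00:09 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/syslog
Jan 10 12:00:12 web1 sudo:  charles : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/charles ; USER=root ; COMMAND=/bin/bash'

# Assumed watch lists; extend them for your hosts (escape-capable programs are many).
ESCAPE_BINS='vi vim view ed less more man'
SHELL_BINS='sh bash dash zsh'

# flag_shell_escapes: read log lines on stdin, print "user reason command"
# for each sudo invocation whose program (by basename) is on a watch list.
flag_shell_escapes() {
  awk -v escapes="$ESCAPE_BINS" -v shells="$SHELL_BINS" '
    BEGIN {
      n = split(escapes, a, " "); for (i = 1; i <= n; i++) kind[a[i]] = "shell-escape"
      n = split(shells, a, " ");  for (i = 1; i <= n; i++) kind[a[i]] = "direct-shell"
    }
    # field 5 is the syslog tag ("sudo:" or "sudo[pid]:"), field 6 the invoking user
    $5 ~ /^sudo(\[[0-9]+\])?:$/ && index($0, "COMMAND=") {
      user = $6
      cmd  = substr($0, index($0, "COMMAND=") + 8)   # everything after COMMAND=
      split(cmd, parts, " ")
      prog = parts[1]
      sub(/.*\//, "", prog)                          # basename of the program
      if (prog in kind) printf "%s %s %s\n", user, kind[prog], cmd
    }'
}

# Usage: run the detector over the constructed sample
# (on a real host: flag_shell_escapes < /var/log/auth.log)
printf '%s\n' "$SAMPLE_LOG" | flag_shell_escapes
```

The denied attempt by charles is flagged too: a user who is not in sudoers asking for /bin/bash is exactly the line you want to see. Plain apt usage is not reported.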

Configuration

/etc/sudoers syntax

%sudo   ALL=(ALL:ALL) ALL

# %sudo      -> users in the "sudo" group
# ALL        -> on any host
# (ALL:ALL)  -> can run as any user and any group (usually root)
# ALL        -> can run any command

always use the following cmd to edit /etc/sudoers

# this is required because an invalid sudoers file might prevent you from sudoing again to fix it.
sudo EDITOR=vim visudo   # or just "sudo visudo"; EDITOR only chooses the editor, and visudo honours it
                         # only when sudo's env_editor option is on (the Debian/Ubuntu default; check with "sudo -V")
# visudo does two things a plain editor does not:
#1 takes a lock so that no one else is editing the file at the same time
#2 verifies the syntax of the edited file before installing it, and refuses to install a broken one

a) manage permissions via user groups

# use a unix group instead of a user alias
# "%" marks the name as a group; sudo checks whether the requesting user is a member of it
%sudo ALL=(ALL:ALL) ALL  # Debian/Ubuntu use the "sudo" group; RHEL/Fedora/BSD use %wheel, from the slang "big wheel", a person with great power or influence

note: Ubuntu's default sudoers also carries a historical "%admin ALL=(ALL) ALL" line; comment it out if you want a single admin group

b) or manage via sudoers file and usernames

“Since it’s important that sudo be reliable and secure, it’s natural to wonder if you might be exposing your systems to additional risk if you don’t make use of sudo’s advanced features and set exactly the right values for all options. The answer is no. 90% of sudoers files look something like this”

# use an explicit alias and statically assign user names (the keyword is User_Alias, singular)
User_Alias ADMINS = alice, bob, charles
ADMINS     ALL = (ALL:ALL) ALL

“These are perfectly respectable configurations, and in many cases there’s no need to complicate it further. There are extra optional things, however; nothing more is required for general robustness.”

Precedence

- sudo always obeys the last matching line, with matching determined by the entire 4-tuple of user, host, target user, and command
- therefore NOPASSWD exceptions must come after their more general counterparts (see the example under "Whitelist commands" below)

ex: if an earlier rule requires a password but a later matching rule specifies NOPASSWD, the user will not be prompted for a password; in the opposite order the general rule matches last, shadows the NOPASSWD rule, and the password is asked for after all

check: "sudo -l -U alice" prints the rules that apply to alice, in the order sudo evaluates them

Environment variables

By default sudo resets the environment (Defaults env_reset) rather than passing your shell's variables through: the command starts with a minimal environment (TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and the SUDO_* variables) plus whatever the env_keep and env_check lists permit. Everything else is dropped.

# assume xyz.sh simply runs: echo "$LOCATION"
export LOCATION=tokyo
./xyz.sh
# prints "tokyo"
sudo ./xyz.sh # sudo strips LOCATION since it is not in env_keep (under env_reset everything not whitelisted is dropped)
# prints ""
sudo LOCATION=tokyo ./xyz.sh
# prints "tokyo" since explicitly passed in (permitted here because the rule grants ALL; a restricted rule needs the SETENV: tag)

# visudo <- add it to the whitelist
Defaults env_keep += "LOCATION"
# now try again with sudo..
export LOCATION=tokyo
sudo ./xyz.sh
# prints "tokyo" since whitelisted

caveat: keep env_keep short. Anything you whitelist reaches a process running as root, and variables that change what a program loads or runs (PYTHONPATH, PERL5LIB, BASH_ENV and the like) turn a restricted sudo rule into a root shell.

Whitelist commands

# example: allow apt without a password, everything else still requires one
# (general rule first, exception last; in the reverse order the general rule would match last and shadow the exception)
%sudo   ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL) NOPASSWD: /usr/bin/apt
# caveat: a NOPASSWD command that can spawn other programs or write arbitrary files is effectively passwordless root; keep this list to commands that cannot

Commands

sudo usermod -aG sudo alice # allow sudo for alice (-a appends; without it usermod replaces her other groups)
getent group sudo           # check who is in the sudo group (who can use sudo)

sudo passwd -l root
# this puts a "!" in front of the hash in /etc/shadow; no password hashes to a string starting with "!",
# so password login as root can never succeed
# note: this only blocks password authentication; "sudo -i" and any SSH keys in /root/.ssh still work

# edit the group rule with visudo, never with chmod +w on /etc/sudoers:
# sudo refuses to load a sudoers file whose mode is not 0440, so after "chmod +w"
# the closing "sudo chmod -w" itself fails and you are locked out (and a typo would lock you out anyway)
sudo visudo
# -- before ---------------------------------------
%sudo   ALL=(ALL:ALL) ALL
# -- after ---------------------------------------
%sudo   ALL=(ALL:ALL) NOPASSWD: ALL
# visudo syntax-checks the result and leaves the file at mode 0440, owned by root
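The Precedence, Whitelist commands and Commands sections above all come down to the same procedure: write the general rule first and the NOPASSWD exception last, syntax-check the result, and never leave /etc/sudoers writable. The following sh script is an added example (not part of these notes) that does this as a drop-in under /etc/sudoers.d instead of editing /etc/sudoers. It assumes the stock "#includedir /etc/sudoers.d" line ("@includedir" in sudo 1.9.1+) is present; the function names and the apt-nopasswd file name are mine.

```sh
#!/bin/sh
# Added example, not from the original notes: put the NOPASSWD exception in a
# sudoers drop-in with the general rule first (last match wins), syntax-check
# it with visudo, and install it read-only (0440) instead of editing
# /etc/sudoers by hand. Assumes /etc/sudoers includes /etc/sudoers.d.

# sudo_fragment WHO CMD: print the two rules in the order sudo needs them.
# WHO is a user name or a %group; CMD is the full path allowed without a password.
sudo_fragment() {
  printf '%s ALL=(ALL:ALL) ALL\n' "$1"
  printf '%s ALL=(ALL) NOPASSWD: %s\n' "$1" "$2"
}

# install_sudoers_fragment DIR NAME WHO CMD: write DIR/NAME with mode 0440.
# DIR is a parameter (normally /etc/sudoers.d) so the function can be exercised
# against a scratch directory without root.
install_sudoers_fragment() {
  dir=$1; name=$2; who=$3; cmd=$4
  # sudo silently ignores drop-ins whose name contains "." or ends in "~"
  case "$name" in
    ""|*.*|*~|*/*) echo "refusing drop-in name '$name'" >&2; return 1 ;;
  esac
  tmp=$(mktemp) || return 1
  sudo_fragment "$who" "$cmd" > "$tmp"
  # visudo ships with sudo; a missing binary here means this is a test box
  if command -v visudo >/dev/null 2>&1; then
    if ! visudo -c -q -f "$tmp"; then
      echo "syntax error in generated fragment:" >&2; cat "$tmp" >&2
      rm -f "$tmp"; return 1
    fi
  else
    echo "warning: visudo not found, fragment not syntax-checked" >&2
  fi
  mkdir -p "$dir" || { rm -f "$tmp"; return 1; }
  # install(1) creates the target with the requested mode in one step,
  # so the file is never left writable the way "chmod +w" would
  if ! install -m 0440 "$tmp" "$dir/$name"; then rm -f "$tmp"; return 1; fi
  rm -f "$tmp"
}

# Usage on a real host, as root:
#   install_sudoers_fragment /etc/sudoers.d apt-nopasswd %sudo /usr/bin/apt
# then confirm with:  sudo -l -U alice
```

Because the drop-in is parsed after /etc/sudoers, its NOPASSWD line is the last match for apt, while the general "%sudo ALL=(ALL:ALL) ALL" rule keeps everything else password-protected exactly as the Whitelist commands section describes.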