Data Management

Limiting root access with sudo, part 1

Giving users unlimited root access is dangerous. Fortunately, you can opt to implement the sudo tool, which will provide limited root access to trusted users. Read on as Jim McIntyre explains the ins and outs of sudo.

Root access is often required by more than one user on the network. This is especially true of large distributed networks, networks with complex printing requirements, networks supporting complex Web sites, and database systems. The simplest way to provide root access is to give the root password to users performing administrative duties. Another method is to use Pluggable Authentication Modules (PAM) in conjunction with the su command to provide root access to users in the wheel group. The biggest drawback to these methods is that once root access is granted, there are no restrictions on the privileges granted. Users may be given access to root through pam_wheel to administer a database, but once these users have root access, they’re able to make unrestricted changes to the system. User accounts, networking configuration, system run levels, and other areas of the operating environment are vulnerable. The second drawback to these methods is that there is minimal logging of the user's activities.

What is sudo?
Sudo (pronounced sue-dew) provides limited root access to identified groups of users and logs all execution of privileged commands through the system logger (syslogd) utility. Sudo also provides logging of unsuccessful attempts to gain root access through sudo. In this Daily Drill Down, we’ll look at the installation, configuration, and use of sudo in a variety of situations.

Why use sudo?
Here are five good reasons for using sudo to limit root access on your system:
  • Users do not require the root password in order to be assigned root access with sudo.
  • Linux provides unlimited access to the system once the password is known.
  • Sudo allows root access to be limited based on users, hostnames, or commands.
  • Sudo provides detailed logging of root activity.
  • Using sudo eliminates the need to change the root password when a user with access leaves.

Obtaining and installing sudo
Sudo is available for download. As with any security-related utility, the best policy is to use the "latest and greatest" version. At the time of writing, the latest version is sudo-1.6.3p5.tar.gz. Be sure to note the directory where you download your software.

Installing sudo
After sudo has been downloaded, the first step is to untar and uncompress the package with the command
tar -zxvf sudo-1.6.3p5.tar.gz

Sudo includes a very complete list of configuration options. To view all available options, use the command
./configure —help

Table A lists the most important options.

Table A
Option Function
—with-alertmail=user The user for sudo to send e-mail messages to. The default is root.
—mail-if-noperms The user specified in the with-alertmail options will receive a message if a user attempts to execute an unauthorized command.
—with-umask=umask Specifies the umask to be used if a command execution causes a file or directory to be created. The default is 0022.
—without-umask Sudo will use the umask associated with the user executing sudo.
—disable-root-sudo Prevents root from using sudo. This prevents the execution of commands like sudo sudo /bin/sh.
—with-passwd-tries=tries Specifies the number of times a user may attempt to provide a password to sudo. The default is 3.
—with-exempt-group Members of the specified group are not required to supply a password. This option is disabled if the —with-pam option is used.
—with-secure-path Specifies the path. If this option is used without specifying a secure path, the default is /bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc.
—with-pam Allows PAM to be used with sudo. This option requires the use of a valid /etc/pam.d/sudo file.
—with-logging=type Specifies logging to syslog, file, or both. If file is selected, all logging is /var/log/sudo.
—with-log-fac=facility Specifies the log facility. The default is local2.
—with-fqdnAllows Allows DNS Fully Qualified Domain Names, like, and short names, like techrepublic. This option will break sudo if DNS is operational on the system.
—with-tty-tickets When a user executes and is successfully authenticated, a ticket file named after the user is created in /var/run/sudo. This ticket file is used to set the time remaining before the user must re-authenticate. The use of this option allows files to be named user:tty rather than user. This allows the simultaneous use of shared accounts.
-with-AuthSRV=dir This option supports the Internet Firewall Toolkit (FWTK). When used, dir is the directory containing the FWTK program.
Sudo configuration options

Once you are sure about the options you require, configure sudo with the command
./configure ...option1...option2...option3...

When the configure script is completed, run the following two commands as root from the directory containing the sudo source code:
make install

Using sudo
Sudo uses the following procedure to allow authenticated users to execute authorized commands as root:
  • When the user executes a command using sudo, both the user identification (UID) and the group identification (GID) are set to 0. This means that when you execute commands using sudo, you actually are root.
  • Sudo uses the /etc/sudoers file to determine whether a user is authorized to use sudo and which commands the user is able to execute.
  • Once the user is authenticated, sudo will execute any command the user is authorized to execute and exit.
  • The user may then execute other commands, and as long as the command is authorized, sudo will execute those commands.
  • By default, the user is not required to re-authenticate to sudo for five minutes.
  • Each command executed by sudo is logged by the system logger, syslogd. The log entry will include all arguments and flags used with the command, as well as the date, time, username, terminal, current directory, and error messages.
  • If an unauthorized user attempts to execute sudo, an e-mail message reporting the attempted access is sent to the administrator, and the attempt is logged by the system logger, syslogd.

The /etc/sudoers file
The /etc/sudoers file provides complete control over the user of sudo. Example A shows a simple /etc/sudoers file set up for a single system. On this system, user root and user jim share the system administration duties. There are also two lp-admin users, who are responsible for administering all printing on the system.

Example A: A simple sudoers file#Aliases. In this section, we list the user aliases, the runas aliases,
the command aliases, and the privileges applicable to specific hosts
#User aliases
User_Alias    ADMIN=jim,root
User_Alias    LP-ADMIN=jack,susan
user_Alias    SYS=root,jim,bill
Runas_Alias   SYS=jim,jack,susan
#Command aliases
Cmnd_Alias    LP=/usr/sbin/lpc/usr/bin/lprm
Cmnd_Alias    DOWN=/usr/sbin/shutdown -r *
ADMIN         training=(ALL) ALL
LP_ADMIN      training=(SYS) LP,DOWN

The User aliases section is used to establish aliases for groups of users—or any single user—who will be given administrative privileges on the system. In the example above, jim and root belong to the ADMIN alias, while jack and susan belong to the LP_ADMIN alias.

The next section is the Runas alias section. This section lists the users who may be specified with the -u flag to the sudo command.

The Command aliases section specifies the alias keywords that must be used to run the commands listed in that section.

In this example, the DOWN command executes the command /sbin/shutdown -r 3, which will shut down and reboot the system three minutes after execution. The LP command is used to execute either the /usr/sbin/lpc program or the /usr/sbin/lprm command.

The Privileges section is used to specify which privileges are assigned to which users on a specific alias. In this example, the users assigned to the ADMIN alias are able to execute all commands on the host training. The users assigned to the LP_ADMIN alias are able to run only the commands /usr/sbin/lpc and /usr/sbin/lprm, which are an expansion of the LP command, and the /sbin/reboot command. Users assigned to the LP_ADMIN alias are also able to run these commands as either the user jim or the user susan. This is because both users are assigned to the Runas_Alias SYS.

Examples of sudo being used
Suppose the user susan tries to restart the printer daemon, but without using sudo. Example B shows what would happen in this situation.

Example B: Attempt to execute a command without permission[susan@training]$ /usr/sbin/lprm
/usr/sbin/lpc: connect: Permission denied

Susan is not able to restart the printer daemon because the command is owned by root. However, because susan was assigned to the LP_ADMIN user alias in the /etc/sudoers file, she may use the lprm by executing sudo. Example C shows susan using sudo to restart the printer.

Example C: Using sudo to restart a program[susan@training]$ sudo /usr/sbin/lpc restart all
We trust you have received the usual lecture from the local system
administrator. It usually boils down to these two things:
#1) Respect the privacy of others.
#2) Think before you type.

Password: <susan's password>
       daemon aborted
       daemon restarted


One important point to remember when using sudo is that the command executed through sudo must be an exact match with the command listed in /etc/sudoers. For an example of this, let's see what happens when the user jack tries to reboot the system. The sudoers file shown in Example A gives jack permission to run the /sbin/shutdown -r command. When jack tries to reboot the system using the command /sbin/shutdown now without the -r flag, he gets the following result:
[jack@training]$ sudo /sbin/shutdown now
password: <jack's password>
Sorry, user jack does not have permission to execute "/sbin/shutdown now"

At this point, jack decides to find out what privileges have been assigned to him by using the command sudo -l. The sudo -l command gives jack the following response:
[jack@training]$ sudo –l
You may run the following commands on this host:
       (root) /usr/sbin/lpc, /usr/sbin/lprm
       (root) /sbin/shutdown -r now

Now that jack knows the proper syntax for shutdown, he is able to execute the following command:
[jack@training]$ sudo shutdown -r 3
Broadcast message from root (ttyp0) Mon Sep 18 14:37:41 2000...
The system is going down for reboot in 3 minutes !!

Editing the /etc/sudoers file with visudo
The visudo command is used to edit the /etc/sudoers file with the vi text editor. Normally, only root may run visudo. Any user with the correct privileges may execute the command
sudo visudo

When the /etc/sudoers file has been edited and the file has been saved, visudo will perform a syntax check on the file. If there are syntax errors, the user will be presented with three options:
  • Re-edit the file.
  • Quit and don't save the changes.
  • Quit and save the changes.
If the /etc/sudoers file is saved with syntax errors, sudo will not run. If errors exist, save the file without the changes or re-edit it.
The /etc/sudoers file consists of two important sections, the Alias section and the Privilege section. The Alias section makes it more convenient to administer sudo by assigning aliases to groups of users. Table B lists the alias types available with sudo and their functions. All lists in /etc/sudoers are comma-separated.

Table B
Alias Function
User_Alias Specifies a list of users, groups, and/or netgroups.
Cmnd_Alias Specifies a list of qualified commands or directories. Flags and arguments may also be specified. When a command is enclosed in quotes, no arguments are allowed. When a directory is specified, all commands in that directory are included.
Runas_Alias Specifies a list of users, groups, and/or netgroups. This alias specifies the User Identifications (UIDs) that will be accepted by sudo -l. Sudo will assume the real and effective UID of the specified user.
Host_Alias Specifies a list of hostnames, IP addresses, networks/netmasks, and/or netgroups. The Host_Alias may be used to configure the /etc/sudoers file for all systems on the network. /etc/sudoers may also be shared to multiple systems through NFS.
Alias types used with sudo

The Privilege section is where users are actually assigned permissions. The ability of the administrator to assign privileges to users in this section gives sudo a lot of its flexibility. The syntax used in the Privilege section is listed in Table C.

Table C
Syntax Function
ALL Reserved keyword that expands to all of the given types
: Separator following a cmnd_type variable and preceding a host_type variable with no white space between the entries.
! Logical NOT operator. Used only with the cmnd_type variable.
NOPASSWD The command following this variable does not require a keyword.
cmnd_type A command or CMND_ALIAS
(runas_type) A user, group, netgroup, or Runas_Alias. The parentheses must be used with this variable.
host_type A host, IP address, +netgroup, network/netmask, or Host_Alias. The equal sign (=) must follow this variable with no white space.
access_group A user, %group, +netgroup, or User_Alias
Syntax used in the /etc/sudoers Privilege section

The /etc/sudoers file is also capable of using metacharacters. The metacharacters available to sudo are listed in Table D.

Table D
Metacharacter Function
* Matches any character or no character.
? Matches only one character.
[range, range...] Matches any character in the specified range.
[!range, !range...] Matches any character not in the specified range.
\ Escape character: Function is the same as in the shell.
"" Null string: Used to prevent a command from accepting flags or arguments.
# Comment: Sudo will ignore all characters on the same line as this character.
% Specifies a Linux group.
+ Specifies a netgroup.
Metacharacters available to sudo

The sudo command
The most important fact to remember about running sudo is that the sudo command is completely controlled by the /etc/sudoers/ file. The arguments for the sudo command are listed in Table E.

Table E
Argument Function
-b Runs the command in the background. This option disables control over the shell job.
-H Sets the $HOME environment to root.
-l Lists the commands authorized for the user executing sudo.
-p prompt Sets the sudo password to prompt. Prompt is normally a quoted text string.
-r realm Specifies the Kerberos version 5 realm. Sudo must be configured using the —with-kerb5 option to use this argument.
-u username|#UID Specifies the username or UID of the user, other than root, running the specified command. When UID is used, it must be preceded by #.
Command-name The command sudo is to execute. Not required when using the -H, -s, or -V arguments.
Arguments for the sudo command

The sudo utility is a valuable tool for system administrators. Sudo gives administrators the ability to provide specific users with root access to specific commands. This allows administrative functions to be assigned to network users requiring root access while minimizing their access to the root user account. In this Daily Drill Down, I discussed the procedures for installing sudo and the commands and options available to configure sudo for a particular system. I also covered how the /etc/sudoer file gives the sudo utility its functionality and presented a simple example of how this file might be configured for a single-server network. In the next Daily Drill Down of this series, I’ll look at ways of configuring sudo for a more complex network, using sudo with the system logger daemon, syslogd, and methods for avoiding security vulnerabilities with sudo.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.

Editor's Picks