Performing administration tasks using sudo

How to perform tasks requiring root privileges without logging in as root.

What is sudo?

The sudo command allows users to gain administrative or root access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.

Only users listed in the /etc/sudoers configuration file are allowed to use the sudo command. The command is executed in the user’s shell, not a root shell.

The syntax for the sudo command is as follows:

sudo COMMAND

Replace COMMAND with the command to run as the root user.

How to use sudo

Using sudo to assign administrator privileges

Add users to the /etc/sudoers configuration file to allow them to use the sudo command. For these users, the sudo command is run in the user’s shell instead of in a root shell. As a result, the root shell can be disabled for increased security.

The administrator can also allow different users access to specific commands using the sudo configuration. Administrators must use the visudo command to edit the /etc/sudoers configuration file.

To assign full administrative privileges to a user, type visudo and add the following line to the user privilege section after replacing USERNAME with the target user name:

USERNAME ALL=(ALL) ALL

This line allows the specified user to use sudo from any host and execute any command.

To allow a user access to specific commands, use the following example after replacing USERS with a target system group:

%USERS localhost=/usr/sbin/shutdown -h now

This command allows all members of the USERS system group to issue the /sbin/shutdown -h as long as the command is issued from the console.

The man page for sudoers has a detailed listing of options for this file.

Using the same password for root as the user account

If you use a single user desktop, you might find it convenient to configure sudo, so you can use the same password to access root as you use for your regular account. To do this, select to be added to the Administration group during installation. To do it at later stage, or to add a different user, use the following procedure:

  1. Become the root user:

    $ su -

  2. Enter the password for the root account when prompted.

  3. To use your regular password for the root access, run:

    # usermod USERNAME -a -G groupname

    Replace USERNAME with your account name

  4. Log off and back on in order to have access to the group.

When sudo prompts you for a password, it expects your user password, not the root password.

Logging sudo commands

Each successful authentication using the sudo command is logged to the /var/log/messages file. For each authentication, the /var/log/secure file lists the user name and the command that was executed.

For additional logging, use the pam_tty_audit module to enable TTY auditing for specific users. TTY auditing prints the file name of the terminal connected to the standard I/O. To enable TTY auditing, add the following line to your /etc/pam.d/system-auth file:

session required pam_tty_audit.so disable=pattern enable=PATTERN

Replace PATTERN with a comma-separated list of users (and globs, if needed).

For example, the following command enables TTY auditing for the root user and disables it for all other users:

session required pam_tty_audit.so disable=* enable=root

Using the pam_tty_audit PAM module for auditing only records TTY input. As a result, when the audited user logs in, pam_tty_audit records the user’s exact keystrokes and saves them in /var/log/audit/audit.log. For more information, see the pam_tty_audit(8) manual page.

Warnings and caveats

You must use the user account you created following the installation process, at first boot, for daily use and the root account only for system administration. Avoid using root for any non-administration usage, since the account makes it easy to create security or data risks.

There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the /etc/sudoers configuration file using visudo command.

sudo timeout

De manera predeterminada, sudo almacena la contraseña por un período de cinco minutos. Cualquier uso subsiguiente del comando durante este período no le pedirá contraseña. Esto podría ser explotado por un atacante si usted deja la estación de trabajo desatendida y desbloqueada mientras está accediendo. Usted puede cambiar este comportamiento añadiendo la siguiente línea al archivo de configuración /etc/sudoers:

Defaults    timestamp_timeout=VALUE

Aquí, VALUE es la longitud deseada de tiempo de salida en minutos. Si fija este valor a 0 provoca que sudo requiera la contraseña cada vez.

Si una cuenta está comprometida un atacante puede usar el comando sudo para abrir un nuevo terminal con privilegios administrativos.

Abrir un nuevo terminal como usuario root permite a un atacante acceso administrativo por un período de tiempo teóricamente ilimitado y saltar el período de tiempo especificado en el archivo /etc/sudoers. Usando este método, el atacante no necesita suministrar una contraseña para sudo otra vez hasta que la sesión termine.

Using sudo to access Docker

Docker has the ability to change the group ownership of the Docker socket to allow users added to the Docker group to be able to run Docker containers without having to execute the sudo or su command to become root.

Enabling access to the Docker daemon from non-root users is a problem from a security perspective. It is a security issue for Fedora, because if a user can talk to the Docker socket they can execute a command which gives them full root access to the host system. Docker has no auditing or logging built in, while sudo does.

It is recommended that sudo rules are implemented to permit access to the Docker daemon. This allows sudo to provide logging and audit functionality.

Run Docker using sudo

  1. Set up sudo as shown in Using sudo to assign administrator privileges.

  2. Create an alias for running the docker command by adding the following line to your ~/.bashrc file:

    alias docker="sudo /usr/bin/docker"

    When the user executes the docker command as non-root, sudo will be used to manage access and provide logging.

Using sudo without a password

You can enable root access without a password specified, allowing any process on your system to become root. Add the following line to your /etc/sudoers file:

user        ALL=(ALL)       NOPASSWD: /usr/bin/docker

This will allow user to access docker without a password.

For security reasons, it is recommended that you always use sudo with a password.