Performing administration tasks using sudo

Add users to the /etc/sudoers configuration file to allow them to use the sudo command. For these users, the sudo command is run in the user’s shell instead of in a root shell. As a result, the root shell can be disabled for increased security.

The administrator can also allow different users access to specific commands using the sudo configuration. Administrators must use the visudo command to edit the /etc/sudoers configuration file.

To assign full administrative privileges to a user, type visudo and add the following line to the user privilege section after replacing USERNAME with the target user name:

This line allows the specified user to use sudo from any host and execute any command.

To allow a user access to specific commands, use the following example after replacing USERS with a target system group:

This command allows all members of the USERS system group to issue the /sbin/shutdown -h as long as the command is issued from the console.

The man page for sudoers has a detailed listing of options for this file.

If you use a single user desktop, you might find it convenient to configure sudo, so you can use the same password to access root as you use for your regular account. To do this, select to be added to the Administration group during installation. To do it at later stage, or to add a different user, use the following procedure:

Each successful authentication using the sudo command is logged to the /var/log/messages file. For each authentication, the /var/log/secure file lists the user name and the command that was executed.

For additional logging, use the pam_tty_audit module to enable TTY auditing for specific users. TTY auditing prints the file name of the terminal connected to the standard I/O. To enable TTY auditing, add the following line to your /etc/pam.d/system-auth file:

Replace PATTERN with a comma-separated list of users (and globs, if needed).

For example, the following command enables TTY auditing for the root user and disables it for all other users:

Using the pam_tty_audit PAM module for auditing only records TTY input. As a result, when the audited user logs in, pam_tty_audit records the user’s exact keystrokes and saves them in /var/log/audit/audit.log. For more information, see the pam_tty_audit(8) manual page.

By default, sudo stores the password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt you for a password. This could be exploited by an attacker if you leave your workstation unattended and unlocked while still being logged in. You can change this behavior by adding the following line to the /etc/sudoers configuration file:

Here, VALUE is the desired timeout length in minutes. Setting the value to 0 causes sudo to require a password every time.

If an account is compromised, an attacker can use sudo to open a new shell with administrative privileges.

Opening a new shell as a root user in this way allows an attacker administrative access for a theoretically unlimited period of time and bypasses the timeout period specified in the /etc/sudoers file. Using this method, the attacker does not need to provide a password for sudo again until the session ends.

Docker has the ability to change the group ownership of the Docker socket to allow users added to the Docker group to be able to run Docker containers without having to execute the sudo or su command to become root.

Enabling access to the Docker daemon from non-root users is a problem from a security perspective. It is a security issue for Fedora, because if a user can talk to the Docker socket they can execute a command which gives them full root access to the host system. Docker has no auditing or logging built in, while sudo does.

It is recommended that sudo rules are implemented to permit access to the Docker daemon. This allows sudo to provide logging and audit functionality.

You can enable root access without a password specified, allowing any process on your system to become root. Add the following line to your /etc/sudoers file:

This will allow user to access docker without a password.