Performing administration tasks using sudo
How to perform tasks requiring root privileges without logging in as root.
¿Qué es sudo?
El comando sudo
permiten a los usuarios obtener acceso administrativo o de root. Cuando los usuarios de confianza preceden un comando administrativo con sudo
, se les pide su propia contraseña. Después, cuando han sido identificados y se asume que se les permite el comando, el comando administrativo se ejecuta como si fueran el usuario root.
Only users listed in the /etc/sudoers
configuration file are allowed to use the sudo
command. The command is executed in the user’s shell, not a root shell.
The syntax for the sudo command is as follows:
sudo COMMAND
Replace COMMAND
with the command to run as the root user.
How to use sudo
Using sudo to assign administrator privileges
Add users to the /etc/sudoers
configuration file to allow them to use the sudo
command. For these users, the sudo
command is run in the user’s shell instead of in a root shell. As a result, the root shell can be disabled for increased security.
The administrator can also allow different users access to specific commands using the sudo configuration. Administrators must use the visudo
command to edit the /etc/sudoers
configuration file.
To assign full administrative privileges to a user, type visudo
and add the following line to the user privilege section after replacing USERNAME
with the target user name:
USERNAME ALL=(ALL) ALL
This line allows the specified user to use sudo
from any host and execute any command.
To allow a user access to specific commands, use the following example after replacing USERS
with a target system group:
%USERS localhost=/usr/sbin/shutdown -h now
This command allows all members of the USERS
system group to issue the /sbin/shutdown -h
as long as the command is issued from the console.
The man page for sudoers
has a detailed listing of options for this file.
Using the same password for root as the user account
If you use a single user desktop, you might find it convenient to configure sudo
, so you can use the same password to access root as you use for your regular account. To do this, select to be added to the Administration group during installation. To do it at later stage, or to add a different user, use the following procedure:
-
Become the root user:
$ su -
-
Enter the password for the root account when prompted.
-
To use your regular password for the root access, run:
# usermod USERNAME -a -G groupname
Replace
USERNAME
with your account name -
Log off and back on in order to have access to the group.
When sudo prompts you for a password, it expects your user password, not the root password.
|
Logging sudo commands
Each successful authentication using the sudo
command is logged to the /var/log/messages
file. For each authentication, the /var/log/secure
file lists the user name and the command that was executed.
For additional logging, use the pam_tty_audit
module to enable TTY auditing for specific users. TTY auditing prints the file name of the terminal connected to the standard I/O. To enable TTY auditing, add the following line to your /etc/pam.d/system-auth
file:
session required pam_tty_audit.so disable=pattern enable=PATTERN
Replace PATTERN
with a comma-separated list of users (and globs, if needed).
For example, the following command enables TTY auditing for the root user and disables it for all other users:
session required pam_tty_audit.so disable=* enable=root
Using the pam_tty_audit
PAM module for auditing only records TTY input. As a result, when the audited user logs in, pam_tty_audit
records the user’s exact keystrokes and saves them in /var/log/audit/audit.log
. For more information, see the pam_tty_audit(8) manual page.
Warnings and caveats
You must use the user account you created following the installation process, at first boot, for daily use and the root account only for system administration. Avoid using root for any non-administration usage, since the account makes it easy to create security or data risks.
There are several potential risks to keep in mind when using the sudo
command. You can avoid them by editing the /etc/sudoers
configuration file using visudo
command.
sudo timeout
De manera predeterminada, sudo
almacena la contraseña por un período de cinco minutos. Cualquier uso subsiguiente del comando durante este período no le pedirá contraseña. Esto podría ser explotado por un atacante si usted deja la estación de trabajo desatendida y desbloqueada mientras está accediendo. Usted puede cambiar este comportamiento añadiendo la siguiente línea al archivo de configuración /etc/sudoers
:
Defaults timestamp_timeout=VALUE
Aquí, VALUE
es la longitud deseada de tiempo de salida en minutos. Si fija este valor a 0 provoca que sudo
requiera la contraseña cada vez.
Si una cuenta está comprometida un atacante puede usar el comando sudo
para abrir un nuevo terminal con privilegios administrativos.
Abrir un nuevo terminal como usuario root permite a un atacante acceso administrativo por un período de tiempo teóricamente ilimitado y saltar el período de tiempo especificado en el archivo /etc/sudoers
. Usando este método, el atacante no necesita suministrar una contraseña para sudo
otra vez hasta que la sesión termine.
Using sudo to access Docker
Docker has the ability to change the group ownership of the Docker socket to allow users added to the Docker group to be able to run Docker containers without having to execute the sudo
or su
command to become root.
Enabling access to the Docker daemon from non-root users is a problem from a security perspective. It is a security issue for Fedora, because if a user can talk to the Docker socket they can execute a command which gives them full root access to the host system. Docker has no auditing or logging built in, while sudo
does.
It is recommended that sudo rules are implemented to permit access to the Docker daemon. This allows sudo
to provide logging and audit functionality.
Ejecutar Docker usando sudo
-
Configure
sudo
como se muestra en Usando sudo para asigrnar privilegios de administrador. -
Cree un alias para ejecutar el comando docker añadiendo la siguiente línea en su archivo
~/.bashrc
:alias docker="sudo /usr/bin/docker"
When the user executes the docker command as non-root, sudo will be used to manage access and provide logging.
Using sudo without a password
You can enable root
access without a password specified, allowing any process on your system to become root
. Add the following line to your /etc/sudoers
file:
user ALL=(ALL) NOPASSWD: /usr/bin/docker
This will allow user
to access docker without a password.
For security reasons, it is recommended that you always use sudo with a password.
|
Want to help? Learn how to contribute to Fedora Docs ›