How to perform tasks requiring root privileges without logging in as root.

What is sudo?

The sudo command allows users to gain administrative or root access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.

Only users listed in the /etc/sudoers configuration file are allowed to use the sudo command. The command is executed in the user’s shell, not a root shell.

The syntax for the sudo command is as follows:

sudo COMMAND

Replace COMMAND with the command to run as the root user.

How to use sudo

Using sudo to assign administrator privileges

Add users to the /etc/sudoers configuration file to allow them to use the sudo command. For these users, the sudo command is run in the user’s shell instead of in a root shell. As a result, the root shell can be disabled for increased security.

The administrator can also allow different users access to specific commands using the sudo configuration. Administrators must use the visudo command to edit the /etc/sudoers configuration file.

To assign full administrative privileges to a user, type visudo and add the following line to the user privilege section after replacing USERNAME with the target user name:

USERNAME ALL=(ALL) ALL

This line allows the specified user to use sudo from any host and execute any command.

To allow a user access to specific commands, use the following example after replacing USERS with a target system group:

%USERS localhost=/usr/sbin/shutdown -h now

This command allows all members of the USERS system group to issue the /sbin/shutdown -h as long as the command is issued from the console.

The man page for sudoers has a detailed listing of options for this file.

Using the same password for root as the user account

If you use a single user desktop, you might find it convenient to configure sudo, so you can use the same password to access root as you use for your regular account. To do this, select to be added to the Administration group during installation. To do it at later stage, or to add a different user, use the following procedure:

  1. Become the root user:

    $ su -
  2. Enter the password for the root account when prompted.

  3. To use your regular password for the root access, run:

    # usermod USERNAME -a -G groupname

    Replace USERNAME with your account name

  4. Log off and back on in order to have access to the group.

When sudo prompts you for a password, it expects your user password, not the root password.

Logging sudo commands

Each successful authentication using the sudo command is logged to the /var/log/messages file. For each authentication, the /var/log/secure file lists the user name and the command that was executed.

For additional logging, use the pam_tty_audit module to enable TTY auditing for specific users. TTY auditing prints the file name of the terminal connected to the standard I/O. To enable TTY auditing, add the following line to your /etc/pam.d/system-auth file:

session required pam_tty_audit.so disable=pattern enable=PATTERN

Replace PATTERN with a comma-separated list of users (and globs, if needed).

For example, the following command enables TTY auditing for the root user and disables it for all other users:

session required pam_tty_audit.so disable=* enable=root

Using the pam_tty_audit PAM module for auditing only records TTY input. As a result, when the audited user logs in, pam_tty_audit records the user’s exact keystrokes and saves them in /var/log/audit/audit.log. For more information, see the pam_tty_audit(8) manual page.

Warnings and caveats

You must use the user account you created following the installation process, at first boot, for daily use and the root account only for system administration. Avoid using root for any non-administration usage, since the account makes it easy to create security or data risks.

There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the /etc/sudoers configuration file using visudo command.

sudo timeout

By default, sudo stores the password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt you for a password. This could be exploited by an attacker if you leave your workstation unattended and unlocked while still being logged in. You can change this behavior by adding the following line to the /etc/sudoers configuration file:

Defaults    timestamp_timeout=VALUE

Here, VALUE is the desired timeout length in minutes. Setting the value to 0 causes sudo to require a password every time.

If an account is compromised, an attacker can use sudo to open a new shell with administrative privileges.

Opening a new shell as a root user in this way allows an attacker administrative access for a theoretically unlimited period of time and bypasses the timeout period specified in the /etc/sudoers file. Using this method, the attacker does not need to provide a password for sudo again until the session ends.

Using sudo to access Docker

Docker has the ability to change the group ownership of the Docker socket to allow users added to the Docker group to be able to run Docker containers without having to execute the sudo or su command to become root.

Enabling access to the Docker daemon from non-root users is a problem from a security perspective. It is a security issue for Fedora, because if a user can talk to the Docker socket they can execute a command which gives them full root access to the host system. Docker has no auditing or logging built in, while sudo does.

It is recommended that sudo rules are implemented to permit access to the Docker daemon. This allows sudo to provide logging and audit functionality.

Run Docker using sudo

  1. Set up sudo as shown in Using sudo to assign administrator privileges.

  2. Create an alias for running the docker command by adding the following line to your ~/.bashrc file:

    alias docker="sudo /usr/bin/docker"

    When the user executes the docker command as non-root, sudo will be used to manage access and provide logging.

Using sudo without a password

You can enable root access without a password specified, allowing any process on your system to become root. Add the following line to your /etc/sudoers file:

user        ALL=(ALL)       NOPASSWD: /usr/bin/docker

This will allow user to access docker without a password.

For security reasons, it is recommended that you always use sudo with a password.