Sudo
From ArchWiki
Article summary |
---|
An overview of the popular privilege escalation utility. |
Available in languages |
English |
Français |
Italiano |
Русский |
简体中文 |
Türkçe |
Related articles |
su |
Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.[1]
Contents |
Rationale
Sudo is a secure alternative to the traditional su command. Many times the user utilizes su (substitute user) to gain root priviledges. Generally, it is considered unwise to login as root -- the superuser -- for extended periods of time. The root user enjoys complete and absolute control over the entire system, but at great risk! Simple typos can easily render a system unusable, and any applications run as root share this unfettered access.
Rather, sudo grants temporary privilege escalation for a single command (whether as root or another user); returning to the unprivileged state after completion, and rendering the system safe from unintended consequences. Additionally, sudo logs all commands and failed access attempts for security auditing.
Installation
To install sudo:
# pacman -Sy sudo
By default, users will not be allowed to run sudo. See #Configuration for instructions.
Usage
With sudo installed and configured, users are able to prefix commands with sudo to run said command with superuser (or other) privileges. For example:
$ sudo pacman -Syu
See the sudo manual for more information.
Configuration
The configuration file for sudo is /etc/sudoers. This file should not be edited directly! Instead, users must run the command visudo as root, which opens a temporary copy of the configuration file in $EDITOR. (If uncomfortable with vi (default), try setting EDITOR=nano first.)
# visudo
When the file is saved, visudo will double-check the file for syntax errors before overwriting the existing /etc/sudoers file. This safety feature exists because sudo will be rendered unusable if the configuration file contains errors.
To allow a user to gain full root privileges when he/she precedes a command with "sudo", add the following line:
USER_NAME ALL=(ALL) ALL
Allow a user sudo access from the local machine only:
USER_NAME HOSTNAME=(ALL) ALL
Allow members of group wheel sudo access requiring no password:
%wheel ALL=(ALL) NOPASSWD: ALL
where USER_NAME is the user name of the individual.
A detailed sudoers example can be found here. Otherwise, see the sudoers manual for detailed information.
Password timeout
Users may wish to change the default timeout before the password expires. This is accomplished by adding following to /etc/sudoers (visudo) for example:
Defaults:USER_NAME timestamp_timeout=20
where the password expires for user USER_NAME if unused for over 20 minutes.
Tips and tricks
Enabling tab-completion
Tab-completion, by default, will not work when a user is initially added to the sudoers file. For example, normally john only needs to type:
fire<TAB>
and the shell will complete the command for him as:
firefox
If, however, john is added to the sudoers file and he types:
sudo fire<TAB>
the shell will do nothing.
To enable tab-completion with sudo, add the following to your ~/.bashrc:
complete -cf sudo
Environment variables
If you have a lot of environment variables, or you export your proxy settings via export http_proxy="...", when using sudo these variables do not get passed to the root account unless you run sudo with the -E option.
$ sudo -E pacman -Sy
Because of this you may wish to add an alias in ~/.bashrc:
alias sudo="sudo -E"
Another way of fixing this would be to add in /etc/sudoers:
Defaults !env_reset
If you want to just pass *_proxy variables, add the following:
Defaults env_keep += "ftp_proxy http_proxy https_proxy no_proxy"
Insults
Users can configure sudo to display clever insults when an incorrect password is entered instead of printing the default "wrong password" message. Find the Defaults line in /etc/sudoers and append "insults" after a comma to existing options. The final result might look like this:
#Defaults specification Defaults insults
To test, type sudo -K to end the current session a let sudo ask for the password again.
Root password
Users can configure sudo to ask for the root password instead of the user password by adding "rootpw" to the Defaults line in /etc/sudoers:
Defaults timestamp_timeout=0,rootpw
Disable root login
With sudo installed and configured, users may wish to disable the root login. Without root, attackers must first guess a user name configured as a sudoer as well as the user password.
Ensure a user is properly configured as a sudoer before disabling the root account!
The account can be locked via passwd:
# passwd -l root
A similar command unlocks root.
$ sudo passwd -u root
Alternatively, edit /etc/shadow and replace the root's encrypted password with "!":
root:!:12345::::::
To enable root login again:
$ sudo passwd root
kdesu
kdesu may be used under KDE to launch GUI applications with root privileges. It is possible that by default kdesu will try to use su even if the root account is disabled. Fortunately one can tell kdesu to use sudo instead of su. Create/edit the file /usr/share/config/kdesurc:
[super-user-command] super-user-command=sudo