Sudo

From ArchWiki
Jump to: navigation, search

Related articles

sudo allows a system administrator to delegate authority to give certain users—or groups of users—the ability to run commands as root or another user while providing an audit trail of the commands and their arguments.

Sudo is an alternative to su for running commands as root. Unlike su, which launches a root shell that allows all further commands root access, sudo instead grants temporary privilege escalation to a single command. By enabling root privileges only when needed, sudo usage reduces the likelihood that a typo or a bug in an invoked command will ruin the system.

Sudo can also be used to run commands as other users; additionally, sudo logs all commands and failed access attempts for security auditing.

Installation

Install the sudo package.

Usage

To begin using sudo as a non-privileged user, it must be properly configured. See #Configuration.

To use sudo, simply prefix a command and its arguments with sudo and a space:

$ sudo cmd

For example, to use pacman:

$ sudo pacman -Syu

See man sudo for more information.

Configuration

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Move #Defaults skeleton here, and create an intro discussing Defaults, perhaps with a table that lists common settings (Discuss in Talk:Sudo#)

See man sudoers for more information, such as configuring the password timeout.

View current settings

Run sudo -ll to print out the current sudo configuration, or sudo -lU user for a specific user.

Using visudo

The configuration file for sudo is /etc/sudoers. It should always be edited with the visudo command. visudo locks the sudoers file, saves edits to a temporary file, and checks that file's grammar before copying it to /etc/sudoers.

Warning:
  • It is imperative that sudoers be free of syntax errors! Any error makes sudo unusable. Always edit it with visudo to prevent errors.
  • From man 8 visudo: Note that this can be a security hole since it allows the user to execute any program they wish simply by setting VISUAL or EDITOR.

The default editor for visudo is vi. sudo from the core repository is compiled with --with-env-editor by default and honors the use of the VISUAL and EDITOR variables. EDITOR is not used when VISUAL is set.

To establish nano as the visudo editor for the duration of the current shell session, set and export the EDITOR variable before calling visudo.

# EDITOR=nano visudo

To change the editor permanently, see Environment variables#Per user. To change the editor of choice permanently system-wide only for visudo, add the following to /etc/sudoers (assuming nano is your preferred editor):

# Reset environment by default
Defaults      env_reset
# Set default EDITOR to nano, and do not allow visudo to use EDITOR/VISUAL.
Defaults      editor=/usr/bin/nano, !env_editor

Example Entries

To allow a user to gain full root privileges when he/she precedes a command with sudo, add the following line:

USER_NAME   ALL=(ALL) ALL

To allow a user to run all commands as any user but only the machine with hostname HOST_NAME:

USER_NAME   HOST_NAME=(ALL) ALL

To allow members of group wheel sudo access:

%wheel      ALL=(ALL) ALL

To disable asking for a password for user USER_NAME:

Defaults:USER_NAME      !authenticate

Enable explicitly defined commands only for user USER_NAME on host HOST_NAME:

USER_NAME HOST_NAME=/usr/bin/halt,/usr/bin/poweroff,/usr/bin/reboot,/usr/bin/pacman -Syu
Note: the most customized option should go at the end of the file, as the later lines overrides the previous ones. In particular such a line should be after the %wheel line if your user is in this group.

Enable explicitly defined commands only for user USER_NAME on host HOST_NAME without password:

USER_NAME HOST_NAME= NOPASSWD: /usr/bin/halt,/usr/bin/poweroff,/usr/bin/reboot,/usr/bin/pacman -Syu

A detailed sudoers example is available at /usr/share/doc/sudo/examples/sudoers. Otherwise, see the sudoers manual for detailed information.

Sudoers default file permissions

The owner and group for the sudoers file must both be 0. The file permissions must be set to 0440. These permissions are set by default, but if you accidentally change them, they should be changed back immediately or sudo will fail.

# chown -c root:root /etc/sudoers
# chmod -c 0440 /etc/sudoers

Tips and tricks

Disable per-terminal sudo

Warning: This will let any process use your sudo session.

If you are annoyed by sudo's defaults that require you to enter your password every time you open a new terminal, disable tty_tickets:

Defaults !tty_tickets

Environment variables

If you have a lot of environment variables, or you export your proxy settings via export http_proxy="...", when using sudo these variables do not get passed to the root account unless you run sudo with the -E option.

$ sudo -E pacman -Syu

The recommended way of preserving environment variables is to append them to env_keep:

/etc/sudoers
Defaults env_keep += "ftp_proxy http_proxy https_proxy no_proxy"

Passing aliases

If you use a lot of aliases, you might have noticed that they do not carry over to the root account when using sudo. However, there is an easy way to make them work. Simply add the following to your ~/.bashrc or /etc/bash.bashrc:

alias sudo='sudo '

Root password

Users can configure sudo to ask for the root password instead of the user password by adding targetpw (target user, defaults to root) or rootpw to the Defaults line in /etc/sudoers:

Defaults targetpw

To prevent exposing your root password to users, you can restrict this to a specific group:

Defaults:%wheel targetpw
%wheel ALL=(ALL) ALL

Disable root login

Users may wish to disable the root login. Without root, attackers must first guess a user name configured as a sudoer as well as the user password. See for example Ssh#Deny.

Warning:
  • Be careful, you may lock yourself out by disabling root login. Sudo is not automatically installed and its default configuration allows neither passwordless root access nor root access with your own password. Ensure a user is properly configured as a sudoer before disabling the root account!
  • If you have changed your sudoers -file to use rootpw as default, then do not disable root login with any of the following commands!
  • If you are already locked out, see Password recovery for help.

The account can be locked via passwd:

# passwd -l root

A similar command unlocks root.

$ sudo passwd -u root

Alternatively, edit /etc/shadow and replace the root's encrypted password with "!":

root:!:12345::::::

To enable root login again:

$ sudo passwd root

gksu

To set gksu to use sudo by default, run:

$ gconftool-2 --set --type boolean /apps/gksu/sudo-mode true

kdesu

kdesu may be used under KDE to launch GUI applications with root privileges. It is possible that by default kdesu will try to use su even if the root account is disabled. Fortunately one can tell kdesu to use sudo instead of su. Create/edit the file ~/.config/kdesurc (or ~/.kde4/share/config/kdesurc for the kde4 version of kdesu):

[super-user-command]
super-user-command=sudo

or use the following command (use kwriteconfig for the kde4 version of kdesu):

$ kwriteconfig5 --file kdesurc --group super-user-command --key super-user-command sudo

Alternatively, install kdesudoAUR, which has the added advantage of tab-completion for the command following.

Harden with Sudo Example

Let us say you create 3 users: admin, devel, and joe. The user "admin" is used for journalctl, systemctl, mount, kill, and iptables; "devel" is used for installing packages, and editing config files; and "joe" is the user you log in with. To let "joe" reboot, shutdown, and use netctl we would do the following:

Edit /etc/pam.d/su and /etc/pam.d/su-1 Require user be in the wheel group, but do not put anyone in it.

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so

Limit SSH login to the 'ssh' group. Only "joe" will be part of this group.

groupadd -r ssh
gpasswd -a joe ssh
echo 'AllowGroups ssh' >> /etc/ssh/sshd_config

Restart sshd.service.

Add users to other groups.

for g in power network ;do ;gpasswd -a joe $g ;done
for g in network power storage ;do ;gpasswd -a admin $g ;done

Set permissions on configs so devel can edit them.

chown -R devel:root /etc/{http,openvpn,cups,zsh,vim,screenrc}
Cmnd_Alias  POWER       =   /usr/bin/shutdown -h now, /usr/bin/halt, /usr/bin/poweroff, /usr/bin/reboot
Cmnd_Alias  STORAGE     =   /usr/bin/mount -o nosuid\,nodev\,noexec, /usr/bin/umount
Cmnd_Alias  SYSTEMD     =   /usr/bin/journalctl, /usr/bin/systemctl
Cmnd_Alias  KILL        =   /usr/bin/kill, /usr/bin/killall
Cmnd_Alias  PKGMAN      =   /usr/bin/pacman
Cmnd_Alias  NETWORK     =   /usr/bin/netctl
Cmnd_Alias  FIREWALL    =   /usr/bin/iptables, /usr/bin/ip6tables
Cmnd_Alias  SHELL       =   /usr/bin/zsh, /usr/bin/bash
%power      ALL         =   (root)  NOPASSWD: POWER
%network    ALL         =   (root)  NETWORK
%storage    ALL         =   (root)  STORAGE
root        ALL         =   (ALL)   ALL
admin       ALL         =   (root)  SYSTEMD, KILL, FIREWALL
devel	    ALL         =   (root)  PKGMAN
Joe	    ALL         =   (devel) SHELL, (admin) SHELL 

With this setup, you will almost never need to login as the Root user.

"Joe" can connect to his home WiFi.

sudo netctl start home
sudo poweroff

"Joe" can not use netctl as any other user.

sudo -u admin -- netctl start home

When "joe" needs to use journalctl or kill run away process he can switch to that user

sudo -i -u devel
sudo -i -u admin

But "joe" cannot switch to the root user.

sudo -i -u root

If "joe" want to start a gnu-screen session as admin he can do it like this:

sudo -i -u admin
admin% chown admin:tty `echo $TTY`
admin% screen

Configure sudo using drop-in files in /etc/sudoers.d

sudo parses files contained in the directory /etc/sudoers.d/. This means that instead of editing /etc/sudoers, you can change settings in standalone files and drop them in that directory. This has two advantages:

  • There is no need to edit a sudoers.pacnew file;
  • If there is a problem with a new entry, you can remove the offending file instead of editing /etc/sudoers.

The format for entries in these drop-in files is the same as for /etc/sudoers itself. To edit them directly, use visudo -f /path/to/file. See the "Including other files from within sudoers" section of man sudoers for details.

The files in /etc/sudoers.d/ directory are parsed in lexicographical order, file names containing . or ~ are skipped. To avoid sorting problems, the file names should begin with two digits, e.g. 01_foo.

Note: The order of entries in the drop-in files is important, make sure that the statements do not override themselves.

Troubleshooting

SSH TTY Problems

Merge-arrows-2.pngThis article or section is a candidate for merging with #Configuration.Merge-arrows-2.png

Notes: please use the second argument of the template to provide more detailed indications. (Discuss in Talk:Sudo#)

SSH does not allocate a tty by default when running a remote command. Without a tty, sudo cannot disable echo when prompting for a password. You can use ssh's -tt option to force it to allocate a tty (or -t twice).

The Defaults option requiretty only allows the user to run sudo if they have a tty.

# Disable "ssh hostname sudo <cmd>", because it will show the password in clear text. You have to run "ssh -t hostname sudo <cmd>".
#
#Defaults    requiretty

Permissive umask

Merge-arrows-2.pngThis article or section is a candidate for merging with #Configuration.Merge-arrows-2.png

Notes: please use the second argument of the template to provide more detailed indications. (Discuss in Talk:Sudo#)

Sudo will union the user's umask value with its own umask (which defaults to 0022). This prevents sudo from creating files with more open permissions than the user's umask allows. While this is a sane default if no custom umask is in use, this can lead to situations where a utility run by sudo may create files with different permissions than if run by root directly. If errors arise from this, sudo provides a means to fix the umask, even if the desired umask is more permissive than the umask that the user has specified. Adding this (using visudo) will override sudo's default behavior:

Defaults umask = 0022
Defaults umask_override

This sets sudo's umask to root's default umask (0022) and overrides the default behavior, always using the indicated umask regardless of what umask the user as set.

Defaults skeleton

Merge-arrows-2.pngThis article or section is a candidate for merging with #Configuration.Merge-arrows-2.png

Notes: please use the second argument of the template to provide more detailed indications. (Discuss in Talk:Sudo#)

The authors site has a list of all the options that can be used with the Defaults command in the /etc/sudoers file.

See [1] for a list of options (parsed from the version 1.8.7 source code) in a format optimized for sudoers.