Configuring Sudo, the proper way

A very useful application on Linux and BSD systems is sudo. It allows a user to execute a task as root without being logged in as root. There are security concerns when it is not configured correctly. Fortunately, most distributions enable it only for the ‘sudo’ group. But in some cases you want sudo to fit into your environment, instead of having to change your environment to fit sudo.

How does it work?

If you are logged in as a regular user and want to execute a root task, simply enter ‘sudo’ followed by the command, or ‘sudo -s’ to open a root shell. Here are some examples:

sudo apt-get update
sudo ifconfig
sudo cat /etc/passwd

When entering the command, it asks for YOUR password, so you can perform root tasks without knowing the root password. You can even change the root password this way!

If your account is not allowed to use ‘sudo’, you’ll simply get the following error message after entering the password:

user is not in the sudoers file.  This incident will be reported.

How to configure sudo

Sudo is configured by editing the ‘sudoers’ file. You can edit it by simply entering the following command:

visudo

In some cases it might open in a different editor than you are used to, ‘vi’ for example. I prefer the ‘nano’ text editor. Assuming you’ve installed it, you can find its location with ease:

whereis nano

It’s usually located in /bin. To edit the ‘sudoers’ file in nano, enter these two commands:

export EDITOR=/bin/nano
visudo

If you prefer a different editor, specify its location instead.

To save the configuration, simply save your changes and exit the editor. In case of ‘nano’ this is done by pressing CTRL + X.

Configuring sudo

The default ‘sudoers’ configuration file will look similar to this:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

The lines to pay attention to are the ones ending in ALL=(ALL) ALL. These specify the access. You can add an entry for each user, or for each group by putting a %-sign in front of the group name. Delete all of those access lines, but keep the lines starting with ‘Defaults’.

Close the editor now, saving changes.

We are going to use a group whose members will be able to use ‘sudo’. If you have already created such a group and added the users to it, you can skip this part.

In this example I will create a group called ‘admins’.

groupadd admins

Now add the users that should be able to use ‘sudo’ to that group. First I get the list of groups for this user:

groups roy

Now set the user’s supplementary group membership to the ‘admins’ group (note that -G replaces the existing list):

usermod -G admins roy

If the user must keep any other groups, list them all with -G instead:

usermod -G admins,group1,group2 roy

Note: Some distributions switch the function of -G and -g; refer to the man page of your distribution:

man usermod

Now we will configure sudo to only accept sudo logins from the ‘admins’ group.

visudo

Assuming that you have cleared all lines except for the ‘Defaults’ lines, add this line to allow the ‘admins’ group to use sudo:

%admins ALL=(ALL) ALL

Now save the file and close the editor. The settings take effect immediately.
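Before trusting a sudoers file, it helps to check what it actually grants. The following Python helper is an added example, not code from the original post: it parses user-privilege lines in the simplified one-spec-per-line form shown above (aliases and line continuations are assumed absent and rejected) and lists which users and groups hold full root access, i.e. ALL=(ALL) ALL.

```python
import re
from typing import Dict, List

# Constructed sample: the default file from above with the '%admins' line added.
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults env_reset
root ALL=(ALL) ALL
%admins ALL=(ALL) ALL
%sudo ALL=(ALL) ALL
#includedir /etc/sudoers.d
"""

# One user specification:  who  host = (runas) [TAG:]... commands
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Parse user privilege lines. Simplified grammar (an assumption of this
    example): one spec per line, no aliases, no backslash line continuations."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines, comments, #include(dir) and Defaults lines grant nothing.
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        who, cmds, tags = m.group("who"), m.group("cmds").strip(), []
        # Peel off tags such as NOPASSWD: that precede the command list.
        while ":" in cmds and cmds.split(":", 1)[0].strip().isupper():
            tag, cmds = cmds.split(":", 1)
            tags.append(tag.strip())
            cmds = cmds.strip()
        specs.append({
            "kind": "group" if who.startswith("%") else "user",
            "principal": who.lstrip("%"),
            "host": m.group("host"),
            "runas": (m.group("runas") or "root").strip(),  # sudo defaults to root
            "tags": tags,
            "commands": cmds,
        })
    return specs


def full_root_grants(text: str) -> List[str]:
    """Principals allowed ALL=(ALL) ALL: any command, as anyone, on any host."""
    return [f'{s["kind"]}:{s["principal"]}' for s in parse_sudoers(text)
            if s["host"] == "ALL" and s["runas"].split(":")[0] == "ALL"
            and s["commands"] == "ALL"]
```

Running full_root_grants over the sample reports root, the admins group and the sudo group; after the cleanup described above only the admins entry should remain.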

Troubleshooting

Q. I am getting a command not found when entering the sudo command.
A. Sudo is not installed.

Q. I am getting a command not found when entering the ‘groupadd’ or ‘usermod’ command.
A. Enter the commands as /usr/sbin/groupadd and /usr/sbin/usermod. If these also fail, use the ‘whereis’ command to look for the location of these programs.

Security notice

As I said before, ‘sudo’ is a very powerful tool. Always keep in mind that a chain is only as strong as its weakest link. Make sure that each user with access to ‘sudo’ has a strong password. And if users have SSH keys to log in remotely without a password, have them safeguard those keys at all cost!
