Privilege Manipulation with Sudo
Privilege Manipulation with Sudo starts with the sudoers file in /etc/. Root can share some or all rights with users. There are many things that you can do with the /etc/sudoers file. Most single user workstations or computers do not have a need to manipulate this file to a great extent. Here are some examples of what you can do in a multiuser environment.
When you open the sudoers file there is a warning that it should only be edited with visudo.
To edit the file:
The structure of the file
Defaults Section
Let’s start with the Defaults section, this can also be placed at the bottom of the sections, but in many distributions it is first. It can change the behavior of the whole environment or a single user or user alias.
If you want to insult your users because they haven’t typed in the root password in correctly you would put in (Yes, this is a real command):
One of the first things that you will encounter is
This resets the environment of the sudoers file and sets it back to “normal”. That way you can make changes in the file to suit yourself.
You can “comment out” any of the commands by typing # before the command.
Default password_timeout=15
This would give you 3 tries at a password before the attempt is logged, and give you 15 minutes before it expires.
Alias’ Section
This section is broken down into three sub-categories:
- Host Alias Section – Host names, IP Addresses and Network numbers
- User Alias Section – Account names, UIDs, and Groups
- Command Alias Section – sets of commands and full path names
Host Alias Section example:
Members of the Webservers group have access to server1 to server3.
User Alias Section example:
charles ALL=passwd, chown, chgrp, chmod
%wheel ALL=(ALL) NOPASSWD: ALL
Members of the Admin group are bob, carol, ted and alice. Charles needs to type in root’s password every time he uses chown, chgrp and chmod. The wheel group has all of root’s privileges without typing in a password.
Command Alias Section example:
Nice, pkill and kill require a password to execute.
Things to consider before you start
Debian, and its various other distributions such as Ubuntu, generally let you sudo without a password being needed. Unfortunately they also hide the root password. You should change root’s password before experimenting with the sudoers file. It is very easy to lock yourself out and not be able to get back in without a lot of trouble. To change the password:
Enter the new password twice and it will automatically update to the new one. Now you can become switch user to root if you have problems with your sudoers file.
In Conclusion
Sudoers is much more than just asking for a password. You can design elaborate structures with it for users and what they can and cannot do. The command is explained in detail in the man pages for sudoers. So, if you need more security than your distribution gives you now you know a bit more about how to manipulate the sudoers file to help get you peace of mind.