Secure Linux With the Sudoers File

Published:25 July 2022 - 7 min. read

Nicholas Xuan Nguyen Image

Nicholas Xuan Nguyen

Read more tutorials by Nicholas Xuan Nguyen!

In Linux, the sudoers file is where you grant users elevated privileges. By default, only the root user has these privileges. But, in some cases, it may be necessary for regular users to have elevated privileges as well.

The sudoers file is primarily for system administrators to manage and can be a bit daunting for newcomers. Don’t let that discourage you! With patience and attention to detail, anyone can learn to manage the sudoers file effectively.

This guide will teach you how to edit the sudoers and give users elevated privileges securely. You will also learn some best practices to keep in mind when working with sudoers. Don’t go anywhere; get ready to take your Linux user privileges management to the next level!

Prerequisites

This tutorial will be a hands-on demonstration. If you’d like to follow along, be sure you have a Linux system with a regular user account that you can use. This guide uses a Ubuntu 20.04 system, but any other Linux distribution should also work.

The Linux Sudoers File Overview

The sudoers file lives in the /etc/sudoers, a plain text file containing the policies on what privileges a user gains when executing the sudo command. Before going any further, it is essential to familiarize yourself with the sudoers file default contents and sections.

The screenshot below shows the default sudoers file contents on Ubuntu 20.04. The sudoers file default contents may differ between Linux distros.

The default sudoers file
The default sudoers file

The following is a quick run down of the sections in the sudoers file.

Defaults Section

Sudoers file Defaults entries
  • Defaults env_reset - Executing commands with sudo creates a new environment with minimal or default environment variables. In most Linux distros, sudo will load the environment variable in the /etc/environment file.
  • Defaults mail_badpass – This line triggers sending an email to the root when a user enters a wrong password with sudo.
  • Defaults secure_path - This line defines the PATH environment variable that sudo uses instead of the user’s PATH environment.

User and Group Sudo Privileges

This line defines the sudo privileges for specific users or members of groups.

Sudoers file privilege policies
Sudoers file privilege policies

Note: The % at the beginning indicates that the policy applies to the group members.

  • The first field defines that his policy applies to the root user and the members of the admin and sudo groups.
  • The first ALL means that the rule applies to all hosts.
  • The second ALL allows the root account to run commands as any user.
  • The third ALL allows the root account to run commands as any group.
  • The last ALL means that this policy applies to command commands.

Include Directives

At the end of the file, you will see a line that looks like a comment but is not. The lines starting with #include and #includedir are called include directives.

Sudoers files #include directives
Sudoers files #include directives

#includedir /etc/sudoers.d – This line tells sudo to look in the /etc/sudoers.d directory for any additional configuration files.

Editing the Sudoers File with the Right Tool

The sudoers file is a plain text file that you can open with your preferred text editor—but doing so is not advisable. Why? Because the sudoers file’s contents follow specific syntax, a regular text editor has no safeguards to prevent you from messing up the sudoers file.

Improper configuration can lead to security problems; worst, every user may lose the ability to elevate their privileges.

What’s the correct tool? — visudo. This tool opens the sudoers file in the default text editor. Additionally, visudo prevents concurrent editing and performs error-checking before exiting.

In Ubuntu 20.04, the default editor is vim, but you can set an alternative editor, such as nano, if you prefer.

1. Open a terminal session or SSH into your Linux machine.

2. Run the below command to list the available text editors on your computer.

sudo update-alternatives --config editor

As you can see, the current default editor is selection 5, which is vim. Suppose you prefer to keep the default, press Enter. If you prefer another editor, press the corresponding selection number, such as 0 for nano, and press Enter.

Setting the default sudoers file editor
Setting the default sudoers file editor

3. Now, run the below command to open the sudoers file in the default editor.

sudo visudo

If the sudoers file is open in another session, you will see the below error, and visudo will prevent you from opening the file. This way, no two users can make conflicting changes at the same time.

visudo: /etc/sudoers busy, try again later

4. Once the sudoers file is open, deliberately cause a syntax error by deleting the last instance of ALL, then save and exit the editor.

Editing the sudoers file to cause a syntax error
Editing the sudoers file to cause a syntax error

5. visudo will warn you that there’s a syntax error and asks, “What now?”. At this point, you have three options.

  • Type e and press Enter to re-edit the file. This option lets you correct the sudoers file in the editor again.
  • Type x and press Enter to discard the changes and exit visudo.
  • Type Q, press Enter to ignore the error, save the sudoers file, and exit visudo. Don’t choose this option unless you are sure of the consequences.

In this example, press x to discard the changes and retain the old sudoers file contents.

Handling the visudo sudoers file syntax error
Handling the visudo sudoers file syntax error

As you can see, it would be difficult to mess up the sudoers file with visudo permanently.

Granting Specific Privileges

Directly making changes to the sudoers file is doable but can become unmanageable as the policies and rules grow. The better alternative is to use include directives instead. This way, you can create multiple configuration files containing different custom policies and rules.

Suppose you want to give a group of users to run specific networking commands as root. To do so, you would need to create a file in the /etc/sudoers.d directory containing the custom rules for that group.

1. First, create the group you want that will be the target of the custom rule. In this example, the group’s name is netadmin.

sudo addgroup netadmin
netadmin
netadmin

2. Next, create a regular user account and make it a member of the netadmin group.

sudo adduser ata
sudo usermod -aG netadmin ata
id ata
Creating a new regular user and adding as a member of the netadmin group
Creating a new regular user and adding as a member of the netadmin group

3. Now, create a new sudoers file called /etc/sudoers.d/networking and open it with visudo.

sudo visudo -f /etc/sudoers.d/networking

4. Copy and paste the following lines into the networking file.

Cmnd_Alias     CAPTURE = /usr/sbin/tcpdump
Cmnd_Alias     SERVERS = /usr/sbin/apache2ctl, /usr/bin/htpasswd
Cmnd_Alias     NETALL = CAPTURE, SERVERS
%netadmin ALL=NETALL

The Cmnd_Alias lines are creating aliases for the commands. In this example, you assign the alias CAPTURE for the tcpdump command and SERVERS for the apache2ctl and htpasswd commands. Think of these lines as grouping commands together and giving them a collective name.

The last line specifies that members of the netadmin group can run any command in the NETALL alias as root. This line must come after the Cmnd_Alias lines.

Save and close the networking file when you are finished.
Save and close the networking file when you are finished.

5. To test the ata account’s sudo privileges, switch to the ata user account.

su - ata
Switching user accounts
Switching user accounts

6. Now, run one of the commands that the user has sudo access, such as tcpdump.

sudo tcpdump -c 5

As you can see below, the sudo command should work because the account has access to run it.

Trying sudo access
Trying sudo access

7. Next, test and confirm that the account cannot run any other commands that are not in the custom rule, like lshw.

sudo lshw

As a result, the sudo attempt fails because your account does not have the privilege to run the command as root.

sudo failed
sudo failed

8. Lastly, switch back to your account by running the below command.

exit

Hardening Security Using the passwd_tries Option

You can’t let anyone try entering a wrong password with sudo as often as they want—that would be an open invite for brute-force or password spraying attacks. As a preventive measure, you must set the maximum number of retries by adding the passwd_tries option inside the sudoers file.

1. First, open the custom sudoers file with visudo.

sudo visudo -f /etc/sudoers.d/networking

2. Add the below line to the end of the sudoers file. This line will allow up to four incorrect sudo password attempts before preventing any more attempts.

Defaults passwd_tries=4

The custom sudoers files should now look the same as the screenshot below. Ensure to save the file and exit the editor.

Adding the passwrd_tries option
Adding the passwrd_tries option

3. Now, switch to the ata user account and rerun the tcpdump command as root. But this time, enter an incorrect password until the password prompt ends.

sudo tcpdump

After your fourth attempt with a wrong password, you see that sudo stops you from entering another password for the fifth time.

Limiting incorrect sudo password tries
Limiting incorrect sudo password tries

Conclusion

In this tutorial, you learned the basics of the default sudoers file. You created custom rules in a separate sudoers file for granting custom privileges. Creating and applying custom rules is more secure than adding users to the sudo group.

You also learned how to apply the passwd_tries option to specify how many incorrect passwords attempts a user can make before sudo terminates the authentication attempt. You can increase granularly control which users have access to what commands.

Don’t stop here! You can do much more with the sudoers file, like adding a lecture file to spice up the user sudo experience. Thank you for reading, and have fun securing your Linux system!

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!