Linux sudo Command Secrets: 10 Tips for Increased Productivity and Security
sudo is a very powerful and commonly used command on Linux systems. It allows ordinary users to execute specific commands or programs as the superuser (root) without logging in to the root account directly, which improves system security and stability. However, did you know that sudo has many less-known options and tricks? This article introduces 10 tips for configuring sudo on Linux so that you can make better use of it for everyday tasks.
sudo allows a user to execute commands as root (or another user) as permitted by the security policy: it reads and parses /etc/sudoers, looks up the calling user and their permissions, and then prompts for a password (usually the calling user's own password, although it can also be the target user's password; the NOPASSWD tag disables password verification). sudo then creates a child process in which it calls setuid() to switch to the target user, and in that child process it executes either a shell or the command given as an argument.
Below are ten /etc/sudoers settings that modify the behavior of the sudo command through Defaults entries. You can view the current file with the command below (edit it with visudo, which checks the syntax before saving):
sudo cat /etc/sudoers | less
1. Set a secure PATH
This is the PATH used for every command run through sudo. It matters for two reasons:
It is used when the system administrator does not trust sudo users to have a secure PATH environment variable.
It separates the "root path" from the "user path"; only users in the group named by exempt_group are unaffected by this setting.
To set it, add the line:
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
2. Require sudo to be run from a TTY login session
To require that sudo be invoked from a real tty, and not through methods such as cron or cgi-bin scripts, add the following line:
Defaults requiretty
3. Run the sudo command using pty
Sometimes an attacker can use sudo to run a malicious program (such as a virus or malware) that forks a background process which stays attached to the user's terminal device even after the main program has finished executing.
To avoid this, you can configure sudo to run commands only from a pseudo-pty using the use_pty parameter, regardless of whether I/O logging is turned on, as follows:
Defaults use_pty
4. Create a sudo log file
By default, sudo logs through syslog(3). To write to a custom log file instead, use the logfile parameter, for example:
Defaults logfile="/var/log/sudo.log"
To log the hostname and four-digit year in a custom log file, use the log_host and log_year parameters respectively, as follows:
Defaults log_host, log_year, logfile="/var/log/sudo.log"
5. Record sudo command input/output
The log_input and log_output parameters make sudo run commands in a pseudo tty and log all user input and all output sent to the screen.
The default I/O log directory is /var/log/sudo-io, and the session sequence number, if any, is kept in a seq file in this directory. You can specify a custom directory with the iolog_dir parameter.
Defaults log_input, log_output
The iolog_dir value supports several escape sequences, such as %{seq}, which expands to a monotonically increasing base-36 sequence number, such as 000001, where every two digits form a new directory level, e.g. 00/00/01, as shown in the following example:
[root@linuxprobe ~]# cd /var/log/sudo-io/
[root@linuxprobe sudo-io]# ll
total 8
drwx------ 3 root root 4096 Jan 12 18:58 00
-rw------- 1 root root    7 Jan 12 19:08 seq
[root@linuxprobe sudo-io]# cd 00/00/06/
[root@linuxprobe 06]# ls
log  stderr  stdin  stdout  timing  ttyin  ttyout
[root@linuxprobe 06]# cat log
1484219333:root:root::/dev/pts/0
/root
/bin/bash
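As an added example (not code from the article or from the sudo project), the following Python decodes the I/O log layout just shown: it expands a %{seq} counter into the two-characters-per-level directory path sudo uses, and parses the session's three-line log file. The sample log content is constructed to match the listing above; the field names in IoLogSession are this example's own.

```python
"""Added example: decode the sudo I/O log layout described above (the %{seq}
directory naming and the per-session 'log' file). Not sudo's own code."""
import string
from dataclasses import dataclass

BASE36 = string.digits + string.ascii_uppercase

def seq_to_dir(seq: int, width: int = 6) -> str:
    """Encode a session counter the way sudo expands %{seq}: zero-padded
    base-36, split into two-character directories (6 -> '00/00/06')."""
    if seq < 0:
        raise ValueError("sequence numbers are non-negative")
    digits = ""
    while seq:
        seq, rem = divmod(seq, 36)
        digits = BASE36[rem] + digits
    enc = digits.rjust(width, "0")
    if len(enc) % 2:  # keep pairs aligned if the counter outgrows width
        enc = "0" + enc
    return "/".join(enc[i:i + 2] for i in range(0, len(enc), 2))


@dataclass
class IoLogSession:
    started: int       # epoch seconds when the session began
    user: str          # account that invoked sudo
    runas_user: str    # target user
    runas_group: str   # target group, '' when none was requested
    tty: str
    cwd: str
    command: str


def parse_iolog(text: str) -> IoLogSession:
    """Parse the 'log' file: header line, working directory, command.
    Handles the five-field header shown in the article; later sudo versions
    may append terminal lines and columns, which are ignored here."""
    lines = text.rstrip("\n").split("\n")
    if len(lines) < 3:
        raise ValueError("truncated I/O log header")
    fields = lines[0].split(":")
    if len(fields) < 5:
        raise ValueError("unexpected header line: %r" % lines[0])
    ts, user, runas_user, runas_group, tty = fields[:5]
    return IoLogSession(int(ts), user, runas_user, runas_group, tty,
                        lines[1], lines[2])


# Constructed to match the article's listing of /var/log/sudo-io/00/00/06/log.
SAMPLE_LOG = "1484219333:root:root::/dev/pts/0\n/root\n/bin/bash\n"
```

Pointing parse_iolog at a real session directory's log file tells you who ran what, from which tty and directory, before you replay the stdout/ttyout recordings.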
6. Lecture sudo users
To have sudo display a lecture to users before they run commands, use the lecture parameter as shown below.
It has 3 possible values:
always – always lecture the user.
once – lecture the user only the first time they run sudo (this is the behavior when no value is specified).
never – never lecture users.
Defaults lecture="always"
Additionally, you can set up a custom lecture file using the lecture_file parameter, typing the corresponding message into the file:
Defaults lecture_file="/path/to/file"
7. Display custom message when entering wrong sudo password
When the user enters an incorrect password, a specific message is displayed on the command line. The default message is "sorry, try again"; you can change it with the badpass_message parameter as follows:
Defaults badpass_message="Password is wrong, please try again, thank you!"
8. Increase sudo password attempt limit
The passwd_tries parameter specifies how many times the user may attempt to enter the password before sudo gives up. The default value is 3:
Defaults passwd_tries=5
9. Have sudo display an insult when an incorrect password is entered
Defaults insults
10. Learn more about Sudo configuration
http://blog.csdn.net/wh211212/article/details/52923673
The above is the detailed content of Linux sudo Command Secrets: 10 Tips for Increased Productivity and Security. For more information, please follow other related articles on the PHP Chinese website!