Performing administration tasks using sudo
This page has been converted from the Fedora Project Wiki and cleaned up for publishing here on the Fedora Docs Portal, but it has not yet been reviewed for technical accuracy. This means any information on this page may be outdated or inaccurate. Reviews for technical accuracy are greatly appreciated. If you want to help, see the README file in the source repository for instructions. |
How to perform tasks requiring root privileges without logging in as root.
What is sudo?
The sudo
command allows users to gain administrative or root access. When trusted users precede an administrative command with sudo
, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
Only users listed in the /etc/sudoers
configuration file are allowed to use the sudo
command. The command is executed in the user’s shell, not a root shell.
The syntax for the sudo command is as follows:
sudo COMMAND
Replace COMMAND
with the command to run as the root user.
How to use sudo
Using sudo to assign administrator privileges
Add users to the /etc/sudoers
configuration file to allow them to use the sudo
command. For these users, the sudo
command is run in the user’s shell instead of in a root shell. As a result, the root shell can be disabled for increased security.
The administrator can also allow different users access to specific commands using the sudo configuration. Administrators must use the visudo
command to edit the /etc/sudoers
configuration file.
To assign full administrative privileges to a user, type visudo
and add the following line to the user privilege section after replacing USERNAME
with the target user name:
USERNAME ALL=(ALL) ALL
This line allows the specified user to use sudo
from any host and execute any command.
To allow a user access to specific commands, use the following example after replacing USERS
with a target system group:
%USERS localhost=/usr/sbin/shutdown -h now
This command allows all members of the USERS
system group to issue the /sbin/shutdown -h
as long as the command is issued from the console.
The man page for sudoers
has a detailed listing of options for this file.
Using the same password for root as the user account
If you use a single user desktop, you might find it convenient to configure sudo
, so you can use the same password to access root as you use for your regular account. To do this, select to be added to the Administration group during installation. To do it at later stage, or to add a different user, use the following procedure:
-
Become the root user:
$ su -
-
Enter the password for the root account when prompted.
-
To use your regular password for the root access, run:
# usermod USERNAME -a -G groupname
Replace
USERNAME
with your account name -
Log off and back on in order to have access to the group.
When sudo prompts you for a password, it expects your user password, not the root password.
|
Logging sudo commands
Each successful authentication using the sudo
command is logged to the /var/log/messages
file. For each authentication, the /var/log/secure
file lists the user name and the command that was executed.
For additional logging, use the pam_tty_audit
module to enable TTY auditing for specific users. TTY auditing prints the file name of the terminal connected to the standard I/O. To enable TTY auditing, add the following line to your /etc/pam.d/system-auth
file:
session required pam_tty_audit.so disable=pattern enable=PATTERN
Replace PATTERN
with a comma-separated list of users (and globs, if needed).
For example, the following command enables TTY auditing for the root user and disables it for all other users:
session required pam_tty_audit.so disable=* enable=root
Using the pam_tty_audit
PAM module for auditing only records TTY input. As a result, when the audited user logs in, pam_tty_audit
records the user’s exact keystrokes and saves them in /var/log/audit/audit.log
. For more information, see the pam_tty_audit(8) manual page.
Warnings and caveats
You must use the user account you created following the installation process, at first boot, for daily use and the root account only for system administration. Avoid using root for any non-administration usage, since the account makes it easy to create security or data risks.
There are several potential risks to keep in mind when using the sudo
command. You can avoid them by editing the /etc/sudoers
configuration file using visudo
command.
sudo timeout
By default, sudo
stores the password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt you for a password. This could be exploited by an attacker if you leave your workstation unattended and unlocked while still being logged in. You can change this behavior by adding the following line to the /etc/sudoers
configuration file:
Defaults timestamp_timeout=VALUE
Here, VALUE
is the desired timeout length in minutes. Setting the value to 0 causes sudo
to require a password every time.
If an account is compromised, an attacker can use sudo
to open a new shell with administrative privileges.
Opening a new shell as a root user in this way allows an attacker administrative access for a theoretically unlimited period of time and bypasses the timeout period specified in the /etc/sudoers
file. Using this method, the attacker does not need to provide a password for sudo
again until the session ends.
Using sudo to access Docker
Docker has the ability to change the group ownership of the Docker socket to allow users added to the Docker group to be able to run Docker containers without having to execute the sudo
or su
command to become root.
Enabling access to the Docker daemon from non-root users is a problem from a security perspective. It is a security issue for Fedora, because if a user can talk to the Docker socket they can execute a command which gives them full root access to the host system. Docker has no auditing or logging built in, while sudo
does.
It is recommended that sudo rules are implemented to permit access to the Docker daemon. This allows sudo
to provide logging and audit functionality.
Run Docker using sudo
-
Set up
sudo
as shown in Using sudo to assign administrator privileges. -
Create an alias for running the docker command by adding the following line to your
~/.bashrc
file:alias docker="sudo /usr/bin/docker"
When the user executes the docker command as non-root, sudo will be used to manage access and provide logging.
Using sudo without a password
You can enable root
access without a password specified, allowing any process on your system to become root
. Add the following line to your /etc/sudoers
file:
user ALL=(ALL) NOPASSWD: /usr/bin/docker
This will allow user
to access docker without a password.
For security reasons, it is recommended that you always use sudo with a password.
|