For the best web experience, please use IE11+, Chrome, Firefox, or Safari

How does Sudo work on Linux/Unix for Privilege management?

Sudo allows regular users to execute commands with elevated privileges. It is a great way to temporarily grant administrative rights to users, without sharing the root account credentials. But how does sudo management really work? What best practices must you follow before adding a user to sudo? Let’s find out.
How does Sudo work on Linux/Unix for Privilege management?

What is sudo in Linux?

There are two ways to elevate your privileges on Linux/Unix. You can either log in as the root or superuser, or you can use sudo. The former is not recommended, as it violates the principle of least privilege. The latter is a more secure approach, as it allows for granular access control – and individual accountability.

Sudo is short for superuser do. It’s a tool that elevates a user’s privileges to execute sensitive commands, e.g. installing or updating a package, disabling a network interface, performing a restart, stopping the firewall daemon or modifying the crontab. The sudo utility is available across all Linux distributions, including Ubuntu, Debian, RedHat Enterprise and Fedora.

What is sudo management?

Sudo management is a technique to restrict and manage privileged access, using sudo configuration files. Administrators can either use a single configuration file (/etc/sudoers), or create multiple per-user configuration files inside the /etc/sudoers.d directory.

These configuration files contain rules that govern which users can execute which commands with root privileges. They also contain other configurable parameters, like whether to require a password for authentication, a list of applicable hostnames and networks, and where to report incorrect password attempts

What does the sudo actually do?

Adding the sudo keyword before a command instructs the operating system to execute it as the root user. Here’s how a typical sudo command is run:

  • Read the /etc/sudoers file, and any files in the /etc/sudoers.d directory to retrieve the permissions of the user executing the command
  • If the permissions allow the user to run the entered command, continue. Otherwise, abort
  • If configured, ask the user for a password
  • Create a new child process
  • Inside the child process, invoke the given command as the root user

How do I add a user to sudo in Linux?

To add a user to sudo, you can either edit the /etc/sudoers file directly, or use the usermod utility, which comes pre-installed on most Linux distributions. Here’s how you can do it using usermod:
  1. Create a new account using the following command:
  2.   sudo adduser alex

    Follow on-screen prompts to set the password and other information for the user.

  3. Run this command to add the user to the list of sudoers.
  4.   usermod -aG sudo alex

That’s it. The user has been granted sudo privileges. In the next section, we will talk about assigning the relevant permissions to the user.

What is Linux privilege management?

Linux privilege management is a means to protect security-critical assets and operations from unauthorized access. It ensures that only the required people can interact with the root file system, kernel and core services.

Sudo configuration files are a good way to implement privilege access management (PAM) in Linux. Through rules defined within these files, administrators can assign granular privileges to users and user groups. For example, they can grant a production engineer the rights to restart a core service using sudo. Or they can create a user group for network engineers, and allow them to execute networking related commands as the super-user.

Let’s look at a few sample rules:
  1. To let a user named “alex” restart the postgres service as the root user, add the following entry to the sudo configuration file:
  2.   alex ALL=(ALL) /bin/systemctl restart postgresd

  3. To allow Alex to execute a list of commands, use this syntax:
  4.   alex ALL=(ALL) command1, command2, command3

  5. To allow a group named sysadmins to assume root privileges:
  6.   %sysadmins ALL=(ALL) ALL

Assigning user-level privileges using sudo ensures that nobody has more permissions than they need.

What is the difference between su and sudo commands?

The su command in Linux is used to switch to a different user account. For example, if you enter the command su bob, you will be prompted for Bob’s password. If you enter the correct password, you will switch over to Bob’s account.

If you don’t specify a username after the keyword su, it is assumed to be root, and you are prompted for the root user password. Since the commands sudo and su have overlapping functionalities and similar syntax, Linux users are often confused about their usage.

Both allow regular users to assume root privileges. Sudo does it by temporarily granting those privileges on a per-command or per-user basis, whereas su does it by letting a regular user be the root user, whenever needed.

It’s considered a best practice to never use su to grant root privileges, as sharing root credentials is not a good idea. Instead, use sudo to assign bare-minimum permissions to only the required users, as and when necessary.

Security best practices with sudo

Sudo is undeniably a great tool for Unix privilege management. However, to stay safe, it’s recommended to follow certain best practices while granting sudo rights.

Use multiple sudo configuration files

Instead of putting all configurations inside a single /etc/sudoers file, it’s recommended to create multiple configuration files, on a per-user or per-application basis. This simplifies the process of defining, editing and managing privileges.

Don’t use the ALL keyword while granting privileges

The ALL keyword grants all root privileges to a user. This violates the principle of least privilege, and leaves your critical infrastructure susceptible to privilege escalation attacks. Instead, specify a list of commands/operations that the user needs to perform their daily activities.

Don’t allow unlimited password-less execution

The PASSWD keyword allows you to define a list of commands that can be run with sudo, without a password. You can also specify ALL as the value for this keyword, which results in the user never being prompted for a password. To decrease the chances of unauthorized access, never set the PASSWD field to ALL.

Configure a suitable sudo password prompt timeout

The sudo utility remembers your password for a certain duration. During this duration, you can execute sudo commands without getting a password prompt. By default, this duration is five minutes. Depending on your security policy, you can choose a different duration by adding this line to your configuration file:

    Defaults timestamp_timeout= [add duration here in minutes]

Log sudo activity to a different file

By default, sudo creates logs in a file that also contains messages from other system services. It’s recommended to configure sudo to log to a different file. Add the following line to your sudo configuration file to do so:

    Defaults logfile=/var/log/sudologs.log