REPOST: Securing *NIX root access with SUDO
Securing root access by configuring SUDO
In previous blog posts, we have enabled and used the root account to make changes to important *nix configuration files and tweak the system to behave more to our liking, for example to prevent the mounting of unneeded Windows volumes while using Mac OS X: https://www.catracing.org/hendrb/?p=32 (Suppressing auto mount of volumes in OS X with /etc/fstab). I mentioned there that using the root account was not an accepted best practice. So what is considered "best practice"? How are you supposed to run commands, or edit important system files, that require root access?
Also in the previous article I introduced you to the command su, which, incidentally, stands for "switch user", not "superuser". Don't believe me? su will let me switch to any user on the system and inherit the rights of that user, not specifically superuser access. In today's article I will introduce you to another command, sudo, or "switch user do". (In Windows this would be the equivalent of the Run As option.)
Let's first take a look at sudo in an OS X terminal session. I will open the file /etc/hosts in vi as a normal user, using the absolute path.
prompt$ vi /etc/hosts
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
~
~
~
~
~
~
"/etc/hosts" [readonly] 17L, 445C
Notice that the file was opened read-only? This is because my normal user account does not have permission to write to /etc/hosts. While we could su to root and then issue vi /etc/hosts, this is considered poor practice and frowned upon. Best practice stipulates that you should always log in with an account that has the least privileges needed, and use a privileged account only when necessary (some system administrators actually recommend disabling root logins anywhere but the actual server console). This not only protects your workstation from attackers gaining root-level access, but also protects you from doing something stupid, like accidentally deleting important files or directories.
Let's take a look at CentOS and discuss how to configure sudo.
$ sudo vi /etc/hosts
user is not in the sudoers file. This incident will be reported!
Uh oh! What did we do? No need to panic or plan on leaving the country; this is completely normal. We have not yet configured the system to allow your account to use the sudo command.
In order to configure sudo, we need to edit a file called /etc/sudoers. However, there is a catch: you do not want to edit the sudoers file in any old text editor (you are even told this in the man page for sudo). Instead we will use the visudo command, which loads /etc/sudoers into vi for us, locks the file against concurrent edits, and checks the syntax before saving, so a typo cannot lock you out of sudo. Yes, you will first have to su to root. It's okay! This will be the last time you will need to do this on your system. Go for it, I won't tell anyone!
Now that you have switched to the root account, there are two ways to allow your user account to use the sudo command. The simplest method is to add your username to the file directly; we will discuss this first, and it works fine for a stand-alone desktop with only one or two users. The second method, which is best practice for a server with multiple users, is to add a group to the system and configure the sudoers file to allow members of that group to use the command. That way, instead of modifying the file each time you want to grant a user sudo access, you just add them to the group.
So let's get into method #1.
First, su to root.
$ su -
Password:
(enter your root password)
Now type visudo.
# visudo
You should now see the sudoers file loaded into the standard vi editor.
Look for the following line.
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
Use your cursor keys to position the cursor on the line below this one, then enter insert mode by pressing i and add the following.
<username> ALL=(ALL) ALL
Return to command mode by pressing ESC, then write the file and quit with the :wq command. You should now log off the system and back in so the new sudoers file is reprocessed.
Now test that the file was edited correctly by trying to edit /etc/hosts with the sudo command.
$ sudo vi /etc/hosts
You should be prompted for your password.
password:
Enter YOUR user password. If everything is successful, you should now be in vi with /etc/hosts loaded, and the file should not be read-only this time.
Quit vi by entering :q
Now let's look at the second method I mentioned above (this time on CentOS Linux). OS X users can simply create the group sudo using System Preferences > Users & Groups, add it to your user account, and skip ahead to the visudo step below.
For those using Linux, switch to root (or use sudo if you completed the steps above).
$ su -
password: <enter root password>
We will now create a new group called sudo (I will not be using any options; if you wish to know more about this command, check out its man page).
# groupadd sudo
We now must add the new group sudo to your user account as a supplementary group.
# usermod -a -G sudo <username>
Option -a appends a supplementary group to the specified user account; it MUST be used together with the -G option (without -a, usermod -G replaces the user's existing supplementary groups instead of adding to them).
The argument to -G is the newly created group 'sudo', followed by the name of the user account. Note: you can add multiple supplementary groups here with the group names separated by commas.
We can verify that the group was successfully added to the user by the following command.
# groups <username>
You should see a list of the groups the user is a member of, including the newly created group sudo.
The last thing we need to do to wrap this up is go back into /etc/sudoers and add the sudo group.
# visudo
Look for the following text.
## Allows people in the group wheel to run all commands.
# %wheel ALL=(ALL) ALL
Move your cursor below that line and enter insert mode by pressing i.
Add the following line to the file.
%sudo ALL=(ALL) ALL
Hit ESC to return to command mode, then save and exit vi by entering :wq
You can now control who has full sudo access simply by adding users to (or removing them from) the group sudo.
There is one more item I would like to cover regarding sudo. By default, you can keep using sudo for 10 minutes after entering your password before you are prompted again. I consider this poor security: if you leave your computer without closing your terminal session, anyone who comes along has full access to your system. You can configure sudo to always prompt for your password each time you use it, which I recommend that you do.
If you are still logged in as root in the terminal session, enter the exit command; this should take you back to your normal user account, which you can tell by the $ prompt.
$ sudo visudo
password: (enter YOUR password here)
You should now be in vi with /etc/sudoers loaded. Find the line of the file that says Defaults reset.
Move the cursor to the end of that line, enter insert mode by typing i (or A, which appends directly after the last character), and add ,timestamp_timeout=0
Exit insert mode by hitting ESC, then enter :wq
Now each time you use the sudo command, you will be prompted for your password.
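The group method and the timestamp_timeout setting above can be combined into a single sudoers drop-in that is validated before it ever touches the system. The script below is an added example, not code from the original post: it assumes the admin group is called sudo as in the post, that the system's /etc/sudoers contains an includedir line for /etc/sudoers.d (standard on current CentOS and recent OS X releases), and it uses a constructed /etc/group-style sample to demonstrate the membership check. Only the install step needs root.

```sh
#!/bin/sh
# Added example, not part of the original post. Builds the sudoers drop-in
# for the group method (the %sudo rule) together with the credential-cache
# setting (timestamp_timeout=0), validates it before it is installed, and
# checks group membership by parsing /etc/group-style text.
# Assumptions: the admin group is called "sudo" as in the post, and the
# system's /etc/sudoers contains "#includedir /etc/sudoers.d" so that the
# drop-in file is picked up. The group file below is constructed sample data.

# Print the two directives as they would appear in a sudoers drop-in.
sudoers_fragment() {
    group="$1"
    printf 'Defaults timestamp_timeout=0\n'
    printf '%%%s ALL=(ALL) ALL\n' "$group"
}

# Return 0 if USER is listed as a member of GROUP in GROUPFILE
# (format: name:password:gid:member1,member2 as in /etc/group).
user_in_group() {
    user="$1"; group="$2"; groupfile="$3"
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$groupfile")
    case ",$members," in
        *",$user,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Syntax-check a fragment. As root with visudo available, use visudo -cf,
# the same check visudo runs before saving; otherwise fall back to a pattern
# check so the example also runs on a machine without sudo installed.
check_fragment() {
    file="$1"
    if [ "$(id -u)" = "0" ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$file" >/dev/null 2>&1
    else
        grep -Eq '^Defaults[[:space:]]+timestamp_timeout=[0-9]+$' "$file" &&
        grep -Eq '^%[A-Za-z_][A-Za-z0-9_-]*[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL$' "$file"
    fi
}

# Write the fragment for GROUP to a temporary file and check it; 0 if valid.
fragment_is_valid() {
    tmp=$(mktemp)
    sudoers_fragment "$1" > "$tmp"
    chmod 0440 "$tmp"
    check_fragment "$tmp"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Install the fragment under /etc/sudoers.d (root only). The file is written
# and validated first, then moved into place with the 0440 mode sudo requires,
# so a typo can never leave the system with an unparsable sudoers.
install_fragment() {
    group="$1"; dest="/etc/sudoers.d/$group"
    tmp=$(mktemp)
    sudoers_fragment "$group" > "$tmp"
    chmod 0440 "$tmp"
    if check_fragment "$tmp"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "refusing to install an invalid sudoers fragment" >&2
        return 1
    fi
}

# Constructed sample in /etc/group format (not taken from a real system).
SAMPLE_GROUP_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP_FILE"' EXIT
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:
sudo:x:1001:alice,bob
users:x:100:alice,bob,carol
EOF

# Demonstration on the sample data; nothing here needs root.
sudoers_fragment sudo
for u in alice carol; do
    if user_in_group "$u" sudo "$SAMPLE_GROUP_FILE"; then
        echo "$u: member of group sudo, may run sudo"
    else
        echo "$u: not in group sudo"
    fi
done
if fragment_is_valid sudo; then
    echo "fragment for group sudo: syntax OK"
fi
```

To apply it for real, call install_fragment sudo from a root shell after the groupadd and usermod steps; the user then logs out and back in so the new group membership takes effect, and sudo -l shows them exactly which commands the rule grants. Keeping the rule in /etc/sudoers.d rather than appending to /etc/sudoers also means package updates that rewrite the main file leave your configuration alone.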
Congratulations, you are now using best practices when executing commands using elevated privileges.
I hope you enjoyed this blog post!