
sudo

The sudo command allows a user to run a command as root, or some other user. It has several benefits over su:

  • It can restrict who has access, and what commands they may run.
  • It can be configured to not require a password in some situations.
  • It can log commands that the user runs.

This page documents the configuration of sudo for Debian 6.0. Previous versions of Debian did things quite a bit differently – see versions of this page prior to 2012-01-28 for those details.

Prerequisites

Root Password

We're going to configure sudo to require the root password in most cases. If you configured Debian during installation to not have a root password, be sure to add one:

passwd root  # NOTE: Interactive!

Admin Users

Debian automatically creates a group named sudo. The members of that group have sudo access (to run anything as root) granted by the default configuration.

When installing Debian 6.0, the first user is added to the sudo group. Any other admin users will have to be added to that group. You can use one of these commands:

USERNAME='admin_user'
usermod --append --groups sudo "$USERNAME"

# or, equivalently:
USERNAME='admin_user'
adduser "$USERNAME" sudo

Installation

It appears that Debian 6.0 will install sudo by default, if you don't specify a root password during installation, or if you select the Desktop task.

Our installations of Debian typically do not include sudo by default, so we have to install it manually:

apt-get install sudo

Note that if you use LDAP for user accounts, you'll need to install sudo-ldap instead of sudo.

Configuration

Require Root Password

By default, sudo requires a user to type in their own password in order to run a command. For added security, we prefer to use a different password to run commands as root. This way, if a user password is compromised, the attacker cannot run commands as root without additional work.

cat > /etc/sudoers.d/require_root_password << EOF
# Require root password (instead of the user's own password).
Defaults        rootpw
EOF
chmod 440 /etc/sudoers.d/require_root_password
visudo -c -f /etc/sudoers.d/require_root_password

Environment

The sudo command ensures that certain environment variables are not carried over, to prevent security problems. We need to tweak the set of environment variables a bit.

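# The heredoc delimiter is quoted so the shell does not expand $HOME or join the backslash-continued lines.
cat > /etc/sudoers.d/environment << 'EOF'
# Set $HOME to the target user's home directory. Allows mysql clients to find root's $HOME/.my.cnf config file automatically.
Defaults        always_set_home
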
# Reset all environment variables, except the ones we explicitly list.
Defaults        env_reset
Defaults        env_keep = "PATH MAIL PS1 PS2 HOSTNAME HISTSIZE \
                           LS_COLORS COLORS INPUTRC TZ \
                           LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                           LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                           LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                           SSH_AUTH_SOCK"
EOF
chmod 440 /etc/sudoers.d/environment
visudo -c -f /etc/sudoers.d/environment

Package Management

Since installing and updating software from standard repositories is a common admin task with low security risk, we'll allow it without requiring a password.

touch /etc/sudoers.d/package_management
# The heredoc delimiter is quoted so the backslash line continuations reach the file intact.
cat > /etc/sudoers.d/package_management << 'EOF'
# Admin users may install and update software packages without having to supply a password.
Cmnd_Alias      PACKAGE_INFO    = /usr/bin/apt-get check, \
                                  /usr/bin/apt-cache search *, /usr/bin/apt-cache show *, /usr/bin/apt-cache showpkg *, \
                                  /usr/bin/aptitude search *, /usr/bin/aptitude show *, /usr/bin/aptitude changelog *
Cmnd_Alias      PACKAGE_INSTALL = /usr/bin/apt-get install *, \
                                  /usr/bin/aptitude install *, /usr/bin/aptitude reinstall *
Cmnd_Alias      PACKAGE_UPDATE  = /usr/bin/apt-get update, /usr/bin/apt-get upgrade, \
                                  /usr/bin/aptitude update, /usr/bin/aptitude safe-upgrade
Cmnd_Alias      PACKAGE_CLEAN =   /usr/bin/apt-get autoremove, /usr/bin/apt-get clean, /usr/bin/apt-get autoclean, \
                                  /usr/bin/aptitude clean, /usr/bin/aptitude autoclean
%sudo           ALL = NOPASSWD: PACKAGE_INFO, PACKAGE_INSTALL, PACKAGE_UPDATE, PACKAGE_CLEAN
EOF
chmod 440 /etc/sudoers.d/package_management
visudo -c -f /etc/sudoers.d/package_management

Notes

  • Allowing sudo without a password should be limited as much as possible. Be sure that the commands cannot be used to make arbitrary changes to files or run arbitrary commands.
  • Previous versions of Debian allowed users in the sudo group to use sudo to perform any command without a password. This is not a good security practice. On those systems, we used a different group (wheel) and set that group to be allowed to run any command with a password.
  • Note that if you allow a user to run a command as root, and the command allows them to shell out, they can then effectively run any command as root. So don't give access to things like vi, unless you're willing to give access to ALL commands.
  • You should always use visudo when editing the configuration files. This will prevent you from saving an invalid configuration file. For programmatically-written files, the -c option can be used.
  • If you use sudo to create a new file within /etc/sudoers.d, you'll get a warning message when you then use sudo to change the permissions on that file.
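
One way to apply the first and third notes to a fragment such as package_management, as an added example that is not part of the original page: the hypothetical audit_nopasswd function lists NOPASSWD commands that take wildcard arguments or that name a program able to shell out. The program list and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: report NOPASSWD commands that deserve a second look.
# Simplifying assumptions: one alias per Cmnd_Alias line, no nested aliases,
# and everything after "NOPASSWD:" on a rule is treated as passwordless.
# The SHELLOUT program list is a starting point, not a complete inventory.
audit_nopasswd() {
    awk '
    # Join backslash-continued lines into one logical line.
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
    { line = buf $0; buf = "" }
    # Skip comments and blank lines.
    line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }
    # Remember each alias and its command list.
    line ~ /^[ \t]*Cmnd_Alias[ \t]/ {
        sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", line)
        eq = index(line, "=")
        name = substr(line, 1, eq - 1); gsub(/[ \t]/, "", name)
        alias[name] = substr(line, eq + 1)
        next
    }
    # Expand aliases on NOPASSWD rules and check every command.
    (p = index(line, "NOPASSWD:")) {
        n = split(substr(line, p + 9), item, ",")
        for (i = 1; i <= n; i++) {
            key = trim(item[i])
            m = split((key in alias) ? alias[key] : key, cmd, ",")
            for (j = 1; j <= m; j++) check(trim(cmd[j]))
        }
    }
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function check(c,   prog) {
        # A wildcard matches any arguments, options included.
        if (c ~ /[*?]/) print "WILDCARD " c
        prog = c; sub(/[ \t].*/, "", prog); sub(/.*\//, "", prog)
        if (prog ~ /^(vi|vim|nano|less|more|man)$/) print "SHELLOUT " c
    }' "$@"
}

# Constructed sample: a shortened package_management file plus a vi entry.
sample_fragment() {
    cat << 'EOF'
Cmnd_Alias PACKAGE_INSTALL = /usr/bin/apt-get install *, \
                             /usr/bin/aptitude install *
Cmnd_Alias PACKAGE_UPDATE  = /usr/bin/apt-get update, /usr/bin/apt-get upgrade
%sudo ALL = NOPASSWD: PACKAGE_INSTALL, PACKAGE_UPDATE, /usr/bin/vi
EOF
}

sample_fragment | audit_nopasswd
```

The function also accepts file names, for example audit_nopasswd /etc/sudoers.d/package_management.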

TODO

  • Add some more limited commands for some users.
  • Investigate the differences between the default set of environment variables and the ones we're using.
  • Take some action if the visudo check of the configuration files fails.
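
One way to handle the last TODO item, as an added example rather than this site's own script: the hypothetical install_sudoers_fragment function writes the fragment to a hidden temporary file, runs visudo -c on it, and renames it into place only when the check passes. The VISUDO and SUDOERS_D variables are assumptions added so the function can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added example: validate a sudoers fragment before it becomes live.
# VISUDO and SUDOERS_D are overridable (an assumption of this example).
VISUDO="${VISUDO:-visudo}"
SUDOERS_D="${SUDOERS_D:-/etc/sudoers.d}"

# Usage: install_sudoers_fragment NAME < fragment
# Returns 0 if installed, 1 if rejected. On rejection any existing file
# with that name is left untouched.
install_sudoers_fragment() {
    name=$1
    # sudo skips files in sudoers.d whose names contain '.' or end in '~',
    # so such a fragment would be silently ignored: refuse the name.
    case $name in
        ''|*.*|*~|*/*) echo "bad fragment name: $name" >&2; return 1 ;;
    esac
    # The dots in the temp name keep sudo from parsing the half-written
    # file; staying in the same directory makes the final mv a rename.
    tmp=$(mktemp "$SUDOERS_D/.$name.XXXXXX") || return 1
    cat > "$tmp"
    chmod 0440 "$tmp"
    if "$VISUDO" -c -q -f "$tmp"; then
        mv -f "$tmp" "$SUDOERS_D/$name"
    else
        echo "visudo rejected $name; existing configuration left in place" >&2
        rm -f "$tmp"
        return 1
    fi
}
```

Run as root, the heredocs above can be piped into it, for example: install_sudoers_fragment require_root_password << EOF.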
build/sudo.txt · Last modified: 2016/02/26 10:37 by Craig Buchek