The sudo command allows a user to run a command as root, or some other user. It has several benefits over su:
This page documents the configuration of sudo for Debian 6.0. Previous versions of Debian did things quite a bit differently – see versions of this page prior to 2012-01-28 for those details.
We're going to configure sudo to require the root password in most cases. If you configured Debian during installation to not have a root password, be sure to add one:
passwd root # NOTE: Interactive!
Debian automatically creates a group named sudo.
The members of that group have sudo access (to run anything as root) granted by the default configuration.
When installing Debian 6.0, the first user is added to the sudo group.
Any other admin users will have to be added to that group.
You can use one of these commands:
USERNAME='admin_user'
usermod --append --groups sudo "$USERNAME"
USERNAME='admin_user'
adduser "$USERNAME" sudo
It appears that Debian 6.0 will install sudo by default, if you don't specify a root password during installation, or if you select the Desktop task.
Our installations of Debian typically do not include sudo by default, so we have to install it manually:
apt-get install sudo
Note that if you use LDAP for user accounts, you'll need to install sudo-ldap instead of sudo.
By default, sudo requires a user to type in their own password in order to run a command. For added security, we prefer to use a different password to run commands as root. This way, if a user password is compromised, the attacker cannot run commands as root without additional work.
cat > /etc/sudoers.d/require_root_password << EOF
# Require root password (instead of the user's own password).
Defaults rootpw
EOF
chmod 440 /etc/sudoers.d/require_root_password
visudo -c -f /etc/sudoers.d/require_root_password
The sudo command ensures that certain environment variables are not carried over, to prevent security problems. We need to tweak the set of environment variables a bit.
cat > /etc/sudoers.d/environment << EOF
# Set \$HOME to the target user's home directory. Allows mysql clients to find root's \$HOME/.my.cnf config file automatically.
Defaults always_set_home
# Reset all environment variables, except the ones we explicitly list.
Defaults env_reset
Defaults env_keep = "PATH MAIL PS1 PS2 HOSTNAME HISTSIZE \
    LS_COLORS COLORS INPUTRC TZ \
    LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
    LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
    SSH_AUTH_SOCK"
EOF
chmod 440 /etc/sudoers.d/environment
visudo -c -f /etc/sudoers.d/environment
Since installing and updating software from standard repositories is a common admin task with low security risk, we'll allow it without requiring a password.
touch /etc/sudoers.d/package_management
cat > /etc/sudoers.d/package_management << EOF
# Admin users may install and update software packages without having to supply a password.
Cmnd_Alias PACKAGE_INFO = /usr/bin/apt-get install *, /usr/bin/apt-get check, \
    /usr/bin/apt-cache search *, /usr/bin/apt-cache show *, /usr/bin/apt-cache showpkg *, \
    /usr/bin/aptitude search *, /usr/bin/aptitude show *, /usr/bin/aptitude changelog *
Cmnd_Alias PACKAGE_INSTALL = /usr/bin/apt-get install *, \
    /usr/bin/aptitude install *, /usr/bin/aptitude reinstall *
Cmnd_Alias PACKAGE_UPDATE = /usr/bin/apt-get update, /usr/bin/apt-get upgrade, \
    /usr/bin/aptitude update, /usr/bin/aptitude safe-upgrade
Cmnd_Alias PACKAGE_CLEAN = /usr/bin/apt-get autoremove, /usr/bin/apt-get clean, /usr/bin/apt-get autoclean, \
    /usr/bin/aptitude clean, /usr/bin/aptitude autoclean
%sudo ALL = NOPASSWD: PACKAGE_INFO, PACKAGE_INSTALL, PACKAGE_UPDATE, PACKAGE_CLEAN
EOF
chmod 440 /etc/sudoers.d/package_management
visudo -c -f /etc/sudoers.d/package_management
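A fragment like package_management is worth re-reading after every change, because the alias names hide what is actually granted without a password. The following shell/awk audit is an added example, not part of the original page: it prints one line per command granted with NOPASSWD, expanding Cmnd_Alias names, and marks an entry FLAG when it is ALL or contains a wildcard, since in sudoers a '*' matches any characters including whitespace, so extra arguments and options pass through such a rule. The function name audit_nopasswd is my own choice.

```shell
#!/bin/sh
# Added example, not part of the original page. Reports what a sudoers
# fragment grants with NOPASSWD, one line per command, after expanding
# Cmnd_Alias names. Entries that are ALL or contain a '*' are marked
# FLAG: in sudoers a '*' matches any characters, whitespace included,
# so additional arguments and options get through such a rule.
# Usage: audit_nopasswd /etc/sudoers.d/package_management [more files]
audit_nopasswd() {
    awk '
    function report(who, cmd,    m, parts, j, flag) {
        sub(/^[ \t]+/, "", cmd); sub(/[ \t]+$/, "", cmd)
        if (cmd in alias) {               # expand a Cmnd_Alias recursively
            m = split(alias[cmd], parts, /[ \t]*,[ \t]*/)
            for (j = 1; j <= m; j++) report(who, parts[j])
            return
        }
        flag = (cmd == "ALL" || cmd ~ /\*/) ? "FLAG" : "ok"
        printf "%s %s -> %s\n", flag, who, cmd
    }
    # Glue continuation lines (trailing backslash) into one logical line.
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
    { line = buf $0; buf = ""; sub(/^[ \t]+/, "", line) }
    line == "" || line ~ /^#/ { next }    # comments and blank lines
    line ~ /^Cmnd_Alias[ \t]/ {           # Cmnd_Alias NAME = cmd, cmd, ...
        sub(/^Cmnd_Alias[ \t]+/, "", line)
        eq = index(line, "=")
        name = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", name)
        alias[name] = substr(line, eq + 1)
        next
    }
    line ~ /NOPASSWD:/ {                  # user_or_%group host = NOPASSWD: list
        who = line; sub(/[ \t].*/, "", who)
        cmds = line; sub(/.*NOPASSWD:[ \t]*/, "", cmds)
        sub(/,[ \t]*[A-Z_]+:.*$/, "", cmds)   # stop at a later tag such as PASSWD:
        n = split(cmds, c, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) report(who, c[i])
    }
    ' "$@"
}

if [ $# -gt 0 ]; then
    audit_nopasswd "$@"
fi
```

Run it against the fragment just written and every line marked FLAG is a command that accepts arbitrary arguments without a password; each one should be either narrowed to the exact invocation you intend or moved to a rule that requires the root password.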
sudo without a password should be limited as much as possible. Be sure that the commands cannot be used to make arbitrary changes to files or run arbitrary commands.
sudo group to use sudo to perform any command without a password. This is not a good security practice. On those systems, we used a different group (wheel) and set that group to be allowed to run any command with a password.
Do not give sudo access to vi, unless you're willing to give access to ALL commands.
Use visudo when editing the configuration files. This will prevent you from saving an invalid configuration file. For programmatically-written files, the -c option can be used.
If a file in /etc/sudoers.d has the wrong permissions, you'll get a warning message when you try using sudo to change the permissions on that file.
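The three fragments written above and the last two notes (check with visudo -c, get the permissions right before sudo sees the file) can be folded into one helper. This is an added example, not from the original page: the function names are mine, and the SUDOERS_DIR and VISUDO variables are assumed overrides so the helper can be rehearsed against a scratch directory with a stand-in for visudo. One check it adds is on the file name itself: sudo's #includedir skips files whose names contain a '.' or end in '~' (sudoers(5)), so a fragment called package_management.conf would be silently ignored.

```shell
#!/bin/sh
# Added example, not part of the original page. Installs a fragment into
# /etc/sudoers.d the way the page's three cat/chmod/visudo steps do, but
# atomically and only after the syntax check passes. SUDOERS_DIR and
# VISUDO are assumed overrides for rehearsing in a scratch directory.
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"
VISUDO="${VISUDO:-visudo}"

# sudo ignores #includedir files whose names contain '.' or end in '~'
# (sudoers(5)); reject such names (and empty or path-like ones) up front.
sudoers_fragment_name_ok() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: install_sudoers_fragment NAME < content
# 1. write stdin to a temp file in SUDOERS_DIR (its name contains a '.',
#    so sudo ignores it even if something fails and it is left behind),
# 2. chmod 0440 before the check, since visudo -c also inspects the mode,
# 3. run "visudo -c -f" on it,
# 4. rename it to NAME; rename is atomic, so sudo never reads a half file.
install_sudoers_fragment() {
    frag_name=$1
    sudoers_fragment_name_ok "$frag_name" || {
        echo "refusing '$frag_name': sudo ignores names containing '.' or ending in '~'" >&2
        return 1
    }
    frag_tmp=$(mktemp "$SUDOERS_DIR/.$frag_name.XXXXXX") || return 1
    cat > "$frag_tmp" || { rm -f "$frag_tmp"; return 1; }
    chmod 0440 "$frag_tmp" || { rm -f "$frag_tmp"; return 1; }
    if ! "$VISUDO" -c -f "$frag_tmp"; then
        echo "syntax check failed, $frag_name not installed" >&2
        rm -f "$frag_tmp"
        return 1
    fi
    mv "$frag_tmp" "$SUDOERS_DIR/$frag_name"
}

# Stand-alone use (as root): install the require_root_password fragment
# from this page with   sh thisfile.sh --install-rootpw
case "${1-}" in
    --install-rootpw)
        install_sudoers_fragment require_root_password <<'EOF'
# Require root password (instead of the user's own password).
Defaults rootpw
EOF
        ;;
esac
```

Run as root, the helper leaves /etc/sudoers.d untouched unless visudo accepted the new file, which is what the page's manual chmod-then-visudo sequence is trying to achieve; to try it without root, point SUDOERS_DIR at a scratch directory and set VISUDO to a stand-in command.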