API tools faq
paste
Advertisement
Tritonio

8 Ways to Tweak and Configure Sudo on Ubuntu

Tritonio
Mar 15th, 2021
116
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.63 KB | None | 0 0
raw download clone embed print report
  1. Specify Users With Sudo Permissions
  2.  
  3. The user account you create while installing Ubuntu is marked as an Administrator account, which means it can use sudo. Any additional user accounts you create after installation can be either Administrator or Standard user accounts – Standard user accounts don’t have sudo permissions.
  4.  
  5. You can control user account types graphically from Ubuntu’s User Accounts tool. To open it, click your user name on the panel and select User Accounts or search for User Accounts in the dash.
  6.  
  7. image
  8. Make Sudo Forget Your Password
  9.  
  10. By default, sudo remembers your password for 15 minutes after you type it. This is why you only have to type your password once when executing multiple commands with sudo in quick succession. If you’re about to let someone else use your computer and you want sudo to ask for the password when it runs next, execute the following command and sudo will forget your password:
  11.  
  12. sudo –k
  13.  
  14. image
  15. Always Ask For a Password
  16.  
  17. If you’d rather be prompted each time you use sudo – for example, if other people regularly have access to your computer — you can disable the password-remembering behavior entirely.
  18.  
  19. This setting, like other sudo settings, is contained in the /etc/sudoers file. Run the visudo command in a terminal to open the file for editing:
  20.  
  21. sudo visudo
  22.  
  23. In spite of its name, this command defaults to the new-user-friendly nano editor instead of the traditional vi editor on Ubuntu.
  24.  
  25. Add the following line below the other Defaults lines in the file:
  26.  
  27. Defaults timestamp_timeout=0
  28.  
  29. image
  30.  
  31. Press Ctrl+O to save the file, and then press Ctrl+X to close Nano. Sudo will now always prompt you for a password.
  32. Change the Password Timeout
  33.  
  34. To set a different password timeout – either a longer one like 30 minutes or a shorter one like 5 minutes – follow the steps above but use a different value for timestamp_timeout. The number corresponds to the number of minutes sudo will remember your password for. To have sudo remember your password for 5 minutes, add the following line:
  35.  
  36. Default timestamp_timeout=5
  37.  
  38. image
  39. Never Ask for a Password
  40.  
  41. You can also have sudo never ask for a password – as long as you’re logged in, every command you prefix with sudo will run with root permissions. To do this, add the following line to your sudoers file, where username is your username:
  42.  
  43. username ALL=(ALL) NOPASSWD: ALL
  44.  
  45. image
  46.  
  47. You can also change the %sudo line – that is, the line that allows all users in the sudo group (also known as Administrator users) to use sudo – to have all Administrator users not require passwords:
  48.  
  49. %sudo ALL=(ALL:ALL) NOPASSWD:ALL
  50.  
  51. Run Specific Commands Without a Password
  52.  
  53. You can also specify specific commands that will never require a password when run with sudo. Instead of using “ALL” after NOPASSWD above, specify the location of the commands. For example, the following line will allow your user account to run the apt-get and shutdown commands without a password.
  54.  
  55. username ALL=(ALL) NOPASSWD: /usr/bin/apt-get,/sbin/shutdown
  56.  
  57. This can be particularly useful when running specific commands with sudo in a script.
  58.  
  59. image
  60. Allow a User to Run Only Specific Commands
  61.  
  62. While you can blacklist specific commands and prevent users from running them with sudo, this isn’t very effective. For example, you could specify that a user account not be able to run the shutdown command with sudo. But that user account could run the cp command with sudo, create a copy of the shutdown command, and shut down the system using the copy.
  63.  
  64. A more effective way is to whitelist specific commands. For example, you could give a Standard user account permission to use the apt-get and shutdown commands, but no more. To do so, add the following line, where standarduser is the user’s username:
  65.  
  66. standarduser ALL=/usr/bin/apt-get,/sbin/shutdown
  67.  
  68. image
  69.  
  70. The following command will tell us what commands the user can run with sudo:
  71.  
  72. sudo -U standarduser –l
  73.  
  74. image
  75. Logging Sudo Access
  76.  
  77. You can log all sudo access by adding the following line. /var/log/sudo is just an example; you can use any log file location you like.
  78.  
  79. Defaults logfile=/var/log/sudo
  80.  
  81. image
  82.  
  83. View the contents of the log file with a command like this one:
  84.  
  85. sudo cat /var/log/sudo
  86.  
  87. image
  88.  
  89. Bear in mind that, if a user has unrestricted sudo access, that user has the ability to delete or modify the contents of this file. A user could also access a root prompt with sudo and run commands that wouldn’t be logged. The logging feature is most useful when coupled with user accounts that have restricted access to a subset of system commands.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!