Security Tip # 3 – sudo

Posted bySuuzePosted inSecurityTags:, , , , , , , , , ,

This post is part of a series on my top 10 tips for securing Linux home installations. You can find the other posts here.

Use sudo

Sudo allows a user account on a Linux machine to run commands and perform tasks as another user. Typically, as an administrator or root user. Most modern Linux distros will prompt for sudo access to root to be configured during installation. Direct login as user ‘root’ is usually disabled by default, though it can be enabled by setting a password for the root user.

My recommendation is to leave direct root logins disabled, and continue using sudo for privileged access as needed. Here’s why:

  • The root user on a Linux machine has god-like powers. A human error can easily trash a Linux system when the user is logged on as root, or a process is running as the root user.
  • Performing your day-to-day tasks as a non-privileged user provides a measure of sandboxing. Your Linux apps won’t be running as root with unnecessary power over your machine.
  • Finally all sudo access gets logged, providing an audit trail which helps track unusual activity on your system.

So how do you run sudo? Simply run the command you want to run as another user, preceded by the word ‘sudo’. 

sudo <command>

You will be prompted to enter your own password. This is to prove that you are you, before proceeding. Sudo will then check if your user account has the privileges necessary before running the command.

For example, to view the sudoers file which is only readable by user root:

sudo cat /etc/sudoers

Another example, to update all packages on a Fedora system:

sudo dnf update

You can use sudo to take on the identity of another user. This is most often used to take on root’s identity:

sudo su - root

This should take you to the ‘#’ prompt, indicating you have now become root. I recommend limiting the commands run in this mode for the reasons listed above.

Configuring and customizing sudo

Sudo can be configured by editing the sudoers file using visudo or by creating sudo ‘modules’ in /etc/sudoers.d/. Stay tuned for a future deep-dive into sudo.

Also, sudo’s behaviour can be customized – for instance, the password prompt timeout (how often sudo prompts a user for a password) can be changed. Sudo can also be configured to not prompt for a password (not recommended for general usage, it defeats the purpose of using sudo).

Find out more

That’s it! Stay tuned for Tip # 4 tomorrow. Meanwhile, let me know what you thought of this article by leaving a comment below.

A glossary of terms is available here.

Once again, ensure you’re familiar with the disclaimer here!

Sources

The post references documentation and articles on github.com, and fedoraproject.org. Sources are linked to within the post’s content above.

Featured image by Pixabay on Pexels.com.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: