Skip to main content

Managing sudo Access

Hands-On Lab

 

Photo of Bob Salmans

Bob Salmans

Training Architect

Length

00:30:00

Difficulty

Intermediate

In this lab, we will look at how to manage access to sudo. We will strengthen sudo security by removing unnecessary default settings and configure sudo to always require a password. Then, we'll permit specific user accounts to use sudo.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Managing sudo Access

Introduction

We've been asked to make some changes to the sudoers file, as there have been some personnel changes in the IT department at our organization. The changes that need to be made are:

  1. Disable the use of the wheel group in the sudoers file using comments.

  2. Enable full sudo access for the following users:

    • cloud_user
    • pbeesly
    • jhalpert
  3. Ensure a password is required each time the sudo command is run.

Setting Up the Environment

  1. Open your terminal application, and log in to the environment using the credentials provided on the lab instructions page. (Remember to replace <PUBLIC_IP_ADDRESS> with the actual public IP address.)

    ssh cloud_user@<PUBLIC_IP_ADDRESS>
  2. Type yes at the prompt.

  3. Enter your password at the prompt.

  4. Become root (by executing su -).

Disable the Use of the wheel Group in the sudoers File

Comment out the line in the sudoers file that allows wheel group access:

[root@host]# visudo

Press / to search for a term, then type wheel and press Enter. This will take us where we need to go. Press i to enter Insert mode, and comment out the line so it reads:

 #%wheel  ALL=(ALL)       ALL

Provide Full sudo Access to cloud_user, pbeesly, and jhalpert

Farther down the file, in the section for users, add the following lines:

cloud_user  ALL=(ALL)       ALL
pbeesly     ALL=(ALL)       ALL
jhalpert    ALL=(ALL)       ALL

Configure sudo to Require a Password Each Time the sudo Command Is Used

To require a password each time sudo is used, add this line underneath the existing Defaults line:

Defaults    timestamp_timeout=0

We can find it the same way we found wheel, by exiting insert mode (hitting Esc), then typing / and searching for Defaults.

Once we're done, hit Esc again, then :wq to save and exit the editor.

Conclusion

Congratulations, you've successfully completed this hands-on lab!