Linux Security Tip-of-the-day: sudo


In all operating systems it is never a good idea to log in and do standard operations as the root/administrative user. The longer you are logged in as the administrator and the more tasks you run, the greater the chance of you doing something that you may regret.

In Linux and Unix-based operating systems, the sudo (Switch User and Do) utility is included to allow you to set up specific command rights so that users can run specific actions as another user, including the administrator account. This command is extremely useful in distributed administration because you can assign specific users specific rights, such as changing passwords, modifying the firewall(s), modifying network settings and more, without giving them full root/administrator access to the system.

To configure the sudo rights you must enter the command “visudo” in the command line while logged in as the administrator. I was planning to give you the quick syntax for editing the file, but there are several ways that you can edit the file, so it would be best if you read the sudoers man pages.

I know that in some distributions the first user automatically has sudo rights to run all commands as the root user, but that is bad practice; this method allows anyone that knows the user’s password to run whatever commands they want. This method is better than what is currently being used in Windows-based operating systems, but it still opens the system to unnecessary risk.

The best policy is to assign only the commands that the specific user needs access to. For commands that have a high probability of harming the system or compromising security, it is best to force the users to prove they are the administrator by logging in as the administrator by issuing the “su” or Switch User command.
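
A sudoers fragment illustrating the policy described above, as an added example that is not from the original post. The user names, alias names and command paths are assumptions and vary by distribution.

```sudoers
# Constructed example: users alice, bob, carol and the alias names are
# hypothetical; confirm command paths on your own system.
# Edit with "visudo" so the syntax is checked before the file is saved.

# Broad grant of the kind some distributions give the first user:
# every command, as any user. Shown commented out for comparison.
# alice    ALL = (ALL) ALL

# Group the users who share a duty.
User_Alias  HELPDESK  = alice, bob

# Password changes for ordinary accounts, excluding root
# (pattern taken from the sudoers man page examples).
Cmnd_Alias  PASSWORDS = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*

# Firewall changes only.
Cmnd_Alias  FIREWALL  = /usr/sbin/iptables

# Each user gets only the commands the role needs, run as root.
HELPDESK    ALL = (root) PASSWORDS
carol       ALL = (root) FIREWALL

# Anything not listed here is refused by sudo, so higher-risk commands
# still require becoming the administrator with "su".
```

Running `visudo -c` checks the file for syntax errors, and `sudo -l -U alice` (as root) lists what a given user is allowed to run.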