How To Increase SUDO Command Security in Linux

In the tasks that we execute daily in our Linux Distro, the use of the sudo command is very frequent to run a command with administrative privileges. Although the sudo command gives us administrative rights, there are some security flaws that we will see later.

What is the SUDO command?

The word sudo is the abbreviation of Switch User be Do, and this allows the user to execute it to have root or super admin permissions.

Note: We will make use of CentOS 7, but it applies equally to Debian, Ubuntu, etc.

Sudo Command Errors

Although it seems that sudo is very safe, we are going to analyze in which part can become a big security problem.

We open our operating system and try to execute a system update using the command:

sudo yum update

Let's see that for security we must enter the administrator password which is perfect if someone tries to perform some action on the system:

We enter our password and we will see that the system is updated according to our request.

So far everything normal and perfect; Suppose we go for a coffee and leave the session open, another person comes who is not authorized to see or execute any change and enters the command:

sudo df

Since you want to see the partitions of the system and what is the surprise and security failure ?, nothing more sudo no longer requests the password to see such information:

The reason for this security failure is that the sudo command stores its super administrator status for a period before switching back to the normal user without administrator privileges, which is why in this period of time tasks can be executed without requiring password, since it is stored in the cache memory.

How To Change the Cache SUDO Password

We will perform the following process to allow each time we use the sudo command to request the password.

First of all let's go to the root of the system using the syntax:

cd /

There we will enter the following parameter to edit the file of the sudo command, we will introduce:

sudo nano /etc/sudoers

A file with text is opened, we will go to the end of this file using the scroll arrows and we must enter the following:

Defaults:ALL timestamp_timeout=0

With this value we indicate to sudo that the time that must store in cache the password is zero (0).

We save the changes using the key combination: Ctrl + O

And exit the editor using the combination: Ctrl + X


Validate the Sudo Configuration

We will verify that we have efficiently solved this problem with sudo. Let's try to update the system again using:

sudo yum update

And we will see that it asks us to enter the administrator password:

If now we go back for a coffee and another “curious” person arrives and enters the command:

sudo free

It is to see free RAM or any other command you will see the following:

You must enter the administrator password to be able to see this information. The person doesn't believe and tries to use the command:

sudo top

And the following appears:

The same must enter the password. In this way we have increased the security of the sudo command, avoiding that the administrator password remains in the cache and thus not allowing any user to execute tasks that are not allowed.

It is enough to modify the sudoers file and thus improve the great utility of sudo.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *