Skip to Content
Linux Security Cookbook
book

Linux Security Cookbook

by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
June 2003
Intermediate to advanced
336 pages
8h 54m
English
O'Reilly Media, Inc.
Content preview from Linux Security Cookbook

5.4. Bypassing Password Authentication in sudo

Careful sudo Practices

  • Always edit /etc/sudoers with the visudo program, not by invoking a text editor directly. visudo uses a lock to ensure that only one person edits /etc/sudoers at a time, and verifies that there are no syntax errors before the file is saved.

  • Never permit the following programs to be invoked with root privileges by sudo: su, sudo, visudo, any shell, and any program having a shell escape.

  • Be meticulous about specifying argument lists for each command in /etc/sudoers . If you aren’t careful, even common commands like cat and chmod can be springboards to gain root privileges:

    $ sudo cat /etc/shadow > my.evil.file
$ sudo cat ~root/.ssh/id_dsa > my.copy.of.roots.ssh.key
$ sudo chmod 777 /etc/passwd; emacs /etc/passwd
$ sudo chmod 4755 /usr/bin/less               (root-owned with a shell escape)

  • Obviously, never let users invoke a program or script via sudo if the users have write permissions to the script. For example:

                         /etc/sudoers:
smith ALL = (root) /home/smith/myprogram

    would be a very bad idea, since smith can modify myprogram arbitrarily.

Problem

You want one user to run a command as another user without supplying a password.

Solution

Use sudo’s NOPASSWD tag, which indicates to sudo that no password is needed for authentication:

               /etc/sudoers:
smith  ALL = (jones) NOPASSWD: /usr/local/bin/mycommand args
smith  ALL = (root) NOPASSWD: /usr/local/bin/my_batch_script ""

Discussion

By not requiring a password, you are trading security for ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

AirBnbBlueOriginElectronic ArtsHomeDepotNasdaqRakutenTata Consultancy Services
QuotationMarkO’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.
Julian F.
Head of Cybersecurity
QuotationMarkI wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.
Addison B.
Field Engineer
QuotationMarkI’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.
Amir M.
Data Platform Tech Lead
QuotationMarkI'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
Mark W.
Embedded Software Engineer

You might also like

Practical Linux Security Cookbook - Second Edition

Practical Linux Security Cookbook - Second Edition

Tajinder Kalsi
Linux Administration Cookbook
Practical Linux System Administration
Mastering Linux Command Line

Mastering Linux Command Line

Coding Gears | Train Your Brain

Publisher Resources

ISBN: 0596003919Errata Page