Useful Sudoers Configurations for sudo
After adding all of the settings described below, the Defaults section of /etc/sudoers will contain the lines shown in each step. Always edit the file with visudo rather than a plain editor, or check a candidate file with visudo -c -f FILE before installing it: visudo locks the file and refuses to save a syntactically broken sudoers, which would otherwise lock every user out of sudo.
Let us go through the settings one by one.
1. Setting a secure path
This PATH replaces the invoking user's PATH for every command run through sudo. It is used for two reasons:
- To keep the root search path separate from the user's. (Users in the group named by the exempt_group option keep their own PATH and are unaffected by this setting.)
- So the system administrator does not have to trust that sudo users have a sane PATH: a writable directory placed first in a user's PATH would otherwise let an attacker-supplied binary of the same name run as root.
Add the below line in the sudoers file to set this path:
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
2. Requiring a real tty for sudo
With this line in the file, sudo can only be invoked from a real tty; calls from cron jobs, cgi-bin scripts and other non-interactive contexts are refused. Be aware that it also blocks legitimate automation, for example ssh host 'sudo cmd' without -t, so set it deliberately and test your tooling afterwards:
Defaults requiretty
3. Running sudo commands in a pseudo-tty
A malicious program run under sudo can fork a background process that stays attached to the user's terminal after the main program has exited; because the command normally shares the invoking terminal, that process can keep reading from and writing to the terminal the user is still using. Setting use_pty makes sudo run the command in a new pseudo-terminal, so any lingering background process is tied to that pty rather than to the user's own terminal (the option has no effect when sudo itself is not attached to a terminal):
Defaults use_pty
4. Creating a sudo log file
By default sudo logs through syslog(3). To additionally write a plain-text log of every sudo invocation to a file of your own, use the logfile parameter:
Defaults logfile="/var/log/sudo.log"
The hostname and a four-digit year can be added to each entry with the log_host and log_year options:
Defaults log_host, log_year, logfile="/var/log/sudo.log"
To read the custom sudo log (the file is created root-owned, so read it as root):
cat /var/log/sudo.log
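Once the log exists, the interesting questions are who is failing authentication and which commands each user actually ran as root. The following script is an added example for this page (not code from the original article or from the sudo project) that answers both from a plain-text sudo log. The entries it reads are constructed samples laid out like sudo's logfile with log_host and log_year set: date and year, the invoking user, HOST=..., then an optional denial message followed by the TTY, PWD, USER and COMMAND fields separated by " ; ".

```shell
#!/usr/bin/env bash
# Added example for this page (not from the original article or the sudo
# project): triage a plain-text sudo log produced by
#   Defaults log_host, log_year, logfile="/var/log/sudo.log"
# The entries below are constructed samples laid out like sudo's logfile:
#   <date> <year> : <user> : HOST=<host> : [<denial> ; ]TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun  3 10:32:10 2024 : alice : HOST=web01 : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jun  3 10:33:42 2024 : bob : HOST=web01 : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun  3 10:35:07 2024 : alice : HOST=web01 : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jun  3 10:36:55 2024 : mallory : HOST=web01 : user NOT in sudoers ; TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jun  3 10:40:12 2024 : bob : HOST=web01 : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su
Jun  3 10:41:30 2024 : alice : HOST=web01 : TTY=pts/1 ; PWD=/home/alice ; USER=www-data ; COMMAND=/usr/bin/id
EOF

# Denial messages sudo writes into the log: wrong password (after passwd_tries
# attempts), a user who is not in sudoers at all, and a command the policy refuses.
DENIED_RE='incorrect password attempts|NOT in sudoers|command not allowed'

# Fields are separated by " : ", so $2 is always the invoking user.
# Count denied sudo invocations per user, printed as "<user> <count>".
sudo_failed_attempts() {
    awk -F' : ' -v re="$DENIED_RE" '
        $0 ~ re { n[$2]++ }
        END { for (u in n) print u, n[u] }' "$1" | sort
}

# List the commands a given user ran successfully as root: lines for that user
# that carry no denial message and whose target user is root.
sudo_root_commands() {
    awk -F' : ' -v u="$2" -v re="$DENIED_RE" '
        $2 == u && $0 !~ re && /USER=root ;/ {
            sub(/.*COMMAND=/, "")   # keep only the command and its arguments
            print
        }' "$1"
}

echo "== denied sudo attempts per user =="
sudo_failed_attempts "$SAMPLE_LOG"
echo "== commands alice ran as root =="
sudo_root_commands "$SAMPLE_LOG" alice
```

Point the two functions at /var/log/sudo.log (as root) to run them against a real log. Repeated "incorrect password attempts" entries for one user are the signal to look for: each one means passwd_tries consecutive failures, not a single typo.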
5. Logging sudo command input and output
With the log_input and log_output options, sudo records everything the command reads from the terminal and everything it writes to it. By default the session recordings are stored under /var/log/sudo-io, which also holds the seq file that numbers the sessions; a different directory can be chosen with the iolog_dir parameter.
Defaults log_input, log_output
The recordings are not plain text; list and replay them with sudoreplay (run as root): sudoreplay -l lists the recorded sessions with their IDs, and sudoreplay followed by a session ID replays one. Keep in mind that input logging captures everything typed into the session, including any passwords entered into programs run under sudo, so the I/O log directory must be protected like the shadow file.
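To check whether an existing sudoers file already carries the hardening settings from steps 1 to 5, here is an added audit script written for this page (it is example code, not from the original article or the sudo project). It reads the global Defaults lines, including comma-separated and !-negated options, and reports which of secure_path, requiretty, use_pty, logfile, log_input and log_output are not enabled; the two sudoers files it inspects are constructed samples written to temporary files.

```shell
#!/usr/bin/env bash
# Added example for this page (not from the original article or the sudo
# project): a textual audit of the global `Defaults` lines in a sudoers file,
# reporting which of the hardening options from steps 1-5 are not enabled.
# Both sudoers files below are constructed samples written to temporary files.

WEAK_SUDOERS=$(mktemp)
HARDENED_SUDOERS=$(mktemp)
trap 'rm -f "$WEAK_SUDOERS" "$HARDENED_SUDOERS"' EXIT

cat > "$WEAK_SUDOERS" <<'EOF'
# constructed sample: a stock-looking sudoers with use_pty explicitly turned off
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults        !use_pty        # negated: counts as NOT enabled
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
EOF

cat > "$HARDENED_SUDOERS" <<'EOF'
# constructed sample: the settings from steps 1-5 plus a few cosmetic ones
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults        requiretty
Defaults        use_pty
Defaults        log_host, log_year, logfile="/var/log/sudo.log"
Defaults        log_input, log_output
Defaults        badpass_message="Wrong password, try again"   # comma inside the quoted value
Defaults        passwd_tries=6
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
EOF

# Print the option names enabled by global `Defaults` lines, one per line.
# Handles comma-separated options, name=value / name+=value / name-=value,
# trailing comments and commas inside quoted values. Negated options
# (Defaults !use_pty) are not reported. Scoped Defaults (Defaults:user,
# Defaults@host, Defaults!cmd, Defaults>runas), line continuations and
# @include'd files are out of scope for this audit.
sudoers_defaults() {
    awk '
        /^[[:space:]]*Defaults[[:space:]]/ {
            sub(/^[[:space:]]*Defaults[[:space:]]+/, "")   # drop the keyword
            gsub(/"[^"]*"/, "\"\"")                         # blank out quoted values first
            sub(/[[:space:]]*#.*$/, "")                     # drop a trailing comment
            n = split($0, opt, ",")
            for (i = 1; i <= n; i++) {
                o = opt[i]
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", o)  # trim whitespace
                if (o ~ /^!/) continue                      # "!name" disables the option
                sub(/[[:space:]]*[+-]?=.*$/, "", o)         # keep only the option name
                if (o != "") print o
            }
        }' "$1" | sort -u
}

# Print each hardening option that is not enabled in the given sudoers file.
sudoers_missing_hardening() {
    present=$(sudoers_defaults "$1")
    for opt in secure_path requiretty use_pty logfile log_input log_output; do
        printf '%s\n' "$present" | grep -qx "$opt" || echo "$opt"
    done
}

for f in "$WEAK_SUDOERS" "$HARDENED_SUDOERS"; do
    echo "== $f =="
    missing=$(sudoers_missing_hardening "$f")
    if [ -n "$missing" ]; then
        echo "missing hardening Defaults:"
        echo "$missing"
    else
        echo "all hardening Defaults present"
    fi
done
```

This is a textual audit only: it does not parse the full sudoers grammar and ignores files pulled in via @include or @includedir, so run it alongside visudo -c -f FILE, which validates the syntax sudo will actually accept, and remember that sudo -l as a given user shows the effective policy after all includes and scoped Defaults are applied.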
6. Lecturing sudo users
The lecture option controls whether sudo prints its warning lecture before the password prompt; it is not triggered by a wrong password. It takes three values:
- always: Lecture the user every time.
- once: Lecture the user only the first time they run sudo. This is the default when no value is specified.
- never: Never lecture the user.
Defaults lecture="always"
7. Custom message when the wrong password is typed
By default, when the wrong password is typed, sudo prints "Sorry, try again." This text can be changed with the badpass_message parameter (note the closing quote; an unterminated string is a syntax error that visudo would refuse to save). Let us type the wrong password intentionally and see the result:
Defaults badpass_message="Welcome to GFG, enter the right password"
8. Setting the password limit
By default the maximum number of password attempts is 3. It can be increased or decreased with the passwd_tries setting:
Defaults passwd_tries=6
With this in place sudo prompts up to six times before giving up and logging the failed attempt.
9. Enabling insults
With this option set, sudo prints a randomly chosen insulting message whenever the user enters a wrong password, and the badpass_message text is no longer shown while insults is enabled. This only works if sudo was built with insult support; otherwise the option has no effect.
Defaults insults
Let us see it in action: type a wrong password intentionally and sudo replies with an insult instead of the usual message.
So these were the 9 sudo configurations that you can use and explore. Hope you liked the article.
Configuring the sudo Command in Linux
In operating systems such as Linux and Unix, unrestricted command execution belongs to the root user. The root user can perform tasks such as installing, updating and removing packages, creating users and groups, modifying configuration files, and so on. The system administrator, acting as root, can grant selected users the right to run specific commands, or all commands, as root with the help of sudo. Alternatively the administrator can share the root password so that other users can switch to root with the su command, but this is not recommended: a shared password cannot be revoked per user and leaves no record of which person actually ran a given command.