sudo

When using sudo we must specify who may invoke it, typically by adding users to the sudo group (sudo or wheel, depending on the distribution). We can fine-tune this further by editing the files in /etc/sudoers.d/ to specify which commands may be run. For example, arvb ALL=(ALL) ALL means that the arvb user on ALL hosts (the first ALL) can execute commands as any user (the ALL in brackets), typically root. The final field is the list of commands that may be run; here it is ALL (every command), but it can be restricted to specific ones if necessary.

Note

Although sudo is typically used to run programs as root (which is what it does by default), we can also use sudo to act as another user, i.e. sudo --user otheruser (short form -u). It can also be used to start that user's login shell, for example, sudo --login --user otheruser.

The main file where sudo configuration is stored is /etc/sudoers, although it is normally edited through visudo (the advantage of visudo is that it validates the syntax before saving, so a typo cannot lock you out of sudo).

When working with files in /etc/sudoers.d/, we can use visudo -f /path/to/file.

In Linux, there is also a wheel group, which is a special user group that grants its members permission to run admin commands with sudo. Thus, usermod -aG wheel <user> means that <user> will have sudo privileges.

The sudoers files can also include tags such as NOPASSWD or NOEXEC, among others. The former allows users to run approved sudo commands without being prompted for their password; the latter is described after the example.

Example

To remove the requirement to use a password, add the following:

username ALL=(ALL) NOPASSWD: /path/to/command

This means that username will not be required to provide a password to sudo when running /path/to/command.

NOEXEC, on the other hand, prevents the approved command from executing further programs (such as spawning a shell). It can be used to limit the reach of an approved command.

sudo user groups are used to simplify and centralize administration. The most common groups are sudo and wheel. The primary difference between the two is the distribution they generally come from: the sudo group is usually associated with Debian-based systems, while wheel is associated with RHEL-like systems.

This means that someone who is a member of the relevant sudo group will be able to run commands as root.1
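The rule syntax, the NOPASSWD/NOEXEC tags and the group rules above can be audited mechanically. The following is an added example for these notes (not part of the original): a small POSIX sh auditor that parses sudoers rule lines of the shape user_or_%group host=(runas) [TAG:] commands and grades how much each one grants. The sample rules are constructed here; in practice the input would be the fragments under /etc/sudoers.d/.

```shell
#!/bin/sh
# Added example: grade sudoers rules by what they grant.
# Constructed sample fragment (not from any real host).
SAMPLE_RULES='# constructed fragment
arvb ALL=(ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
deploy ALL=(root) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
ops ALL=(root) NOEXEC: /usr/bin/less'

# rule_commands LINE: print the command list with the host/runas spec and any
# uppercase TAG: prefixes (NOPASSWD:, NOEXEC:, ...) stripped off
rule_commands() {
    printf '%s\n' "$1" |
        sed -E 's/^[^=]+=\([^)]*\)[[:space:]]*//; s/^([A-Z]+:[[:space:]]*)+//'
}

# classify_rule LINE: print one of high | medium | low | info
classify_rule() {
    rc_cmds=$(rule_commands "$1")
    case "$1" in
        *NOPASSWD:*) rc_nopass=1 ;;
        *)           rc_nopass=0 ;;
    esac
    if [ "$rc_cmds" = "ALL" ] && [ "$rc_nopass" = 1 ]; then
        echo high      # any command as the target user, no password prompt
    elif [ "$rc_cmds" = "ALL" ]; then
        echo medium    # any command, but the caller's own password is required
    elif [ "$rc_nopass" = 1 ]; then
        echo low       # passwordless, but limited to the listed commands
    else
        echo info      # password required and limited to the listed commands
    fi
}

# count_rules LEVEL: number of sample rules graded at LEVEL
# (comments and blank lines are skipped; a heredoc keeps the counter in this shell)
count_rules() {
    cr_n=0
    while IFS= read -r cr_line; do
        case "$cr_line" in ''|'#'*) continue ;; esac
        if [ "$(classify_rule "$cr_line")" = "$1" ]; then
            cr_n=$((cr_n + 1))
        fi
    done <<EOF
$SAMPLE_RULES
EOF
    echo "$cr_n"
}

# audit_report: one graded line per rule, for reading by a human
audit_report() {
    printf '%s\n' "$SAMPLE_RULES" | while IFS= read -r ar_line; do
        case "$ar_line" in ''|'#'*) continue ;; esac
        printf '%-7s %s\n' "$(classify_rule "$ar_line")" "$ar_line"
    done
}

audit_report
```

Rules graded high are the ones worth a second look: they combine ALL with NOPASSWD, so membership alone is a full, unprompted root. Whatever the grade, a fragment should be checked with visudo -cf file before it is dropped into /etc/sudoers.d/.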

File permissions / attributes

Password control

User passwords are subject to password composition controls, which include complexity and length parameters, among others. The controls are managed through pam_pwquality, which is a PAM module. This can be configured via /etc/security/pwquality.conf.

Example

To require an uppercase letter, a lowercase letter, a digit, and a symbol in a password, as well as a minimum length, edit the /etc/security/pwquality.conf file and add:

minclass = 4 # Requires characters from at least 4 different categories
minlen = 12 # Password must be at least 12 characters long

Password lifecycles can also be managed, specifically expiration, reuse, and history (to enforce uniqueness over time). The expiration of a password can be modified per user with chage.

History and reuse controls are managed via the pam_pwhistory module, whose configuration also lives under /etc/security/. To prevent reuse of the last 5 passwords, modify /etc/pam.d/common-password with the line password required pam_pwhistory.so remember=5.
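What minclass and minlen actually enforce is easy to misread, so here is an added example (not part of the original notes) that re-implements the two checks in POSIX sh against a constructed copy of the pwquality.conf lines above. It is an illustration of the policy, not the pam_pwquality code; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: emulate the minclass/minlen checks of pam_pwquality.
# Constructed copy of the relevant /etc/security/pwquality.conf settings.
PWQUALITY_CONF='# constructed config, mirrors the example in the notes
minclass = 4
minlen = 12'

# conf_value KEY: print the integer assigned to KEY in PWQUALITY_CONF
conf_value() {
    printf '%s\n' "$PWQUALITY_CONF" |
        sed -nE "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p"
}

# pw_classes PASSWORD: count the distinct character classes present
# (lower, upper, digit, other), which is what minclass compares against
pw_classes() {
    pc_n=0
    for pc_class in '[:lower:]' '[:upper:]' '[:digit:]'; do
        # if deleting the class changes the string, the class is present
        if [ "$(printf '%s' "$1" | tr -d "$pc_class")" != "$1" ]; then
            pc_n=$((pc_n + 1))
        fi
    done
    # anything non-alphanumeric counts as the fourth ("other") class
    if [ -n "$(printf '%s' "$1" | tr -d '[:alnum:]')" ]; then
        pc_n=$((pc_n + 1))
    fi
    echo "$pc_n"
}

# check_password PASSWORD: print ok, or the first rule that rejects it
check_password() {
    if [ "${#1}" -lt "$(conf_value minlen)" ]; then
        echo "reject: minlen"
    elif [ "$(pw_classes "$1")" -lt "$(conf_value minclass)" ]; then
        echo "reject: minclass"
    else
        echo ok
    fi
}

# Constructed candidates: too short, long but one class, and compliant.
for candidate in 'Tr0ub4dor&3' 'correcthorsebattery' 'C0rrect-Horse!'; do
    printf '%-22s %s\n' "$candidate" "$(check_password "$candidate")"
done
```

Note that a long passphrase made of lowercase words fails minclass = 4 even though it is longer than minlen; if passphrases are the intended policy, minclass has to be lowered or dropped rather than worked around.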

MFA

It is possible to require a one-time password (OTP) via PAM by adding echo 'auth required pam_google_authenticator.so nullok' | sudo tee -a /etc/pam.d/sshd. Note that this assumes the Google Authenticator PAM module is already installed and set up.

Hardware tokens can also be included by adding the appropriate module. For example, a YubiKey might require a module such as pam_yubico.
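The nullok option in the line above matters: it lets a user who has not enrolled a token log in without an OTP, so the stack is only optional MFA until every account is enrolled. As an added example (not part of the original notes), the following POSIX sh function reports whether a PAM stack enforces the module; the three /etc/pam.d/sshd variants are constructed inline.

```shell
#!/bin/sh
# Added example: classify a PAM auth stack's use of pam_google_authenticator.
# Constructed /etc/pam.d/sshd variants (not from any real host).
PAM_ENFORCED='@include common-auth
auth required pam_google_authenticator.so'
PAM_OPTIONAL='@include common-auth
auth required pam_google_authenticator.so nullok'
PAM_ABSENT='# auth required pam_google_authenticator.so
@include common-auth'

# mfa_status PAM_CONTENT: print enforced | optional | absent
mfa_status() {
    # only active (uncommented) auth lines count; the first match decides
    ms_line=$(printf '%s\n' "$1" |
        grep -E '^[[:space:]]*auth[[:space:]]+.*pam_google_authenticator\.so' |
        head -n 1)
    case "$ms_line" in
        '')       echo absent ;;     # module not in the stack at all
        *nullok*) echo optional ;;   # users without a token file skip the OTP
        *)        echo enforced ;;   # every user must present an OTP
    esac
}

for variant in "$PAM_ENFORCED" "$PAM_OPTIONAL" "$PAM_ABSENT"; do
    mfa_status "$variant"
done
```

Once all users have enrolled, remove nullok so the status becomes enforced; a commented-out line is treated as absent.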

Restricted shell use

There are two primary ways to restrict shell usage: /sbin/nologin, which completely prevents interactive shell sessions, and /bin/rbash, which is a limited Bash shell with restricted capabilities.

nologin is commonly used for accounts that do not need to log in interactively, such as service accounts.

rbash on the other hand does allow interactive shells, but restricts actions such as changing directories, modifying variables, or executing programs from unexpected locations.
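A quick way to see which accounts actually have these restrictions is to read the shell field of /etc/passwd. The following is an added example (not part of the original notes): a POSIX sh script that classifies each account's shell and lists system accounts (UID 1 to 999) that still have an interactive shell. The passwd content is constructed inline; on a real host it would be read from /etc/passwd.

```shell
#!/bin/sh
# Added example: find system accounts that still have an interactive shell.
# Constructed /etc/passwd sample (not from any real host).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
svc-web:x:998:998::/var/www:/bin/bash
kiosk:x:1001:1001::/home/kiosk:/bin/rbash
arvb:x:1000:1000::/home/arvb:/bin/bash'

# shell_kind SHELL: print none | restricted | interactive
# (/sbin/nologin and /usr/sbin/nologin both match */nologin)
shell_kind() {
    case "$1" in
        */nologin|*/false|'') echo none ;;
        */rbash)              echo restricted ;;
        *)                    echo interactive ;;
    esac
}

# system_accounts_with_shell: names of UID 1..999 accounts whose shell is interactive
system_accounts_with_shell() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: '$3 > 0 && $3 < 1000 { print $1 ":" $7 }' |
        while IFS=: read -r sa_name sa_shell; do
            if [ "$(shell_kind "$sa_shell")" = interactive ]; then
                echo "$sa_name"
            fi
        done
}

echo "system accounts with an interactive shell:"
system_accounts_with_shell
```

Accounts reported here are candidates for usermod -s /sbin/nologin. For the rbash case, remember that the restriction only holds if PATH is set read-only to a directory of vetted commands; otherwise the user can run programs from anywhere.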

Footnotes

  1. One of the things membership also (potentially) allows is sudo -i, which starts a login shell as another user, typically root. Success grants a root shell, but importantly authentication is done with your own password. This is different from, say, su -, where the prompt is for the root user's password.