This document provides instructions on how to install and configure SUDO (Super User Do) on RHEL 7. It describes installing the sudo package, verifying the installation, configuring the sudoers file using the visudo editor, setting default permissions for the sudoers file, listing allowed commands for users, caching credentials, defining command privileges for users including requiring passwords or allowing passwordless access, and configuring session timeouts on a system-wide or per-user basis.
1. How To Install and Configure SUDO on RHEL 7
i | P a g e
Table of Contents
Overview
Applies To
Pre-Requisites
Install Package
    Verify Package Installation
    Locate Binary
Configure SUDO
    visudo editor
    Sudoers File – Default Permissions
    Listing Commands
        List Allowed Commands – Current User
        List Allowed Commands – Other User
    Cached Credentials
        Revalidate Cached Credentials
        Invalidate Cached Credentials
        Customize User’s Timeouts
Define Command Execution Privileges
    Define Commands – With Password
    Run Commands – Without Password
    Run Commands – Deny Specific Command Execution
    SUDO – Default Settings
Configure – Session Time Out
    System-wide Attribute Configuration
    Per-user Attribute Configuration
Overview
The purpose of this document is to guide you through the configuration of SUDO (Super User Do), which lets a
normal user run commands with elevated privileges on the system.
Applies To
Tested on RHEL 7, CentOS 7.
Pre-Requisites
sudo package is installed
Install Package
The sudo package is installed by default when you install the operating system. If it is not installed, install
the package manually by running the command;
yum install -y sudo
Verify Package Installation
After installation, to verify the sudo package is installed, run the command;
yum list installed | grep ^sudo
or
rpm -qa | grep ^sudo
Locate Binary
Next, to locate the sudo executable (binary, source and manual page paths), run the command;
whereis sudo
Configure SUDO
To configure sudo, the sudoers configuration file “/etc/sudoers” has to be modified.
visudo editor
The sudoers file can be opened with any standard editor, i.e., vi, vim or nano.
However, editing it with the “visudo” editor has a few advantages, listed below:
- visudo locks the sudoers file while a user is editing it
- If another user already has it open, the user is notified with the message “/etc/sudoers busy, try again
later”
- It also checks for syntax errors upon exit; a syntax error in a hand-edited sudoers file would otherwise
break sudo for every user until the file is repaired
Sudoers File – Default Permissions
The owner and group of the sudoers file must both be root (uid and gid 0), and the file permissions must be
set to 0440. These are set by default.
If the permissions or ownership have been changed, accidentally or otherwise, they must be restored, or sudo
will refuse to run:
chown -c root:root /etc/sudoers
chmod -c 0440 /etc/sudoers
Listing Commands
The commands that the logged-in user, or another user, is allowed to execute can be listed. The listing also
shows the other configuration parameters set for the user, such as the timeout, command restrictions, etc.
List Allowed Commands – Current User
sudo -l
List Allowed Commands – Other User
sudo -lU mvcp01
Cached Credentials
Upon a successful sudo authentication, the user’s credentials are cached for a default period of 5 minutes,
and the user can run further sudo commands without a password until the period set by the attribute
“timestamp_timeout” expires.
The timeout can be set to 0 minutes or to a value other than the default of 5 minutes. 0 means the
password is not cached and the user is always prompted for it. If the attribute is set to a value less than 0,
the user’s cached credentials never expire. For example, to cache credentials for 2 minutes system-wide:
Defaults timestamp_timeout=2
Similarly, you can invalidate or revalidate cached credentials.
Revalidate Cached Credentials
After a successful sudo authentication, the password is cached for 5 minutes (the default password lapse
period). To extend the lapse period, run the command below. Each revalidation extends the lapse period by
another 5 minutes.
sudo -v
Invalidate Cached Credentials
To clear the cached password so that the next sudo command prompts for authentication again, run the command;
Typically, it is run when the user’s password has changed and the timeout period has not yet expired.
sudo -k
Customize User’s Timeouts
To customize the sudo timestamp_timeout for a specific user, set the “timestamp_timeout” attribute on a
“Defaults” line qualified with the user name and the timeout period, as shown below.
This change can be made in either “/etc/sudoers” or a file in “/etc/sudoers.d/” (note that sudo ignores files
in that directory whose names contain a “.” or end in “~”).
Defaults:sys.admin timestamp_timeout=30
To confirm the setting, list the user’s privileges:
sudo -lU sys.admin
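As an added example (not part of the original document), the shell script below ties together the visudo, file-permission and sudoers.d points above: it syntax-checks a candidate drop-in with visudo before installing it, refuses file names that sudo would silently ignore, and applies the root:root 0440 ownership and mode. The drop-in name, rule and temporary path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original document: stage a sudoers drop-in,
# check it with visudo, and install it with the ownership and mode that
# sudo requires. The drop-in name, rule and temporary path are constructed.

# sudo ignores files in /etc/sudoers.d whose names contain a '.' or end
# in '~' (editor backups), so a mis-named drop-in silently has no effect.
# Returns 0 when the name is acceptable, 1 otherwise.
valid_dropin_name() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Syntax-check a candidate file without touching /etc/sudoers:
# -c check only, -f name the file to check, -q print nothing and rely on
# the exit status. With -f, visudo skips the owner/mode check on the file.
check_sudoers_file() {
    visudo -cqf "$1"
}

# Copy a validated drop-in into place as root:root 0440, the same
# requirements as /etc/sudoers itself. Nothing is installed on any failure.
install_dropin() {
    src=$1
    name=$2
    dir=${3:-/etc/sudoers.d}
    valid_dropin_name "$name" || { echo "refusing name '$name': sudo would ignore it" >&2; return 1; }
    check_sudoers_file "$src" || { echo "syntax error in $src, not installed" >&2; return 1; }
    install -m 0440 -o root -g root "$src" "$dir/$name"
}

# Usage as root (constructed rule; the file name uses '-' rather than '.'):
#   printf 'Defaults:sys.admin timestamp_timeout=30\n' > /tmp/sys-admin-timeout
#   install_dropin /tmp/sys-admin-timeout sys-admin-timeout

# The name check itself needs no privileges:
valid_dropin_name sys.admin || echo "'sys.admin' would be ignored by sudo; use 'sys-admin' instead"
```

Running the syntax check on the staged copy rather than on /etc/sudoers directly means a typo never reaches the live policy, which is the failure mode visudo exists to prevent.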
Define Command Execution Privileges
SUDO can be configured to require or not require password authentication for users, or for the specific
commands a user intends to execute. A user can also be denied execution of a specific command. The table
below explains each part of a rule, using the following example:
Example: root ALL=(ALL) ALL
Part of the rule sys.admin ALL=(ALL:ALL) ALL    Purpose
sys.admin                                       The definition applies to user sys.admin (root in the example above)
ALL (before the “=”)                            The rule applies when user sys.admin logs in from any host
(ALL:                                           User sys.admin can run commands as all users
:ALL)                                           User sys.admin can run commands as all groups
ALL (last field)                                The rule applies to all commands
Define Commands – With Password
Commands defined for a user can be allowed to run only after the user keys in a valid password, as shown
below. User sys.operator can execute the commands “shutdown” and “updatedb” after successful
authentication (requiring a password is sudo’s default, so the PASSWD tag is optional):
sys.operator ALL=(ALL) PASSWD: /sbin/shutdown, /usr/bin/updatedb
Run Commands – Without Password
To execute command(s) without being prompted for the sudo password, configure the user as below. User
mvcp001 can run any command without a password, and user sys.admin can execute the commands “shutdown”
and “updatedb” without a password. The command paths must match the real location of the binary exactly
(check with “which updatedb”).
mvcp001 ALL=(ALL) NOPASSWD: ALL
sys.admin ALL=(ALL) NOPASSWD: /sbin/shutdown, /usr/bin/updatedb
Run Commands – Deny Specific Command Execution
To deny a specific user the execution of a particular command, prefix it with “!” as shown below. The
user can run all other commands except “/usr/bin/passwd”. Note that sudoers(5) warns that excluding
commands from ALL in this way is not an effective restriction, because a copy of the excluded program
under another name is still permitted; prefer listing the allowed commands explicitly.
mvcp002 ALL=(root) ALL, !/usr/bin/passwd
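As an added example that is not part of the original document, the shell script below audits a sudoers policy for the patterns covered in this section and under Cached Credentials: passwordless NOPASSWD: ALL rules, “!” exclusions, and a negative timestamp_timeout. The sample policy is constructed from the kinds of rules shown in this document; the user names are the document’s own examples.

```shell
#!/bin/sh
# Added example, not from the original document: audit sudoers rules for
# the risky patterns discussed in this document. The policy text below is
# constructed for illustration.

SAMPLE_SUDOERS='# constructed sample policy
root ALL=(ALL) ALL
sys.operator ALL=(ALL) PASSWD: /sbin/shutdown, /usr/bin/updatedb
mvcp001 ALL=(ALL) NOPASSWD: ALL
sys.admin ALL=(ALL) NOPASSWD: /sbin/shutdown, /usr/bin/updatedb
mvcp002 ALL=(root) ALL, !/usr/bin/passwd
Defaults timestamp_timeout=-1
Defaults:mvcp002 timestamp_timeout=0'

# Strip leading and trailing blanks from $1.
trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# audit_sudoers POLICY_TEXT: prints one line per finding; clean rules print nothing.
# Comments and blank lines are dropped before the rules are examined.
audit_sudoers() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        case "$line" in
            *NOPASSWD:*)
                # Everything after the tag is the command list; ALL means any command.
                cmds=$(trim "${line##*NOPASSWD:}")
                if [ "$cmds" = ALL ]; then
                    printf 'HIGH   passwordless unrestricted rule: %s\n' "$line"
                fi
                ;;
        esac
        case "$line" in
            *'!'*)
                printf 'MEDIUM negated command is not an effective restriction (sudoers(5)): %s\n' "$line"
                ;;
        esac
        case "$line" in
            Defaults*timestamp_timeout=-*)
                printf 'MEDIUM negative timestamp_timeout, cached credentials never expire: %s\n' "$line"
                ;;
        esac
    done
}

# audit_count POLICY_TEXT: number of findings, for use in scripts and exit codes.
audit_count() { audit_sudoers "$1" | grep -c .; }

audit_sudoers "$SAMPLE_SUDOERS"
```

On the sample policy the script reports three findings (the NOPASSWD: ALL rule for mvcp001, the “!” exclusion for mvcp002, and the negative system-wide timeout); the per-user timestamp_timeout=0 and the explicit command lists are left alone.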
SUDO – Default Settings
To list the current default settings, run the command;
grep ^Defaults /etc/sudoers
Configure – Session Time Out
The purpose of this attribute is to set the period during which the user is not asked for the password again
for further elevated commands.
The default timeout is 5 minutes: once the user enters the password, it is remembered for 5 minutes, after
which the user needs to enter it again.
System-wide Attribute Configuration
To configure the setting system-wide, set the attribute on a “Defaults” line with the required value.
Defaults timestamp_timeout=5 #Applies To System wide
Per-user Attribute Configuration
To configure the setting for a single user, add the user name after “Defaults” (separated by a colon) and set
the required value. This overrides the system-wide setting for that user.
Defaults:mvcp002 timestamp_timeout=0 # Applies to specific user only