How to secure Sudo

We all know working as an admin user (or root) is a bad thing. But sometimes we simply want to do things only an admin is allowed to do. Switching accounts every time that happens is not an option. Fortunately, every UNIX system (including Mac OS) offers some options. But there’s a great quarrel over which option is the most secure: „su“ or „sudo“.

Pros and Cons

„sudo“ allows you to run a single command as a different user, usually root. If, for example, you take a glance at the Ubuntu community forums, you’ll see the place crowded with commands like „sudo aptitude install kubuntu-desktop“. „sudo“ then prompts you for a password. Unfortunately, this password is the password of your current user! So if your account gets compromised, so does every other account on that computer. The only other security measure is the file „/etc/sudoers“ (on Mac „/private/etc/sudoers“), which contains a list of every user allowed to use „sudo“ and a list of options.

While „sudo“ prompts you for your own password, „su“ will ask for the password of the user you want to become (the default is again root). This of course is much more secure. The drawback is that by using the „su“ command, you become that user for as long as you wish, which is again rather unsafe.

The trick

But it wouldn’t be Unix if you couldn’t change that! So here is what we are going to do:

Look for a line beginning with „Defaults“, like „Defaults    env_reset“
Below that line add „Defaults    targetpw“
Save and quit

From now on „sudo“ will ask you for the password of the target user, thereby combining the strengths of both „sudo“ and „su“!
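The steps above as a shell sketch, added here as an example and not part of the original post. The function names and file paths are assumptions; it writes to a candidate copy so a syntax error cannot lock you out of „sudo“, and the check uses „visudo -c -f“, which validates a file without installing it.

```shell
#!/bin/sh
# Added example (hypothetical helper names): apply the "Defaults targetpw"
# change to a copy of the sudoers file rather than editing it in place.

# add_targetpw SRC DST
# Writes SRC to DST with "Defaults targetpw" placed directly below the first
# line beginning with "Defaults". If no such line exists, the option is
# appended at the end. If the exact line is already present, SRC is copied
# unchanged, so running it twice does not duplicate the entry.
add_targetpw() {
    src=$1
    dst=$2
    if grep -Eq '^[[:space:]]*Defaults[[:space:]]+targetpw[[:space:]]*$' "$src"; then
        cp "$src" "$dst"
        return 0
    fi
    awk '
        { print }
        !added && /^[ \t]*Defaults([ \t]|$)/ {
            print "Defaults\ttargetpw"
            added = 1
        }
        END { if (!added) print "Defaults\ttargetpw" }
    ' "$src" > "$dst"
}

# check_sudoers FILE
# Syntax-checks a candidate file; returns non-zero on a parse error.
check_sudoers() {
    visudo -c -f "$1"
}

# Typical use, as root (the candidate path is an assumption):
#   add_targetpw /etc/sudoers /root/sudoers.new
#   check_sudoers /root/sudoers.new && echo "candidate parses cleanly"
# Install the candidate only after the check passes, keeping the original
# file's owner and mode, and keep a root shell open until a fresh
# "sudo -k; sudo true" prompts for the target user's password.
```

With „targetpw“ set, „sudo“ only works for target accounts that actually have a password, so confirm root has one before installing the change.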


