Embracing sudo


Sudo is a wonderful utility with a lot of flexibility. However, that flexibility comes at a price, mainly in the form of rough edges. Here are a few things that I've done to remove those rough edges and embrace sudo to benefit from its flexibility.

To gain an understanding of what sudo is and is not, I highly recommend you read Michael W Lucas's Sudo Mastery. (See my Sudo Mastery post for more details.) You can always pick up a lot of very detailed information on sudo from the official Sudo Main Page. Last but not least, there is the sudo(8) man page. I'd also recommend that you spend some time playing with sudo and the sudoers file on a non-critical system. Nothing teaches quite like experience.

One of the biggest game changers for me, as far as security is concerned, is using the PAM module for authentication with the ssh-agent. With the PAM module installed and configured, sudo can authenticate using your ssh key(s). This means that you can take full advantage of sudo without being prompted for a password while still having the same level of security as if you were prompted for a password. (Because in effect you were. Or said another way, your ssh-agent was on your behalf.)

To install the PAM module for authentication with ssh-agent on RHEL / CentOS, run the following command:

yum install pam_ssh_agent_auth

To configure the PAM module for authentication with ssh-agent, edit your /etc/pam.d/sudo and /etc/pam.d/sudo-i files so that they look like the following. The first listing is /etc/pam.d/sudo and the second is /etc/pam.d/sudo-i.

#%PAM-1.0
auth       sufficient   pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

#%PAM-1.0
auth       sufficient   pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
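
A static check of these two files, as an added example that is not part of the original post: it reports whether the pam_ssh_agent_auth.so line comes before the other auth lines, and whether file= points into the user's home directory (~ or %h), where the user account itself can change which keys sudo accepts. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): static check of a PAM service file
# that uses pam_ssh_agent_auth.so, such as /etc/pam.d/sudo.

# Print "<n> <path>": n is the position of the pam_ssh_agent_auth.so line among
# the active auth lines, path is its file= value ("-" if the option is absent).
agent_auth_entry() {
    awk '$1 == "auth" {
        n++
        for (i = 3; i <= NF; i++) if ($i ~ /pam_ssh_agent_auth\.so$/) {
            path = "-"
            for (j = i + 1; j <= NF; j++) if ($j ~ /^file=/) path = substr($j, 6)
            print n, path
            exit
        }
    }' "$1"
}

# True when the key file path expands into the invoking user's home (~ or %h),
# which that user, and anything running as that user, can rewrite.
keyfile_in_user_home() {
    case "$1" in
        "~"*|*%h*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one summary line; return 1 if anything needs review.
audit_pam_file() {
    entry=$(agent_auth_entry "$1")
    [ -n "$entry" ] || { echo "agent-auth=absent"; return 1; }
    pos=${entry%% *} keyfile=${entry#* } status=0
    if [ "$pos" -eq 1 ]; then order=first; else order=late; status=1; fi
    if keyfile_in_user_home "$keyfile"; then where=user-home; status=1
    else where=outside-home; fi
    echo "order=$order keyfile=$where path=$keyfile"
    return "$status"
}

# Constructed sample: the auth lines of the sudo stack shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
auth       include      system-auth
EOF
audit_pam_file "$sample" || echo "review: key file is user-writable or line is not first"
rm -f "$sample"
```

The check only reads the configuration; ownership and permissions of a key file outside the home directory still need to be verified on the host.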

Now that you are able to use the PAM module for authentication with ssh-agent, let's remove some of the other rough(er) edges from using sudo. I find it very annoying to have to type "sudo" in front of commands that I routinely use that require root privileges.

sudo yum check-update

So, being the unix user that I am and believing in customizing my environment the way that I do, I created an alias so that I don't have to type "sudo".

alias yum='/usr/bin/sudo /usr/bin/yum'

With this alias and (many) others like it, I can now happily and easily issue commands that I routinely use that require root privileges from my normal user account without any problems.

One final thing that I've wondered about is doing this for other users, specifically DBAs who need to run commands as the Oracle user. This means that the Oracle DBA(s) could log in with their individual IDs and be able to run Oracle commands as if they were the oracleUser.

alias crsctl="/usr/bin/sudo -u oracleUser /u01/app/11.2.0.3/grid/bin/crsctl"

Customizing the environment removes some of the rough(er) edges from using sudo, if not making it faster and easier (no password prompts, no having to change users, etc.), and retains the benefits of running commands through sudo: specifically, sudo's granular control over commands and its logging (to a file that can't be edited the way shell history files can).

See also:
Sudo, a love hate relationship
Sudify
Command Aliases