Mastering sudo: Essential Configurations, Tips, and Security Practices
This guide explains sudo's workflow, sudoers file syntax, default options, how to switch visudo's editor, force‑save read‑only files in Vim, use sudoedit safely, adjust session timeouts, set temporary authorizations with cron, and preserve environment variables for secure privilege delegation.
1. Understanding sudo workflow and sudoers configuration
The sudo command ("superuser do") lets a verified user run commands as another user, typically root. When invoked, sudo works through the following steps:
- It reads and parses /etc/sudoers to locate the caller and the privileges granted to them.
- It asks for a password unless the matching rule carries the NOPASSWD tag.
- It spawns a subprocess and calls setuid() to change identity to the target user.
- The subprocess runs the requested shell or command.
2. sudoers syntax
The rule format is:
USER/GROUP HOST=(USER[:GROUP]) [NOPASSWD:] COMMANDS
where:
- USER/GROUP: the authorized user or group (group names start with %).
- HOST: the host(s) on which the rule applies; ALL means any host.
- (USER[:GROUP]): the target user (and optionally group) the command runs as; ALL means any user.
- NOPASSWD: skip the password prompt for this rule.
- COMMANDS: a comma-separated list of allowed commands, each given by absolute path and optionally followed by arguments; ALL permits any command.
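As an added example (not part of the original guide), the following POSIX shell helper parses rules of the shape above and flags two patterns a reviewer looks for: a NOPASSWD grant whose command list is ALL, and a command given without an absolute path, which leaves it ambiguous which binary the rule actually authorises. The helper, its finding labels and its sample rules are hypothetical; it understands only the simple rule form shown in this guide, not the full sudoers grammar.

```shell
#!/bin/sh
# Added example, not from the article: a hypothetical audit helper that reads
# sudoers-style rules from stdin and reports two risky patterns. It handles only
# the rule shape USER HOST=(RUNAS) [TAG:] COMMANDS; Defaults lines, alias
# definitions, comments and blank lines are skipped.
# Findings (one line each):
#   NOPASSWD-ALL  <rule>   unrestricted command list with no password prompt
#   RELATIVE-CMD  <rule>   a command that is not given by absolute path

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

audit_sudoers_rules() {
  sed 's/#.*//' | grep -v '^[[:space:]]*$' |
  grep -v -E '^(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)' |
  while IFS= read -r rule; do
    rhs=${rule#*=}              # text after "HOST=": (runas) [tags:] commands
    cmds=${rhs#*)}              # drop the "(user:group)" runas spec if present
    tags=""
    case $cmds in
      *:*) tags=${cmds%%:*}; cmds=${cmds#*:} ;;   # split "NOPASSWD: commands"
    esac
    cmds=$(trim "$cmds")

    case $tags in
      *NOPASSWD*)
        if [ "$cmds" = ALL ]; then printf 'NOPASSWD-ALL  %s\n' "$rule"; fi ;;
    esac

    # Walk the comma-separated command list; each entry must start with an
    # absolute path (optionally negated with "!"), ALL, or a Cmnd_Alias name.
    rest=$cmds
    while [ -n "$rest" ]; do
      entry=$(trim "${rest%%,*}")
      if [ "${rest%%,*}" = "$rest" ]; then rest=""; else rest=${rest#*,}; fi
      case ${entry%% *} in
        ALL|/*|!/*|[[:upper:]_]*) ;;
        *) printf 'RELATIVE-CMD  %s\n' "$rule"; break ;;
      esac
    done
  done
}

# Constructed sample: the guide's rules plus one grant by bare command name.
SAMPLE_RULES='# constructed sample
%sudo ALL=(ALL:ALL) ALL
escape ALL=(ALL) NOPASSWD: ALL
escape ALL=(ALL) NOPASSWD: /bin/echo, /bin/ls
escape localhost=/sbin/shutdown -h now
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
backup ALL=(root) NOPASSWD: rsync
Defaults env_reset'

audit_sample() { printf '%s\n' "$SAMPLE_RULES" | audit_sudoers_rules; }

# Hypothetical command-line use on a real host:
#   sudo cat /etc/sudoers /etc/sudoers.d/* | sh audit_sudoers.sh --stdin
case ${1:-} in
  --stdin) audit_sudoers_rules ;;
  --sample) audit_sample ;;
esac
```

On the sample, the helper reports the passwordless ALL grant for escape and the rsync rule for backup; every other line passes because its commands are absolute paths or ALL.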
# Allow sudo group to run all commands
%sudo ALL=(ALL:ALL) ALL
# User "escape" can run everything without a password
escape ALL=(ALL) NOPASSWD: ALL
# Restrict "escape" to echo and ls only
escape ALL=(ALL) NOPASSWD: /bin/echo, /bin/ls
# Allow shutdown on localhost
escape localhost=/sbin/shutdown -h now
# Users in %users can run mount/unmount as root
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
3. Configuring Defaults options
# Number of password attempts (default 3)
Defaults passwd_tries=5
# Password timeout in minutes (default 5)
Defaults passwd_timeout=2
# Ask for root's password instead of the invoking user's
Defaults targetpw
# Custom log file
Defaults logfile="/var/log/sudo.log"
Defaults log_host, log_year, logfile="/var/log/sudo.log"
# Preserve selected environment variables
Defaults env_keep += "LANG LC_ADDRESS LC_CTYPE COLORS DISPLAY HOSTNAME EDITOR"
Defaults env_keep += "ftp_proxy http_proxy https_proxy no_proxy"
# Secure PATH for sudo sessions
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
4. Changing visudo's editor from nano to vim
visudo opens whatever the system's editor alternative points to. Change it permanently with update-alternatives, or set the EDITOR variable for a single invocation.
# Choose vim as the default editor
$ sudo update-alternatives --config editor
# (Select the entry for /usr/bin/vim.basic)
# Or set it for the current session
$ export EDITOR=vim
$ sudo EDITOR=vim visudo
5. Forcing Vim to save read‑only files
When editing a file that requires root privileges, use the following command in Vim's normal mode:
:w !sudo tee %
Vim pipes the buffer contents to the external command; % expands to the current file name, and tee, running as root, writes them to the file. To simplify, add a mapping to .vimrc:
cmap w!! w !sudo tee > /dev/null %
6. Using sudoedit for safer file editing
sudoedit (or sudo -e) creates a temporary copy of the target file, opens it with the editor named by SUDO_EDITOR, VISUAL, or EDITOR, and copies the changes back after editing; the original file's ownership is preserved, and the editor itself runs as the invoking user rather than as root.
-e, --edit
Edit one or more files instead of running a command.
The editor is chosen in order: SUDO_EDITOR, VISUAL, EDITOR.
If none are set, the editor from sudoers(5) is used.
Temporary copies are made, edited, then copied back.
7. Adjusting sudo session timeout
By default sudo timestamps expire after 15 minutes. Change the timeout with timestamp_timeout (or passwd_timeout) in /etc/sudoers. Setting it to 0 forces a password prompt for every command; -1 disables the timeout entirely.
# Extend timeout to 20 minutes
Defaults env_reset, timestamp_timeout=20
8. Temporary authorizations via cron and /etc/sudoers.d
Instead of editing /etc/sudoers directly, place per‑user or per‑group files in /etc/sudoers.d and remove them when the temporary grant expires, for example from a daily cron job. sudo ignores drop-in files whose names contain a dot or end in '~' (so editor backups and staged copies are never honoured), and each file should pass visudo -cf before it is put in place.
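The drop-in approach lends itself to an explicit expiry rather than periodically emptying the whole directory. Below is an added example, not from the guide: two hypothetical POSIX shell functions, grant_temp_sudo and expire_temp_sudo, that write a stamped tmp-USER file (same rule as the guide's per-user file: full root with NOPASSWD) and later delete only the files whose stamp has passed. The function names, the '# expires:' stamp format and the SUDOERS_DIR override are assumptions made for the example; visudo -cf is invoked only when it is installed.

```shell
#!/bin/sh
# Added example, not from the article: hypothetical helpers that implement the
# sudoers.d approach with an explicit expiry instead of wiping the directory.
# SUDOERS_DIR is overridable so the functions can be exercised in a scratch dir.
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"

# grant_temp_sudo USER DAYS: write SUDOERS_DIR/tmp-USER granting USER full root
# via sudo without a password, with an expiry stamp DAYS days from now.
grant_temp_sudo() {
  user=$1; days=$2
  expires=$(( $(date +%s) + days * 86400 ))
  file="$SUDOERS_DIR/tmp-$user"
  # Stage under a name containing a dot: sudo skips such files in sudoers.d,
  # so a half-written or invalid rule is never honoured.
  printf '# expires: %s\n%s ALL=(root) NOPASSWD: ALL\n' "$expires" "$user" > "$file.staging"
  chmod 0440 "$file.staging"
  # Syntax-check before activation when visudo is available (it is on real hosts).
  if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$file.staging" >/dev/null 2>&1; then
    rm -f "$file.staging"
    return 1
  fi
  mv "$file.staging" "$file"
}

# expire_temp_sudo: remove every tmp-* drop-in whose stamp is in the past and
# print how many were removed. Intended to run from a daily root cron job.
expire_temp_sudo() {
  now=$(date +%s); removed=0
  for f in "$SUDOERS_DIR"/tmp-*; do
    [ -f "$f" ] || continue
    exp=$(sed -n 's/^# expires: \([0-9][0-9]*\)$/\1/p' "$f")
    [ -n "$exp" ] || continue          # no stamp: leave it for a human to review
    if [ "$exp" -le "$now" ]; then
      rm -f "$f"
      removed=$((removed + 1))
    fi
  done
  echo "$removed"
}

# Hypothetical command-line use:  sh temp_sudo.sh grant alice 3   |   sh temp_sudo.sh expire
case ${1:-} in
  grant)  grant_temp_sudo "$2" "$3" ;;
  expire) expire_temp_sudo ;;
esac
```

Run expire_temp_sudo from a root cron job (for example a script in /etc/cron.daily); because grant_temp_sudo stages the rule under a dotted name and moves it into place only after the syntax check, an unparseable file never becomes live, and permanent drop-ins without a stamp are left untouched.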
# List cron directories
$ ls -dl /etc/cron.*
# Example of a temporary sudoers.d file
$ cat /etc/sudoers.d/zhangsan
zhangsan ALL=(root) NOPASSWD: ALL
# Cron job to clean the directory daily (removes every drop-in, including permanent ones)
$ rm -rf /etc/sudoers.d/*
9. Preserving environment variables in sudo sessions
sudo resets the environment by default (env_reset). To keep specific variables, add them to env_keep. The -E flag preserves the caller's environment for a single command; sudoers only honours it when the matching rule carries the SETENV tag, the setenv option is enabled, or the command is ALL. Alternatively, disable env_reset in /etc/sudoers.
# Show current sudoers (filtered)
$ sudo sed '/^#/d;/^$/d' /etc/sudoers
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS"
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Preserve environment with -E
$ sudo -E command
# Disable env_reset (use with caution)
Defaults !env_reset
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
