sudo Internals
You type sudo apt install nginx, enter your password, and the package installs. But what actually happened? sudo is a SUID binary that temporarily gains root privileges, authenticates you through PAM, checks your authorization against sudoers, and runs your command as root. Each step is worth understanding.
The setuid Mechanism
How does sudo run commands as root if you're not root?
sudo's binary has the SUID (Set User ID) bit set and is owned by root. When any user executes it, the kernel sets the process's effective UID to root (the file owner) before running the program. sudo now has root's privileges and can do root things — like reading /etc/shadow to verify your password, or exec'ing a program with root's UID.
# sudo is a setuid-root binary:
ls -la /usr/bin/sudo
# -rwsr-xr-x 1 root root 232416 /usr/bin/sudo
#    ^
#    +-- s in the owner execute position = SUID bit set (run as the file owner, which is root)
# When you run: sudo nginx
# 1. Your shell fork()s
# 2. Child calls execve("/usr/bin/sudo", ...)
# 3. Kernel sees SUID bit, sets euid=0 (root) for the new process
# 4. sudo now has root's effective UID
# 5. sudo authenticates you, checks sudoers
# 6. sudo exec()s nginx with uid=0
# Verify:
id # uid=1000(user) gid=1000
sudo id # uid=0(root) gid=0(root)
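The ownership and mode shown above are exactly what makes the mechanism safe or dangerous: the kernel grants the file owner's UID, so a setuid binary owned by someone other than root grants that user instead, and a setuid-root binary that group or world can write is root for whoever edits it. The check below is an added example, not code from the original page; it parses an `ls -l`-style line (the sample lines are constructed to mirror the page's output) and reports whether the binary is setuid root and otherwise protected.

```shell
#!/bin/sh
# Added example (not from the original page): verify that a binary is
# setuid-root and not modifiable by group/other, from an "ls -l" line.
# Usage: check_setuid_root "$(ls -l /usr/bin/sudo)"

# Field 1 of an ls -l line is the mode string, field 3 the owner.
mode_of()  { printf '%s\n' "$1" | awk '{print $1}'; }
owner_of() { printf '%s\n' "$1" | awk '{print $3}'; }

# SUID shows as 's' (or 'S' when the owner execute bit is absent) at
# position 4 of the mode string, e.g. -rwsr-xr-x.
has_suid() {
    case "$(printf '%s' "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Group write is position 6, other write is position 9.
is_group_or_world_writable() {
    [ "$(printf '%s' "$1" | cut -c6)" = w ] && return 0
    [ "$(printf '%s' "$1" | cut -c9)" = w ] && return 0
    return 1
}

# Returns 0 when owner is root, SUID is set and the file is not
# group/world writable; prints the reason and returns 1 otherwise.
check_setuid_root() {
    line=$1
    m=$(mode_of "$line")
    o=$(owner_of "$line")
    if [ "$o" != root ]; then
        echo "FAIL: owner is '$o', so SUID would grant '$o', not root"; return 1
    fi
    if ! has_suid "$m"; then
        echo "FAIL: SUID bit not set ($m), sudo cannot gain root"; return 1
    fi
    if is_group_or_world_writable "$m"; then
        echo "FAIL: setuid-root binary is group/world writable ($m)"; return 1
    fi
    echo "OK: $m owned by $o"
    return 0
}

# Constructed sample lines (modelled on the page's ls -la output):
GOOD='-rwsr-xr-x 1 root root 232416 /usr/bin/sudo'
NOSUID='-rwxr-xr-x 1 root root 232416 /usr/bin/sudo'
WRITABLE='-rwsrwxrwx 1 root root 232416 /usr/bin/sudo'
NOTROOT='-rwsr-xr-x 1 alice alice 232416 /usr/bin/sudo'

# Check the real binary when it exists, otherwise just the samples.
if [ -e /usr/bin/sudo ]; then
    check_setuid_root "$(ls -l /usr/bin/sudo)"
fi
for sample in "$GOOD" "$NOSUID" "$WRITABLE" "$NOTROOT"; do
    check_setuid_root "$sample"
done
```

The same functions work on any `ls -l` line, so they can be run over the output of `find / -perm -4000 -type f -exec ls -l {} +` to review every setuid binary on a host rather than only sudo.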
PAM Authentication
Why does sudo ask for YOUR password instead of root's?
sudo uses PAM (Pluggable Authentication Modules) which is configured to verify the calling user's password. This is safer than sharing a root password: each admin uses their own password, audit logs show which user ran which command, and you can revoke one person's sudo access without changing the root password.
# sudo's PAM configuration:
cat /etc/pam.d/sudo
# auth include common-auth
# account include common-account
# session include common-session-noninteractive
# PAM modules stack:
# pam_unix.so = verify password against /etc/shadow
# pam_google_authenticator.so = 2FA (if configured)
# pam_ldap.so = LDAP/AD authentication (if configured)
# sudo caches credentials for 15 minutes (default):
# After first successful auth, re-running sudo within 15 min = no password
sudo -k # invalidate cached credentials immediately
# Configure timeout in /etc/sudoers:
# Defaults timestamp_timeout=30 (minutes, 0=always ask, -1=never ask)
# sudo NOPASSWD — skip password for specific command:
# In /etc/sudoers: user ALL=(ALL) NOPASSWD: /usr/bin/apt
sudoers File Syntax
# /etc/sudoers (always edit with: visudo)
# Format: who where=(as_who) what
# All root commands for any user in sudo group:
%sudo ALL=(ALL:ALL) ALL
# Specific user can run specific commands:
alice ALL=(root) /usr/bin/apt, /usr/bin/systemctl
# User can run as any user, any host, specific commands:
bob ALL=(ALL) /usr/bin/kubectl, /usr/bin/docker
# Allow without password:
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
# Run as a specific user (not root):
ci ALL=(deploy) /usr/local/bin/deploy.sh
# Aliases for cleaner rules:
User_Alias ADMINS = alice, bob, carol
Cmnd_Alias SERVICES = /usr/bin/systemctl, /usr/sbin/service
ADMINS ALL = SERVICES
# /etc/sudoers.d/ — drop-in files (cleaner than editing main file):
echo "alice ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/alice-nopass
chmod 440 /etc/sudoers.d/alice-nopass
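Both the PAM-side settings above (`timestamp_timeout`, `NOPASSWD`) and the sudoers rules live in files whose syntax and permissions sudo checks strictly, so a practitioner installs drop-ins through a validated path rather than a bare `echo`. The script below is an added example, not the page's own code: it lints a candidate drop-in for the settings discussed above, validates it with `visudo -cf` when `visudo` is available, and installs it with mode 0440. It assumes the directory in `SUDOERS_D` (default `/etc/sudoers.d`), which can be pointed at a scratch directory to exercise the functions without root; the rule text is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): install a sudoers drop-in
# only after linting and syntax validation. SUDOERS_D defaults to the
# real directory but may be overridden for testing as a normal user.
SUDOERS_D=${SUDOERS_D:-/etc/sudoers.d}

# lint_sudoers FILE: one line per finding, return 1 if anything was found.
lint_sudoers() {
    f=$1
    rc=0
    # NOPASSWD applied to ALL commands removes the password check entirely.
    if grep -Eq 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' "$f"; then
        echo "$f: NOPASSWD applied to ALL commands"; rc=1
    fi
    # timestamp_timeout=-1 keeps cached credentials for the whole session.
    if grep -Eq 'timestamp_timeout[[:space:]]*=[[:space:]]*-1' "$f"; then
        echo "$f: timestamp_timeout=-1 never re-asks for a password"; rc=1
    fi
    return $rc
}

# dropin_name_ok NAME: sudo ignores drop-ins whose name contains a '.' or
# ends in '~' (editor and package-manager backups), so such a file would
# silently never take effect. Path separators are rejected too.
dropin_name_ok() {
    case "$1" in
        ''|*/*|*.*|*~) return 1 ;;
        *) return 0 ;;
    esac
}

# install_dropin NAME: rule text on stdin -> $SUDOERS_D/NAME (mode 0440).
# Staged under a dotted temp name, which sudo ignores until the rename.
install_dropin() {
    name=$1
    if ! dropin_name_ok "$name"; then
        echo "$name: invalid drop-in name (sudo would ignore it)"; return 1
    fi
    tmp=$(mktemp "$SUDOERS_D/.$name.XXXXXX") || return 1
    cat > "$tmp"
    chmod 0440 "$tmp"
    if ! lint_sudoers "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if command -v visudo >/dev/null 2>&1 && ! visudo -cqf "$tmp"; then
        echo "$name: syntax error, not installed"; rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$SUDOERS_D/$name"
}

# Usage (as root, or with SUDOERS_D pointed at a scratch directory):
#   printf 'deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx\n' \
#       | install_dropin deploy-restart
```

The staging name deliberately contains a dot so that a half-written or rejected file is never picked up by sudo; only the final `mv` makes the rule live. Run with `SUDOERS_D=$(mktemp -d)` to see the lint reject `alice ALL=(ALL) NOPASSWD: ALL` while accepting the narrower `deploy` rule.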
sudo Logging and Audit
# sudo logs to syslog by default:
grep sudo /var/log/auth.log
# Jan 15 12:34:56 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt install nginx
# sudo logs show: user, where, target user, exact command
# This is the forensic trail for compliance
# sudo also integrates with auditd:
# If auditd is running, sudo events appear in /var/log/audit/audit.log
# type=USER_CMD msg=audit(...): pid=1234 uid=1000 auid=1000 ses=1 msg='cwd="/home/alice" cmd="apt install nginx"'
# Check if you can sudo:
sudo -l # list allowed commands for current user
sudo -l -U alice # list allowed commands for alice (as root)
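Because every record carries the invoking user, target user and exact command in a fixed ` ; `-separated layout, the syslog trail can be parsed mechanically. The script below is an added example, not code from the page: it turns sudo's syslog lines into tab-separated records and flags the two things a reviewer looks at first, authentication failures (sudo logs the reason in place of `TTY=`) and commands that start a shell, after which sudo no longer logs what was typed. The log lines are constructed for the example and follow the Debian-style `auth.log` format shown above.

```shell
#!/bin/sh
# Added example (not from the original page): parse and triage sudo
# syslog records. SAMPLE_LOG is constructed; a real run would use
# grep sudo /var/log/auth.log | parse_sudo_log | flag_sudo_events
SAMPLE_LOG='Jan 15 12:34:56 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt install nginx
Jan 15 12:35:10 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jan 15 12:36:02 host sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Jan 15 12:37:44 host sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
Jan 15 12:38:00 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)'

# parse_sudo_log: stdin -> one TSV record per command line:
#   invoking_user <TAB> status <TAB> target_user <TAB> command
# status is "ok" unless sudo logged a reason before the TTY= field.
parse_sudo_log() {
    awk '
        # Only command records carry COMMAND=; PAM session lines are skipped.
        / sudo: / && /COMMAND=/ {
            rec = $0
            sub(/^.* sudo: +/, "", rec)          # drop the syslog prefix
            n = split(rec, parts, / ; /)          # fields are " ; " separated
            head = parts[1]                       # "alice : TTY=pts/0" or "bob : 3 incorrect ..."
            sep = index(head, " : ")
            user = substr(head, 1, sep - 1)
            first = substr(head, sep + 3)
            status = "ok"
            if (first !~ /^TTY=/) status = first  # failure reason replaces TTY=
            target = ""; cmd = ""
            for (i = 1; i <= n; i++) {
                if (parts[i] ~ /^USER=/)    target = substr(parts[i], 6)
                if (parts[i] ~ /^COMMAND=/) cmd = substr(parts[i], 9)
            }
            printf "%s\t%s\t%s\t%s\n", user, status, target, cmd
        }'
}

# flag_sudo_events: TSV from parse_sudo_log -> records worth reviewing.
flag_sudo_events() {
    awk -F '\t' '
        $2 != "ok" { print "AUTH-FAILURE\t" $1 "\t" $2 "\t" $4; next }
        {
            # basename of the executable (first word of the command)
            split($4, w, " "); n = split(w[1], p, "/"); exe = p[n]
            # A shell started through sudo: commands typed inside it are
            # not logged by sudo, so the audit trail ends at this record.
            if (exe ~ /^(sh|bash|zsh|dash|ksh|su)$/)
                print "ROOT-SHELL\t" $1 "\t" $3 "\t" $4
        }'
}

printf '%s\n' "$SAMPLE_LOG" | parse_sudo_log | flag_sudo_events
```

On the constructed sample this prints one ROOT-SHELL record for alice and two AUTH-FAILURE records for bob and carol; the apt install and the PAM session line produce nothing. Pairing the ROOT-SHELL records with the auditd `USER_CMD` events above is how the gap in the trail is closed on hosts where auditd is running.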