# Chapter 9: sudo and Privilege Escalation

## Overview

This chapter covers sudo configuration and privilege escalation techniques for secure system administration.

## Why This Matters in DevOps/SRE

sudo is critical for security and operational access in production environments:
```text
sudo for DevOps/SRE
+--------------------------------------------------------------------------+
|                                                                          |
|  Security & Compliance:                                                  |
|  +--------------------------------------------------------------------+  |
|  | Root access logging          → Who ran what, when                  |  |
|  | Principle of Least Privilege → Granular permissions                |  |
|  | Password requirements        → Multi-factor auth integration       |  |
|  | Session timeout              → Auto-logout after inactivity        |  |
|  +--------------------------------------------------------------------+  |
|                                                                          |
|  Emergency Access:                                                       |
|  +--------------------------------------------------------------------+  |
|  | Break-glass accounts         → Emergency root access               |  |
|  | sudo -i                      → Root shell when needed              |  |
|  | Password recovery            → Single-user mode (when needed)      |  |
|  +--------------------------------------------------------------------+  |
|                                                                          |
|  Automation:                                                             |
|  +--------------------------------------------------------------------+  |
|  | CI/CD sudo                   → Ansible, Terraform need privileged  |  |
|  |                                exec                                |  |
|  | Service restart              → systemctl needs sudo                |  |
|  | Log rotation                 → Root access for /var/log            |  |
|  +--------------------------------------------------------------------+  |
|                                                                          |
+--------------------------------------------------------------------------+
```

Practical Impact:
- Audit trail for all privileged commands (compliance)
- Delegate specific commands without giving full root
- Respond to incidents with controlled emergency access
- Automate tasks requiring elevation securely
## 9.1 Understanding sudo

### sudo vs su

```text
sudo vs su Flow
+------------------------------------------------------------------+
|                                                                  |
|  Using sudo:                                                     |
|  +---------+      +-------+      +-------------+                 |
|  | Regular |----->| sudo  |----->| Verify      |                 |
|  | User    |      |command|      | /etc/sudoers|                 |
|  +---------+      +-------+      +-------------+                 |
|                                        |                         |
|                                        v                         |
|                                  +-------------+                 |
|                                  | Permission  |                 |
|                                  | Check       |                 |
|                                  +-------------+                 |
|                                        |                         |
|                                        v                         |
|                                  +-------------+                 |
|                                  | Execute     |                 |
|                                  | Command     |                 |
|                                  +-------------+                 |
|                                                                  |
|  Using su:                                                       |
|  +---------+      +-------+      +-------------+                 |
|  | Regular |----->| su -  |----->| Root        |                 |
|  | User    |      |       |      | Password    |                 |
|  +---------+      +-------+      +-------------+                 |
|                                        |                         |
|                                        v                         |
|                                  +-------------+                 |
|                                  | Root        |                 |
|                                  | Shell       |                 |
|                                  +-------------+                 |
|                                                                  |
+------------------------------------------------------------------+
```

## 9.2 sudo Configuration
### Basic sudo Usage

```bash
# Run command as root
sudo command

# Run command as specific user
sudo -u username command

# Run command as root with root's login environment
sudo -i command

# Edit file with root privileges
sudoedit /etc/file
sudo -e /etc/file
```
### /etc/sudoers Configuration

```bash
# Basic sudoers file

# User privilege specification
username ALL=(ALL:ALL) ALL

# Group privilege specification
%groupname ALL=(ALL:ALL) ALL

# No password required
username ALL=(ALL) NOPASSWD: ALL

# Specific command only
username ALL=(ALL) /usr/bin/systemctl restart nginx
```

## 9.3 Arch Linux sudo Setup
### Installing and Configuring sudo

```bash
# Install sudo (usually pre-installed)
sudo pacman -S sudo

# Add user to wheel group
sudo usermod -aG wheel username

# Configure wheel group
sudo visudo
# Uncomment: %wheel ALL=(ALL) ALL
```

## 9.4 Privilege Escalation
### Checking sudo Access

```bash
# Check your sudo privileges
sudo -l

# Check specific user's privileges
sudo -l -U username
```

### Common sudo Commands

```bash
# System administration
sudo systemctl restart service
sudo systemctl status nginx
sudo journalctl -u service

# File operations
sudo cat /etc/shadow
sudo chmod 777 /path   # illustration only: 777 makes the path world-writable
sudo chown user:group /path

# Network operations
sudo iptables -L
sudo netstat -tulpn

# Package management (Arch)
sudo pacman -S package
yay -S package  # If in sudoers
```

---

## 9.5 Security Best Practices

```bash
# Best practices for sudo

# 1. Use specific commands instead of ALL
username ALL=(ALL) /usr/bin/systemctl restart nginx

# 2. Use NOPASSWD sparingly
# Only for specific automated tasks
username ALL=(ALL) NOPASSWD: /path/to/script.sh

# 3. Log all sudo usage
# In /etc/sudoers
Defaults logfile=/var/log/sudo.log

# 4. Require password for dangerous commands
username ALL=(ALL) /bin/rm, /bin/mkfs, /usr/bin/pacman -S*
```

## 9.6 Advanced sudo Configuration
---
## 9.7 Troubleshooting
---
## Common Mistakes & Anti-Patterns
### 1. Giving Too Much sudo Access
```bash
# ❌ WRONG: NOPASSWD ALL is dangerous
username ALL=(ALL) NOPASSWD: ALL   # Can do anything without password!

# ✅ CORRECT: Specific commands only
username ALL=(ALL) /usr/bin/systemctl restart myapp
username ALL=(ALL) /usr/bin/nginx, /usr/bin/systemctl nginx
```
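As an added example (not code from this chapter), the following Python script parses a constructed sudoers fragment and flags the patterns that section 9.5 and Mistake 1 warn about: `NOPASSWD: ALL`, an unrestricted `ALL` for anyone other than the wheel group, and wildcards in command arguments (which in sudoers can match more of the command line than intended). The sample entries, the `SPEC_RE` parser and its skipping of aliases and includes are this example's own simplifications, not sudo's grammar.

```python
import re
# Constructed sample sudoers content (not from any real host): it mixes the
# forms this chapter recommends with the ones it warns against.
SAMPLE_SUDOERS = """\
%wheel  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync
alice   ALL=(ALL) /usr/bin/systemctl restart nginx
bob     ALL=(ALL) /usr/bin/pacman -S*
carol   ALL=(ALL) /bin/rm, /bin/mkfs
Defaults logfile=/var/log/sudo.log
"""

# who  hosts=(runas) [NOPASSWD:] cmd, cmd ...  (minimal: no aliases/includes)
SPEC_RE = re.compile(
    r"^(?P<who>[%+]?[\w.-]+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text):
    """Return one dict per user/group specification line."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith(SKIP):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        cmds = cmds.replace("NOPASSWD:", "").replace("PASSWD:", "")
        specs.append({"who": m.group("who"), "nopasswd": nopasswd,
                      "runas": m.group("runas") or "root",
                      "cmds": [c.strip() for c in cmds.split(",")]})
    return specs

def audit_sudoers(text):
    """Flag this chapter's anti-patterns as (who, reason) pairs."""
    findings = []
    for s in parse_sudoers(text):
        for cmd in s["cmds"]:
            if cmd == "ALL" and s["nopasswd"]:
                findings.append((s["who"], "NOPASSWD: ALL is passwordless root"))
            elif cmd == "ALL" and s["who"] not in ("root", "%wheel"):
                findings.append((s["who"], "ALL with no command restriction"))
            elif "*" in cmd:
                findings.append((s["who"], f"wildcard in '{cmd}': review arguments"))
    return findings
```

Run it against `sudo cat /etc/sudoers` output (or files under `/etc/sudoers.d/`) to get a quick list of entries worth tightening; `visudo -c` still remains the authority on whether the file is syntactically valid.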
### 2. Not Using visudo
```bash
# ❌ WRONG: Editing /etc/sudoers directly
vi /etc/sudoers   # Can break sudo if you make a mistake!

# ✅ CORRECT: Use visudo
visudo                           # Validates syntax before saving
visudo -f /etc/sudoers.d/custom  # For custom configs
```
### 3. Ignoring sudo Logging
```bash
# ❌ WRONG: Not checking sudo logs
# Never know who did what!

# ✅ CORRECT: Monitor sudo logs
journalctl _COMM=sudo        # Systemd journal (sudo has no unit of its own)
tail -f /var/log/secure      # RHEL/CentOS
grep sudo /var/log/auth.log  # Debian/Ubuntu
```
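As an added example (not from the chapter), this Python script turns constructed auth.log-style sudo lines into the audit trail Mistake 3 asks for, separating successful runs from denials (wrong password, user not in sudoers, command not allowed). Hostnames, users and timestamps are invented; the `LINE_RE` pattern assumes sudo's default syslog line format and ignores everything else.

```python
import re

# Constructed sudo syslog lines in the format found in /var/log/auth.log
# (Debian/Ubuntu) or /var/log/secure (RHEL); not captured from a real host.
SAMPLE_LOG = """\
Feb 10 12:34:56 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Feb 10 12:35:10 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Feb 10 12:36:00 web1 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Feb 10 12:37:42 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -u nginx
Feb 10 12:38:05 web1 sudo:     dave : command not allowed ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/pacman -Rns sudo
Feb 10 12:39:00 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 50222 ssh2
"""

# A successful run has no reason field; a denial carries one before TTY=.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

def parse_sudo_log(text):
    """One dict per sudo line; lines from other daemons are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["reason"] = ev["reason"] or ""
        ev["ok"] = ev["reason"] == ""      # denied runs carry a reason
        events.append(ev)
    return events

def audit_report(text):
    """Who ran what as whom, plus every denied attempt for follow-up."""
    events = parse_sudo_log(text)
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append((e["runas"], e["cmd"]))
    denied = [(e["user"], e["reason"], e["cmd"]) for e in events if not e["ok"]]
    return {"total": len(events), "by_user": by_user, "denied": denied}
```

Feed it `grep sudo /var/log/auth.log` or `journalctl _COMM=sudo -o short` output; the denied list is the part worth alerting on, since repeated password failures or attempts by users who are not in sudoers are the signals the log exists to surface.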
### 4. Using su Instead of sudo
```bash
# ❌ WRONG: Sharing root password
su -   # Everyone knows root password!
       # Can't audit who did what

# ✅ CORRECT: Use sudo everywhere
sudo su -   # Requires sudo, logged
sudo -i     # Interactive root shell, logged
```
---
## Interview Questions
1. **What is the difference between sudo and su?**
2. **How do you give a user permission to run only specific commands with sudo?**
3. **What is the purpose of the sudoers file?**
4. **How do you audit sudo commands?**
5. **What are the security implications of NOPASSWD?**
6. **Explain the sudo timestamp timeout**
---
## Summary
This chapter covered:

- ✅ sudo vs su difference
- ✅ Basic sudo configuration
- ✅ /etc/sudoers syntax
- ✅ Arch Linux sudo setup
- ✅ Privilege escalation commands
- ✅ Security best practices
---
## Next Chapter
[Chapter 10: PAM and Authentication](./10_pam_authentication.md)
---
*Last Updated: February 2026*