Ubuntu Server 18.04 – Locking down sudo


We’ve been using the sudo command throughout the tutorial. In fact, we took a deeper look at it during Chapter 2, Managing Users. Therefore, I won’t go into too much detail regarding sudo here, but some things bear repeating as sudo has a direct impact on security.

First and foremost, access to sudo should be locked down as much as possible. A user with full sudo access is a threat, plain and simple. All it would take is for someone with full sudo access to make a single mistake with the rm command to cause you to lose data or render your entire server useless. After all, a user with full sudo access can do anything root can do (which is everything).

By default, the user you’ve created during installation will be made a member of the sudo group. Members of this group have full access to the sudo command. Therefore, you shouldn’t make any user a member of this group unless you absolutely have to. In Chapter 2, Managing Users, I talked about how to control access to sudo with the visudo command; refer to that chapter for a refresher if you need it. In a nutshell, you can lock down access to sudo to specific commands, rather than allowing your users to do everything. For example, if a user needs access to shut down or reboot a server, you can give them access to perform those tasks (and only those tasks) with the following setting:

charlie    ALL=(ALL:ALL) /usr/sbin/reboot,/usr/sbin/shutdown

This line is configured via the visudo command, which we covered in Chapter 2, Managing Users.

For the most part, if a user needs access to sudo, just give them access to specific commands that are required as part of their job. If a user needs access to work with removable media, give them sudo access for the mount and umount commands. If they need to be able to install new software, give them access to the apt suite of commands, and so on. The fewer permissions you give a user, the better. This goes all the way back to the principle of least privilege that we went over near the beginning of this chapter.
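Before narrowing anyone's access, it helps to know which entries still grant every command. The script below is an added example, not part of the original tutorial: it reads sudoers-format text and prints each user or %group whose command list contains ALL. The function names and the sample entries (including the users dana and erin) are constructed for illustration, and it assumes one rule per line.

```shell
#!/usr/bin/env bash
# Added example: list sudoers entries whose command list contains ALL.
# Assumes one rule per line (no backslash continuations); reads stdin.

find_full_sudo() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments, #include lines, blanks
        $1 ~ /^(Defaults.*|(User|Runas|Host|Cmnd)_Alias)$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            spec = substr($0, eq + 1)        # everything after the host part
            gsub(/\([^)]*\)/, "", spec)      # drop (runas) specifications
            gsub(/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):[ \t]*/, "", spec)
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                sub(/^[ \t]+/, "", cmds[i])
                sub(/[ \t]+$/, "", cmds[i])
                if (cmds[i] == "ALL") { print $1; next }
            }
        }
    '
}

# Constructed sample input, not taken from a real host.
sample_sudoers() {
    cat <<'EOF'
# Constructed sample sudoers content
Defaults        env_reset
Cmnd_Alias POWER = /usr/sbin/reboot, /usr/sbin/shutdown
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
charlie    ALL=(ALL:ALL) /usr/sbin/reboot,/usr/sbin/shutdown
dana    ALL=(root) NOPASSWD: /bin/mount, /bin/umount
erin    ALL=(ALL) NOPASSWD: ALL
EOF
}

# Report the unrestricted entries in the sample.
sample_sudoers | find_full_sudo
```

On a real server, feed the function the contents of /etc/sudoers and the files under /etc/sudoers.d (read as root). When %sudo is reported, getent group sudo shows which accounts inherit that access.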

Although most of the information in this section is not new to anyone who has already read Chapter 2, Managing Users, sudo access is one of those things a lot of people don’t think about when it comes to security. The sudo command with full access is equivalent to giving someone full access to the entire server. Therefore, it’s an important thing to keep in mind when it comes to hardening the security of your network.
