Using Sudo to Manage Administrators

The sudo command and capability (superuser do) can be a valuable tool when multiple users are responsible for managing parts of a server or servers. In particular, sudo is important when you need to restrain the use of ‘root’ and/or need to log all administrative actions and changes and would like a record of who did what.

My main preference for sudo is its expiring session (or ticket as GratiSoft calls it). Once switched into sudo for activity, the session expires after five minutes, or continues at five minute (can be modified) intervals as commands are executed. This allows for added security if an administrator leaves his or her workstation briefly as a root shell is not left open.

GratiSoft maintains an excellent web site on sudo (and sponsors the development of sudo) — (http://www.courtesan.com/sudo/sudo.html).

Through building a configuration file, a senior administrator can dole out system admin responsibilities through sudo, assigning what commands can be executed by username per host. In addition, being carried out in a multiple host environment, audit trail logging done on a centralized host as well as each systems localhost logs.

GratiSoft suggests correctly that one way to get more familiar with sudo is to review a sample configuration. They posted one such file here.

As sudo supports numerous platforms, this also works in mixed OS environments — see the supported platforms here.