Account Security Demo #3 (Sudo)

Difficulty: Intermediate
Duration: 40m
Students: 73
Ratings: 5/5
Description

In this course, you'll learn about account security in Linux including pluggable authentication modules (PAM), password security, account access controls, and account types.

Learning Objectives

  • Learn about PAM and how to configure pluggable authentication modules
  • Understand the different types of accounts you'll find on a Linux system and the special precautions you need to take with each account type
  • Learn how to enforce good password security practices on your Linux systems
  • Learn how to make an account's password expire, how to expire an account itself, and how to lock and unlock accounts
  • Understand how to monitor log files and use intrusion detection systems
  • Learn about multi-factor authentication and how it can be implemented in Linux

Intended Audience

This course is intended for anyone who wants to understand how to secure their Linux systems.

Prerequisites

To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.

Transcript

For this demo, I'm just going to go ahead and use the root account. First, let's run visudo. You can see that it starts an editor; in this case it's vi. Let me go ahead and exit out of that. And you can specify the editor that you want to use by setting the EDITOR environment variable. I'll go ahead and do that for mine. Set it to nano, and then run visudo again. Now you can see that the nano editor was started. I'm gonna go ahead and switch back to vi since I'm more comfortable with that editor, exit out there, EDITOR equals vi, run visudo yet again.

One big advantage to using visudo instead of directly editing the file is that it performs syntax checking. I'm just gonna put some invalid data here at the top of the file, and then go ahead and save that file, like I'm going to write and quit and exit this file. So as you can see, visudo detected an error and then asks you what you want to do next. So, I'm just gonna hit the enter key right here to show the options. So at this point, you can either edit the file again, you can abandon your changes, or you can force save them. Now don't do that because you don't want an invalid sudoers configuration. So I'm gonna go ahead and edit the file again. And I will take out this bad data that I put in there. I wanna exit this time, there's no error, so the syntax is correct for that file. Let me just fire this up one last time here.

Now let's create a specification for a user named Bob. I'll just put this at the bottom of the file. And let's allow Bob to run the /usr/bin/yum command as the root user on all systems. And we'll go ahead and exit out of sudo here, and then so let's look at what Bob is allowed to run. I'll clear the screen and run sudo -l, and I'll specify Bob with a -U, which user's configuration I wanna list. And there it shows that Bob can run the /usr/bin/yum command. I can also do a -ll, which more or less gives more verbose output. I'll do that here for Bob, and then it just puts it in a slightly different format, and it gives a little bit more information here.

So now I'm gonna go ahead and switch to the Bob account. And if I was Bob and logged into this system I could run sudo -l as myself, and it will show me what I can do. I'll enter my password there. And again, you can see that Bob is allowed to run the yum command. So, let's install some software as Bob since that's what the yum command allows us to do. I'll run yum install, and install this program called dstat, which I kinda like to monitor system activity. So it's downloading and installing. And so that command got executed as the root user. I'll go ahead and exit out of here.

Let's create a file in /etc/sudoers.d. So to do this, I'll use visudo -f and specify sudoers. Now let's allow Bob to run the whoami command as anyone on the system. Now you can see Bob can run yum as root, and whoami as anyone. So I'll switch to Bob's account. When Bob runs whoami, it says he's Bob. So let's use sudo with the -u (lowercase u), which means to run the following command as this user, and I'm going to do that with a user Jason. So now when I execute that command, whoami, it says you're Jason. All right, let's do this again. And let's run a command as the apache user. And again, the whoami command returns the effective user, which is apache, because we use sudo to effectively execute the command as the apache user.

So even though this may be a bit of a contrived example, the point is that you can give permissions to one user to run commands as another user, and tightly control that access. Also, there's a clear audit trail. This system is configured to log sudo messages into /var/log/secure. Let's look at that file real quick. You can see exactly what user ran what command, and it even tells you what directory they were in when they executed that command.
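
The audit trail described at the end of the demo can be checked mechanically. The following is an added example, not part of the transcript or the course material: a shell function that reads sudo entries in the format written to /var/log/secure and compares each one with the two rules the demo sets up for Bob. The log lines, the host name `host1`, the function names and the verdict labels are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample lines are constructed, in the format sudo logs via syslog.
sample_log() {
cat <<'EOF'
Mar  3 10:15:02 host1 sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/yum install dstat
Mar  3 10:16:40 host1 sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=jason ; COMMAND=/usr/bin/whoami
Mar  3 10:17:05 host1 sudo:     bob : TTY=pts/0 ; PWD=/tmp ; USER=apache ; COMMAND=/usr/bin/whoami
Mar  3 10:18:11 host1 sudo:     bob : command not allowed ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Mar  3 10:19:00 host1 sshd[1234]: Accepted password for bob from 192.0.2.10 port 50022 ssh2
Mar  3 10:20:30 host1 sudo:   jason : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo
EOF
}

# Reads syslog lines on stdin; prints verdict, user, run-as user, directory
# and command, tab-separated. Non-sudo lines are ignored.
audit_sudo() {
awk '
/ sudo: / {
    line = substr($0, index($0, " sudo: ") + 7)
    sub(/^ +/, "", line)                       # sudo pads the user name
    j = index(line, " : ");  if (j == 0) next
    user = substr(line, 1, j - 1)
    rest = substr(line, j + 3)
    c = index(rest, "COMMAND=");  if (c == 0) next
    cmd = substr(rest, c + 8)                  # command may itself contain " ; "
    pwd = ""; runas = ""; status = ""
    n = split(substr(rest, 1, c - 1), part, " ; ")
    for (i = 1; i <= n; i++) {
        p = part[i]
        if (p ~ /^PWD=/) pwd = substr(p, 5)
        else if (p ~ /^USER=/) runas = substr(p, 6)
        else if (p != "" && p !~ /^[A-Z_]+=/) status = p   # e.g. "command not allowed"
    }
    bin = cmd; sub(/ .*/, "", bin)
    verdict = "REVIEW"                         # ran, but outside the rules from the demo
    if (status != "") verdict = "DENIED"       # sudo itself refused the request
    else if (user == "bob" && bin == "/usr/bin/yum" && runas == "root") verdict = "OK"
    else if (user == "bob" && bin == "/usr/bin/whoami") verdict = "OK"
    printf "%s\t%s\t%s\t%s\t%s\n", verdict, user, runas, pwd, cmd
}'
}

sample_log | audit_sudo
```

On a live system the same function can be fed the real file, for example `audit_sudo < /var/log/secure`, run as a user allowed to read it.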

About the Author
Jason Cannon
Founder, Linux Training Academy
Students: 4251
Courses: 61
Learning Paths: 8

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Amazon.com. Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.