Elevating privileges with sudo

• This how-to helps improve security with sudo when using command-line interface.
• Log in as an unprivileged user and use sudo to run commands with elevated privileges.

• Drop user privileges by default.
• Elevate user privileges on demand.

Install the required packages.

# Install packages
opkg update
opkg install shadow-useradd shadow-usermod shadow-groupadd sudo

Create an unprivileged test user and set him a password.

# Create a user
useradd -m -s /bin/ash test
 
# Set user password
passwd test

Create a privileged group and make the test user its member.

# Create system group
groupadd -r sudo
 
# Add user to group
usermod -a -G sudo test

Grant root privileges to the group when using sudo.

# Configure sudoers
cat << EOF > /etc/sudoers.d/00-custom
%sudo ALL=(ALL) ALL
EOF

Log in as an unprivileged user. Elevate privileges for a specific command.

sudo -i -u test
id
sudo id

Collect and analyze the following information.

id test
ls -l /etc/sudoers /etc/sudoers.d/*
grep -v -e "^#" -e "^$" /etc/sudoers /etc/sudoers.d/*

• useradd
• usermod
• groupadd
• passwd
• sudo
• visudo

Add the user by hand using a unique UID and GID.

# Edit configs
vi /etc/passwd
vi /etc/group
vi /etc/shadow
 
# Create home directory
mkdir -p /home/test
 
# Set permissions
chown test:test /home/test
 
# Set user password
passwd test

Check the resulting configs.

# Check configs
> grep -e test /etc/passwd /etc/group /etc/shadow
/etc/passwd:test:x:1000:1000::/home/test:/bin/ash
/etc/group:test:!:1000:
/etc/shadow:test:$1$uPzGJ3jI$n7ld4E73SPsIx0QTXPMfu1:19615:0:99999:7:::

Install the required packages. Remove the user and group.

# Install packages
opkg update
opkg install shadow-userdel shadow-groupdel
 
# Remove user and group
userdel test
groupdel sudo