Score:0

Require root password when executing "sudo -s"


I have a CentOS 7 server on AWS.

When logged in with the centos user, how can I prevent sudo -s logging in to root without requiring root's password?

```
[root@server ~]# cat /etc/sudoers | grep rootpw
Defaults rootpw
[root@server ~]# getent group wheel
wheel:x:10:centos
[root@server ~]# gpasswd -d centos wheel
Removing user centos from group wheel
[root@server ~]# getent group wheel
wheel:x:10:
[root@server ~]# su centos
[centos@server root]$ sudo -s
[root@server ~]# !!!!!!!!!!!!!!!!
```
If you want them to have to know root's password instead of their own, then use su instead of sudo.
@NiKiZe - so if I have a window at my home that doesn't close, and want to prevent intruders from entering my house, what I do is tell them to use the door, which is locked, rather than fixing the broken window? I want to prevent `sudo -s` from allowing to be root without requiring root's password!
Then don't allow sudo at all.
Score:4

sudo always uses the user account's password. If user has sudo privileges, then the user can execute commands as root, after entering his own password in the sudo prompt.

In your example, you are seeing the effects of sudo ticket validity period. Once sudo is run for the first time, it asks for a password. After that, it creates a ticket that is valid for a certain time. During this time, sudo does not ask for password.

If you want to change this behavior, you can disable the ticket by adding

```
Defaults     timestamp_timeout=0
```

to /etc/sudoers configuration file.

Thank you. I edited `/etc/sudoers` to add `Defaults timestamp_timeout=0`, and tried the `sudo -s` command again as yesterday, and still the same. This only happens with the `centos` user. Other users are asked for the `root` password.
Then it is likely due to the fact that you are first root, then using `su` to change user and then `sudo`ing. Maybe some user status is remembered after `su`.
Doesn't happen with other users, though. Only `centos`. Also, if I go directly from AWS's shell (which logs in directly to `centos`), the same happens.
Score:0

Found the reason.

The problem is in /etc/sudoers.d/90-cloud-init-users:

```
centos ALL=(ALL) NOPASSWD:ALL
```

This allows the user centos sudo without password.
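The two answers above point at the two places a password prompt can be switched off: a `Defaults` line in the main file (`timestamp_timeout`, `rootpw`) and a `NOPASSWD` rule in a `#includedir` drop-in, which wins over both. The script below is an added example, not code from the question or either answer: it lists the main sudoers file plus every drop-in that `#includedir` pulls in (skipping names containing a dot or ending in `~`, which sudo ignores), reports whether `rootpw` and `timestamp_timeout=0` are set, and prints every non-comment `NOPASSWD` rule. It runs against constructed sample files in a temporary directory that mirror the asker's setup, not against the real `/etc/sudoers`.

```shell
#!/bin/sh
# Added audit example (not from the original Q&A). Scans a sudoers file and
# its "#includedir" drop-ins for settings that remove the password prompt.

# Print the main file plus every drop-in referenced by "#includedir" / "@includedir".
# sudo ignores drop-ins whose name contains '.' or ends in '~', so skip those too.
sudoers_files() {
    main="$1"
    printf '%s\n' "$main"
    sed -n 's/^[#@]includedir[[:space:]][[:space:]]*//p' "$main" | while read -r dir; do
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            case "${f##*/}" in *.*|*~) continue ;; esac
            printf '%s\n' "$f"
        done
    done
}

# Print every NOPASSWD rule in the given files, prefixed with the file name,
# with comment lines dropped first so a commented-out rule is not reported.
find_nopasswd() {
    grep -H -v '^[[:space:]]*#' "$@" 2>/dev/null | grep 'NOPASSWD'
}

# Report the three settings that matter for the question. The Defaults checks
# are deliberately coarse (a "Defaults !rootpw" would also match).
audit_sudoers() {
    files=$(sudoers_files "$1")
    # word-splitting on $files is intended: one path per line, no spaces in paths
    printf 'rootpw: %s\n' "$(grep -qs '^[[:space:]]*Defaults.*rootpw' $files && echo yes || echo no)"
    printf 'timestamp_timeout=0: %s\n' "$(grep -qs '^[[:space:]]*Defaults.*timestamp_timeout=0' $files && echo yes || echo no)"
    echo 'NOPASSWD rules (these bypass both rootpw and timestamp_timeout):'
    find_nopasswd $files || echo '  none'
}

# Build constructed sample files modelled on the question and print their directory.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/sudoers.d"
    cat > "$d/sudoers" <<EOF
## constructed sample main file
Defaults rootpw
Defaults     timestamp_timeout=0
%wheel ALL=(ALL) ALL
#includedir $d/sudoers.d
EOF
    # the cloud-init drop-in the asker found
    printf 'centos ALL=(ALL) NOPASSWD:ALL\n' > "$d/sudoers.d/90-cloud-init-users"
    # a stale copy sudo never reads (name contains a dot); must not be reported
    printf 'backup ALL=(ALL) NOPASSWD:ALL\n' > "$d/sudoers.d/old.bak"
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample)
    audit_sudoers "$dir/sudoers"
    rm -rf "$dir"
fi
```

To check a real host, call `audit_sudoers /etc/sudoers` as root; `sudo -l -U centos` then confirms what sudo itself has computed for that user, which is the authoritative view after any edit.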
