Stage 3 · Build
Users, Permissions & Processes
sudo & PAM Basics
sudoers rules, visudo validation, PAM stacks, and authentication module ordering.
sudo Basics
# Run command as root
sudo command
# Run as different user
sudo -u postgres psql
# Run a shell
sudo -i # Login shell (loads target user's environment)
sudo -s # Interactive shell (keeps current environment)
# Check sudo privileges
sudo -l
# User username may run the following commands on this host:
# (ALL : ALL) ALL
# (ALL) NOPASSWD: /usr/bin/systemctl restart nginx
# Check sudo timestamp
sudo -v
# timestamp_timeout=5 (minutes)sudo grants temporary privilege escalation. The timestamp cache means you don't need to re-enter your password for each command.
sudoers Syntax
# ALWAYS use visudo to edit sudoers
sudo visudo
# Basic format:
# user host=(runas) commands
# Allow user to run anything
username ALL=(ALL:ALL) ALL
# Allow without password
username ALL=(ALL) NOPASSWD: ALL
# Allow specific commands
username ALL=(ALL) /usr/bin/systemctl restart nginx, /usr/bin/journalctl
# Allow group
%wheel ALL=(ALL) ALL
%docker ALL=(ALL) NOPASSWD: /usr/bin/docker
# Command aliases
Cmnd_Alias SERVICES = /usr/bin/systemctl restart *, /usr/bin/systemctl start *, /usr/bin/systemctl stop *
Cmnd_Alias LOGS = /usr/bin/journalctl, /usr/bin/cat /var/log/*
username ALL=(ALL) SERVICES, LOGS
# Defaults
Defaults timestamp_timeout=10
Defaults passwd_tries=3
Defaults insults
Defaults logfile="/var/log/sudo.log"
Defaults log_input, log_outputAlways use visudo to edit sudoers — it validates syntax before saving. A syntax error in sudoers can lock you out of root access.
sudo Security
# Limit sudo to specific commands
username ALL=(ALL) /usr/bin/systemctl restart nginx
# Require password every time (no caching)
Defaults timestamp_timeout=0
# Log all sudo commands
Defaults logfile="/var/log/sudo.log"
Defaults log_input, log_output
# Require TTY for sudo
Defaults requiretty
# Use sudo with a specific group
%sudo ALL=(ALL:ALL) ALL
# Deny specific commands
username ALL=(ALL) ALL, !/usr/bin/su, !/usr/bin/passwd root
# Check sudo log
sudo cat /var/log/sudo.log
# Jan 15 10:30:00 server sudo: username : TTY=pts/0 ; PWD=/home/username ; USER=root ; COMMAND=/bin/systemctl restart nginxNever give ALL to untrusted users. Restrict sudo to specific commands. Enable logging for audit trails.
PAM Overview
PAM (Pluggable Authentication Modules) provides a framework for authentication. It separates the application from the authentication mechanism, allowing flexible authentication policies.
| PAM Type | Purpose | Config Location |
|---|---|---|
| auth | Verify identity (password, biometric) | /etc/pam.d/login |
| account | Account validity (expiry, access) | /etc/pam.d/login |
| password | Password changes | /etc/pam.d/passwd |
| session | Session setup/teardown (logging, mounts) | /etc/pam.d/login |
PAM Stacks
# PAM configuration file
cat /etc/pam.d/sudo
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok
auth required pam_deny.so
account required pam_unix.so
password required pam_unix.so
session required pam_limits.so
# Module flags:
# required — Must succeed (failure recorded but continue)
# sufficient — If succeeds, no more modules needed
# optional — Success or failure has no effect
# requisite — Must succeed (failure returns immediately)
# include — Include another PAM config file
# Common modules
# pam_unix.so — Traditional password authentication
# pam_ldap.so — LDAP authentication
# pam_google_authenticator.so — TOTP 2FA
# pam_faillock.so — Lock after failed attempts
# pam_limits.so — Resource limitsPAM processes modules in order. required means 'must succeed' but continues checking other modules. sufficient means 'if this succeeds, skip the rest'.
PAM Configuration
# Account lockout after failed attempts
# /etc/pam.d/common-auth
auth required pam_faillock.so preauth deny=5 unlock_time=900
auth required pam_faillock.so authfail deny=5 unlock_time=900
# Check lockout status
sudo faillock --user username
# Faillock count: 3
# Faillock until: 2024-01-15 10:45:00
# Reset lockout
sudo faillock --user username --reset
# Password quality
# /etc/pam.d/common-password
password requisite pam_pwquality.so retry=3 minlen=12
# Configure password quality
cat /etc/security/pwquality.conf
# minlen = 12
# dcredit = -1 (at least 1 digit)
# ucredit = -1 (at least 1 uppercase)
# lcredit = -1 (at least 1 lowercase)
# ocredit = -1 (at least 1 special character)
# Enable 2FA with Google Authenticator
auth required pam_google_authenticator.so nullokPAM provides account lockout, password quality, and 2FA. Configure these in /etc/pam.d/ for system-wide authentication policy.
visudo validates sudoers syntax before saving. A syntax error can lock you out of root access. Always use visudo, not a text editor directly.
The order of PAM modules determines authentication behavior. A 'required' module at the beginning does not block execution — it records the failure and continues. Only 'requisite' returns immediately.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.