The translation is temporarily closed for contributions due to maintenance, please come back later.
English Sinhala
There are several potential risks to keep in mind when using the [command]#sudo# command. You can avoid them by editing the `/etc/sudoers` configuration file using [command]#visudo# as described above. Leaving the `/etc/sudoers` file in its default state gives every user in the `wheel` group unlimited `root` access.
By default, [command]#sudo# stores the sudoer's password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves their workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the `/etc/sudoers` file:
Defaults timestamp_timeout=pass:quotes[_value_]
where _value_ is the desired timeout length in minutes. Setting the _value_ to 0 causes [command]#sudo# to require a password every time.
If a sudoer's account is compromised, an attacker can use [command]#sudo# to open a new shell with administrative privileges:
[command]#sudo /bin/bash#
Opening a new shell as `root` in this or similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the `/etc/sudoers` file and never requiring the attacker to input a password for [command]#sudo# again until the newly opened session is closed.
Additional Resources
While programs allowing users to gain administrative privileges are a potential security risk, security itself is beyond the scope of this particular book. You should therefore refer to the resources listed below for more information regarding security and privileged access.
Installed Documentation
`su`(1) — The manual page for [command]#su# provides information regarding the options available with this command.
`sudo`(8) — The manual page for [command]#sudo# includes a detailed description of this command and lists options available for customizing its behavior.
`pam`(8) — The manual page describing the use of Pluggable Authentication Modules (PAM) for Linux.
Online Documentation
The link:++[Red{nbsp}Hat Enterprise{nbsp}Linux{nbsp}7 Security Guide] provides a more in-depth look at potential security issues pertaining to setuid programs as well as techniques used to alleviate these risks.
See Also
xref:Managing_Users_and_Groups.adoc#ch-Managing_Users_and_Groups[Managing Users and Groups] documents how to manage system users and groups in the graphical user interface and on the command line.