Sudo summary

  • sudo is a program that allows a user to run a command as another user, usually the superuser
  • sudo is not su: sudo asks for the invoking user's own password, not the target user's
  • sudo activity is logged to the system log (on systemd hosts, read it with journalctl)
  • By default a successful authentication is cached for 5 minutes
  • OpenBSD has doas, Windows has runas


The config file is /etc/sudoers. Edit it with visudo, which checks the syntax and locks the file so a typo cannot leave a broken sudoers behind.


Host_Alias  SRV =,,
User_Alias  WEBADMIN = ankit, sam
Cmnd_Alias  HTTPD = /usr/bin/httpd, /usr/bin/mysql
Cmnd_Alias  REBOOT = /sbin/halt, /sbin/reboot
Runas_Alias OP = root, operator

Sudo rule (user specification):

#user1   host = (user2) command
WEBADMIN SRV  = (OP)    HTTPD, REBOOT, !/sbin/halt
%wheel   ALL  = (ALL)   NOPASSWD: ALL

What access do we have?

$ sudo -l
User foobar may run the following commands on shine:
    (n0kt, root) /home/n0kt/talks/sudo-linux/
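To make the alias expansion, the rule matching and the sudo -l answer above concrete, here is a small evaluator for the sudoers subset used on this slide. It is an added example, not sudo's own parser: the host list of SRV is filled with placeholder names (web1, web2), group membership is passed in by hand, and only aliases, %group, ALL, NOPASSWD:, ! negation, wildcards and trailing-slash directory entries are understood.

```python
import fnmatch
import re

# Constructed sudoers text in the style of the slide's example (hosts are
# placeholders; this is not a real file).
SUDOERS = """\
Host_Alias  SRV = web1, web2
User_Alias  WEBADMIN = ankit, sam
Cmnd_Alias  HTTPD = /usr/bin/httpd, /usr/bin/mysql
Cmnd_Alias  REBOOT = /sbin/halt, /sbin/reboot
Runas_Alias OP = root, operator

#user    host = (runas) commands
WEBADMIN SRV  = (OP)    HTTPD, REBOOT, !/sbin/halt
%wheel   ALL  = (ALL)   NOPASSWD: ALL
"""

ALIAS_KINDS = ("Host_Alias", "User_Alias", "Cmnd_Alias", "Runas_Alias")
RULE_RE = re.compile(r"(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)")


def parse(text):
    """Return (aliases, rules) for the sudoers subset used on the slide."""
    aliases = {kind: {} for kind in ALIAS_KINDS}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        kind = line.split()[0]
        if kind in ALIAS_KINDS:
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        user, host, runas, cmds = RULE_RE.match(line).groups()
        tags = set()
        while True:                                   # leading NOPASSWD:/PASSWD: tags
            tag = re.match(r"(NOPASSWD|PASSWD):\s*", cmds)
            if not tag:
                break
            tags.add(tag.group(1))
            cmds = cmds[tag.end():]
        rules.append({
            "user": user, "host": host, "tags": tags,
            # an omitted (runas) list means root, sudo's runas_default
            "runas": [r.strip() for r in runas.split(",")] if runas else ["root"],
            "cmds": [c.strip() for c in cmds.split(",")],
        })
    return aliases, rules


def expand(kind, spec, aliases):
    """Recursively replace an alias name with its member entries."""
    if spec in aliases[kind]:
        return [leaf for m in aliases[kind][spec] for leaf in expand(kind, m, aliases)]
    return [spec]


def leaf_matches(kind, leaf, value):
    if leaf == "ALL":
        return True
    if kind == "Cmnd_Alias":
        if leaf.endswith("/"):                       # directory entry: any file directly inside it
            rest = value[len(leaf):]
            return value.startswith(leaf) and bool(rest) and "/" not in rest
        return fnmatch.fnmatchcase(value, leaf)      # sudoers command wildcards
    return leaf == value


def spec_matches(kind, spec, value, aliases):
    return any(leaf_matches(kind, leaf, value) for leaf in expand(kind, spec, aliases))


def user_matches(spec, user, groups, aliases):
    return any(leaf in ("ALL", user) or (leaf.startswith("%") and leaf[1:] in groups)
               for leaf in expand("User_Alias", spec, aliases))


def may_run(text, user, groups, host, runas, command):
    """Emulate sudo -l for one command: return (allowed, password_required)."""
    aliases, rules = parse(text)
    verdict = None
    for rule in rules:                                # later matches override earlier ones
        if not (user_matches(rule["user"], user, groups, aliases)
                and spec_matches("Host_Alias", rule["host"], host, aliases)
                and any(spec_matches("Runas_Alias", r, runas, aliases) for r in rule["runas"])):
            continue
        for entry in rule["cmds"]:
            negated = entry.startswith("!")
            if spec_matches("Cmnd_Alias", entry.lstrip("!"), command, aliases):
                verdict = (not negated, "NOPASSWD" not in rule["tags"])
    return verdict or (False, True)


if __name__ == "__main__":
    for who, grp, hst, cmd in [("ankit", [], "web1", "/sbin/reboot"),
                               ("ankit", [], "web1", "/sbin/halt"),
                               ("foobar", ["wheel"], "shine", "/bin/bash")]:
        print(who, hst, cmd, "->", may_run(SUDOERS, who, grp, hst, "root", cmd))
```

Two points the evaluator makes visible: matching is "last match wins", which is why the trailing `!/sbin/halt` removes halt from REBOOT, and the `!` form only blocks that exact path, so the sudoers manual's advice stands: grant an explicit list of commands rather than subtracting from ALL.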


Session recording (sudoreplay) lets us audit and replay any sudo activity:

  • I/O logging has to be enabled in /etc/sudoers
  • Then we can use sudo sudoreplay to list recorded sessions and replay their output

~» sudo whoami

~» sudo sudoreplay -l user n0kt

~» sudo sudoreplay 00/00/02
Replaying sudo session: /bin/whoami
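The journal entries mentioned in the summary and the session IDs sudoreplay works with can be reviewed together. The script below is an added example (not part of the talk): it parses sudo's syslog-format lines over a constructed journal sample, separates refused attempts from successful escalations, flags interactive root shells, and collects the TSID of every recorded session so it can be handed to sudoreplay. The line format (`user : [reason ;] TTY= ; PWD= ; USER= ; [TSID= ;] COMMAND=`) is sudo's; the sample hosts, users and IDs are invented.

```python
import re

# Constructed journal lines in sudo's syslog format (sample data, not from a real host).
SAMPLE_JOURNAL = """\
Jan 26 10:01:02 shine sudo:     n0kt : TTY=pts/0 ; PWD=/home/n0kt ; USER=root ; TSID=000002 ; COMMAND=/bin/whoami
Jan 26 10:02:10 shine sudo:   foobar : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/bash
Jan 26 10:03:44 shine sudo:   foobar : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/ls
Jan 26 10:04:00 shine sudo:    ankit : command not allowed ; TTY=pts/2 ; PWD=/home/ankit ; USER=root ; COMMAND=/sbin/halt
Jan 26 10:05:00 shine sudo: pam_unix(sudo:session): session opened for user root by n0kt(uid=0)
Jan 26 10:06:30 shine sudo:     n0kt : TTY=pts/0 ; PWD=/home/n0kt ; USER=root ; TSID=000003 ; COMMAND=/bin/bash
"""

LINE_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; "
    r"(?:TSID=(?P<tsid>\S+) ; )?COMMAND=(?P<cmd>.*)$"
)

# Commands that give an interactive shell; worth a second look when run as root.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}


def parse_sudo_line(line):
    """Return the fields of one sudo command line, or None for other sudo messages (e.g. PAM)."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def audit(journal_text):
    """Summarise a journal dump: refusals, root shells and replayable sessions."""
    report = {"denied": [], "shells": [], "replayable": {}, "ok": 0}
    for line in journal_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        if ev["reason"]:                              # "user NOT in sudoers", "command not allowed", ...
            report["denied"].append((ev["user"], ev["reason"], ev["cmd"]))
            continue
        report["ok"] += 1
        if ev["cmd"] in SHELLS:
            report["shells"].append((ev["user"], ev["runas"]))
        if ev["tsid"]:                                # present only when I/O logging is on
            report["replayable"][ev["tsid"]] = ev["cmd"]
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_JOURNAL)
    for user, reason, cmd in r["denied"]:
        print(f"DENIED  {user:8} {reason:30} {cmd}")
    for user, runas in r["shells"]:
        print(f"SHELL   {user} -> {runas}")
    for tsid, cmd in r["replayable"].items():
        print(f"REPLAY  sudo sudoreplay {tsid}   # {cmd}")
```

On a live host the input would be `journalctl _COMM=sudo --no-pager` output. The TSID printed by sudo (000002 here) is the same session that sudoreplay addresses in its path form, as in the `sudo sudoreplay 00/00/02` above; lines without a TSID come from hosts where I/O logging was not enabled, which is why the refusals above show none.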

Sudo best practices

  • Default secure $PATH (so users cannot override it)
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


Simple demo!


  • CVE-2021-3156 (sudo versions before 1.9.5p2):
sudo -s '\\' `perl -e 'print "A" x 65536'`
sudoedit -s '\' `perl -e 'print "A" x 65536'`
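The defender-side question for this demo is whether a host's sudo is old enough to be affected. The version check below is an added example, not part of the talk: it parses sudo's `major.minor.microPn` version strings so the `pN` patch level compares numerically (a plain string compare ranks 1.9.5p10 below 1.9.5p2), and it uses the affected ranges from the upstream sudo advisory, 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, which refine the slide's "before 1.9.5p2" (older 1.8.x releases are not affected, and the 1.8 branch received its own fix).

```python
import re
import subprocess

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_sudo_version(text):
    """'1.9.5p2' -> (1, 9, 5, 2); a missing pN suffix counts as patch level 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


# Affected ranges as published in the upstream sudo advisory for CVE-2021-3156;
# the fix the slide refers to is 1.9.5p2.
AFFECTED_RANGES = [
    (parse_sudo_version("1.8.2"), parse_sudo_version("1.8.31p2")),
    (parse_sudo_version("1.9.0"), parse_sudo_version("1.9.5p1")),
]


def is_affected_by_cve_2021_3156(version):
    """True when the upstream version number falls in an affected range."""
    v = parse_sudo_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def installed_sudo_version():
    """Read the version from the first line of `sudo -V` ("Sudo version 1.9.5p2")."""
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=True).stdout
    return out.splitlines()[0].split()[-1]


if __name__ == "__main__":
    v = installed_sudo_version()
    print(f"sudo {v}: upstream version in affected range: {is_affected_by_cve_2021_3156(v)}")
```

Distributions usually backport the fix without bumping the upstream version string, so a True result here means "check the package changelog", not "vulnerable"; the version number alone only proves the negative.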

More information