
I have a CentOS 7 server on AWS.

When logged in with the centos user, how can I prevent sudo -s from logging in to root without requiring root's password?

[root@server ~]# cat /etc/sudoers | grep rootpw
Defaults rootpw
[root@server ~]# getent group wheel
wheel:x:10:centos
[root@server ~]# gpasswd -d centos wheel
Removing user centos from group wheel
[root@server ~]# getent group wheel
wheel:x:10:
[root@server ~]# su centos
[centos@server root]$ sudo -s
[root@server ~]# !!!!!!!!!!!!!!!!
Nuno
  • If you want them to have to know root's password instead of their own, then use su instead of sudo. – NiKiZe Oct 24 '21 at 09:27
  • @NiKiZe - so if I have a window at my home that doesn't close, and want to prevent intruders from entering my house, what I do is tell them to use the door, which is locked, rather than fixing the broken window? I want to prevent `sudo -s` from allowing a user to be root without requiring root's password! – Nuno Oct 24 '21 at 09:40
  • Then don't allow sudo at all. – NiKiZe Oct 24 '21 at 10:00

2 Answers

sudo always uses the user account's password. If a user has sudo privileges, the user can execute commands as root after entering their own password at the sudo prompt.

In your example, you are seeing the effects of the sudo ticket validity period. Once sudo is run for the first time, it asks for a password. After that, it creates a ticket that is valid for a certain time. During this time, sudo does not ask for a password.

If you want to change this behavior, you can disable the ticket by adding

Defaults     timestamp_timeout=0

to the /etc/sudoers configuration file.

Tero Kilkanen
  • Thank you. I edited `/etc/sudoers` to add `Defaults timestamp_timeout=0`, and tried the `sudo -s` command again as yesterday, and still the same. This only happens with the `centos` user. Other users are asked for the `root` password. – Nuno Oct 24 '21 at 14:18
  • Then it is likely due to the fact that you are first root, then using `su` to change user and then `sudo`ing. Maybe some user status is remembered after `su`. – Tero Kilkanen Oct 24 '21 at 19:45
  • Doesn't happen with other users, though. Only `centos`. Also, if I go directly from AWS's shell (which logs in directly to `centos`), the same happens. – Nuno Oct 24 '21 at 20:27

Found the reason.

The problem is in /etc/sudoers.d/90-cloud-init-users:

centos ALL=(ALL) NOPASSWD:ALL

This allows the user centos to sudo without a password.

Nuno
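The second answer found the passwordless rule by reading /etc/sudoers.d by hand. As an added example (not from the question or either answer), the script below audits a sudoers tree for NOPASSWD rules that apply to a given user, directly, via a %group, or via ALL, so a drop-in like 90-cloud-init-users is caught even when the main file sets rootpw and timestamp_timeout=0. The tree it scans is constructed inline and the user and group names are assumptions.

```shell
#!/bin/sh
# Audit a sudoers tree for NOPASSWD rules that apply to a given user.
# Added example for this page; the sample files are constructed and the
# user/group names are assumptions. Against a real host you would point
# find_nopasswd at /etc/sudoers and /etc/sudoers.d (readable only as root).

# Build a constructed tree mirroring the question: the main file sets rootpw
# and a zero ticket timeout, but a cloud-init drop-in grants centos NOPASSWD.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/sudoers.d"
    printf 'Defaults rootpw\nDefaults timestamp_timeout=0\n#includedir %s/sudoers.d\n%%wheel ALL=(ALL) ALL\n' \
        "$dir" > "$dir/sudoers"
    printf '# created by cloud-init (constructed sample)\ncentos ALL=(ALL) NOPASSWD:ALL\n' \
        > "$dir/sudoers.d/90-cloud-init-users"
    printf 'deploy ALL=(ALL) ALL\n' > "$dir/sudoers.d/deploy"
    echo "$dir"
}

# Print every NOPASSWD rule in the tree whose user list names the user
# directly, names one of the given groups (%group), or uses ALL.
# Limitation: User_Alias definitions are not expanded; use sudo -l -U user
# for the authoritative view.
find_nopasswd() {
    root=$1; user=$2; shift 2
    pattern="^[[:space:]]*(ALL|$user"
    for g in "$@"; do pattern="$pattern|%$g"; done
    pattern="$pattern)[[:space:]]"
    cat "$root/sudoers" "$root/sudoers.d"/* 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | grep -E "$pattern" \
        | grep 'NOPASSWD:'
}

# Count matching rules: 0 means the user is always prompted (subject to the
# ticket timeout); anything else means a passwordless path to root exists.
count_nopasswd() {
    find_nopasswd "$@" | wc -l | tr -d ' '
}
```

On the real host, `sudo -l -U centos` run as root shows the effective rules after all drop-ins are merged, which is the quickest way to confirm what the audit reports.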