After-talk Q&A

After I finish a talk on sudo at a conference, I usually receive quite a few questions. Many of the answers I gave earlier have since been folded into the latest version of my sudo talk. The following is a collection of questions and answers from different conferences.

How can I change the insults (the funny messages displayed when someone enters the wrong password) of sudo?

Right now the insult messages are hard-coded: the set that is compiled in is chosen at build time (the --with-insults configure options), and whether they are shown at all is controlled by the insults flag in the sudoers Defaults. There are plans to read them from an external file, but understandably this change is not high on the TODO list.

Can I use sudo when LDAP is off-line?

sudo does not cache the rules it reads from LDAP, so when the LDAP server is unreachable those rules are unavailable and sudo will not work for the users who depend on them. Note that sudo consults the sources listed for sudoers in nsswitch.conf in order, so a rule that also lives in the local /etc/sudoers file (for example an emergency rule for an admin group) is still honored while LDAP is down.

Can I collect session recordings centrally?

Right now there is no support for storing session recordings centrally. You can mount a remote directory and store recordings there, but the local machine still has write access to that directory, so a user who obtains root through sudo can delete or alter the recordings of their own session. The upcoming 1.9 version of sudo will feature a Recording Service, to which sudo can stream sessions in real time, so the recording never depends on the integrity of the recorded host.

Are there any scripts to generate digests of applications for the sudoers file?

The short answer is: No. The list of commands, hosts, users and so on is site specific. But it is not really difficult to create those hashes, even from the Bash command line. For example, to generate digests for all applications in the /usr/sbin directory and allow user "peter" to run them on any host, you can use the following one-liner (the test skips subdirectories and other non-regular files, and the quoting keeps paths with spaces intact):

for i in /usr/sbin/*; do [ -f "$i" ] && echo "peter ALL = sha224:$(sha224sum "$i")"; done

Two caveats. A digest only pins the contents of the binary, not its arguments, so the rule still allows any command line. And the digest is checked against the file on disk at run time: after a package update changes a binary, the rule silently stops matching and sudo denies the command, so regenerate the digests after updates and check the result with visudo -c before it goes live.
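The same idea as a small script, added here as an example rather than taken from the sudo project. It generates the digest rules for one user and directory, and adds the check a practitioner wants after a package update: re-reading an existing rules file and reporting every command whose digest no longer matches. It assumes GNU coreutils sha224sum; the user name, directory and output path are whatever you pass in.

```sh
#!/bin/sh
# Added example, not part of the sudo distribution.
# Assumes GNU coreutils (sha224sum, cut) as found on Linux.

# gen_digest_rules USER DIR
# Prints one "USER ALL = sha224:DIGEST PATH" line per regular file in DIR.
gen_digest_rules() {
    user=$1
    dir=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue        # skip subdirectories, sockets, dangling links
        digest=$(sha224sum -- "$f" | cut -d' ' -f1)
        printf '%s ALL = sha224:%s %s\n' "$user" "$digest" "$f"
    done
}

# verify_digest_rules RULESFILE
# Recomputes the digest of every command named in a digest rule and reports
# rules that no longer match the file on disk (typically after a package
# update). Returns 1 if any rule is stale or its command is missing.
verify_digest_rules() {
    rules=$1
    rc=0
    while IFS= read -r line; do
        case $line in
            *' sha224:'*) ;;
            *) continue ;;             # not a digest rule, ignore
        esac
        rest=${line#* sha224:}         # "DIGEST PATH"
        expected=${rest%% *}
        path=${rest#* }
        if [ ! -f "$path" ]; then
            echo "MISSING: $path"
            rc=1
            continue
        fi
        actual=$(sha224sum -- "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "STALE: $path (rule has $expected, file has $actual)"
            rc=1
        fi
    done < "$rules"
    return $rc
}

# Usage (run as root):
#   gen_digest_rules peter /usr/sbin > /etc/sudoers.d/peter-digests
#   visudo -c -f /etc/sudoers.d/peter-digests
#   verify_digest_rules /etc/sudoers.d/peter-digests   # re-run after updates
```

Files under /etc/sudoers.d must be mode 0440 and must not contain a dot or a tilde in their name, otherwise sudo ignores them; always run visudo -c on the generated file before relying on it.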

Is there an easy way to install two different versions of sudo in parallel?

No. sudo is not a single file but a group of programs, libraries and configuration files, and two installations would compete for the same paths. On the other hand, on any modern hardware you can bring up a virtual machine in a matter of minutes, which gives you a clean environment for testing a different version of sudo.

Is there a use case for using sudo to change to a user other than root?

Actually there are quite a lot: database servers, mailing list servers, printing services and many others run under their own user names and expect at least some of their administrative commands to be executed as those users. Granting such a command with a runas user in sudoers lets an operator maintain the service without ever becoming root.

How can I install a recent version of sudo on an older system?

  • If you use one of the more popular Linux distributions or UNIX variants, there is a good chance that a pre-compiled package already exists for it on the sudo website. Verify its signature or checksum before installing it.
  • If sudo is already packaged for your system, you might be able to re-use that packaging to build an updated package from the new source release.
  • Otherwise, compile sudo yourself from source. Instructions for building from source are included in the source code.

If you would like to be notified about new posts and sudo news, sign up for the sudo blog announcement mailing list.