Sudo
June 29, 2026 ยท View on GitHub
- Elevate to a Root Shell
- Configure Sudo
- Allow Users / Groups to Sudo
- Passwordless Sudo
- BioMetric Sudo
- Test Sudo
- Sudo Security
Elevate to root using the sudo command.
sudo <somecommand>
Elevate to a Root Shell
This is often frowned upon if you want every elevated command logged for strict auditing.
sudo su
For better auditing you need to enforce putting sudo in front of each individual command and disable any command that can do arbitrary elevated actions.
This is harder than it first seems.
The only really secure way to do this is with an explicit careful sudo command whitelist.
See some issues under the Sudo Security section below.
Configure Sudo
Configure which users and groups can sudo and to which commands by editing the /etc/sudoers file
(or sometimes /etc/sudoers.d/... include files).
Use the visudo command because it validates the changes before it allows saving them.
This command drop you into your $EDITOR if it's set (see IntelliJ page), or if not set then it'll open
/etc/sudoers in the classic vi editor.
sudo visudo
If you want to add to another file under /etc/sudoers.d/ then:
sudo visudo -f /etc/sudoers.d/hari
If you create a new file under /etc/sudoers.d/ (which gets automatically sourced by /etc/sudoers),
then ensure you set correct permissions:
sudo chmod 440 /etc/sudoers.d/hari
For details on all configuration options, read the sudoers man page:
man sudoers
Allow Users / Groups to Sudo
Allow a user to sudo by adding this line to /etc/sudoers or a file under /etc/sudoers.d/:
hari ALL = (ALL) ALL
For a group, prefix the group name with a percent sign, eg. this is set by default on Macs:
%admins ALL = (ALL) ALL
Which means you could also just add users to that group instead of modifying the /etc/sudoers.
Passwordless Sudo
To allow your user to use sudo without having to enter their password every 5 minutes, set the line to:
hari ALL = (ALL) NOPASSWD: ALL
Ensure the above line comes after the following line found by default on macOS:
%admin ALL = (ALL) ALL
as this %admin line requires a password for all members of the admin group which you will be in on your macOS.
BioMetric Sudo
On Mac you can enable using Touch ID fingerprint authorization of sudo.
Create a file called /etc/pam.d/sudo_local with contents:
auth sufficient pam_tid.so
This file is automatically sourced by /etc/pam.d/sudo and survives upgrades.
Command to create this file if it doesn't already exist:
sudo sh -c '[ -f /etc/pam.d/sudo_local ] || echo "auth sufficient pam_tid.so" >> /etc/pam.d/sudo_local'
Test Sudo
First clear sudo cached credential:
sudo -k
Then try a basic command which should return successfully without a password prompt.
sudo echo success
To test Passwordless Sudo while disallowing a password prompt you can use the -n switch.
You cannot use this to test BioMetric Sudo because it suppresses the GUI pop-up prompt for fingerprint ID.
sudo -n echo success
Sudo Security
Dangerous Commands Which Can Escape to Elevated Shells
Any of the following commands if allowed to sudo can bypass elevated shell restrictions:
susudo -i/sudo -svisudo- could rewrite/etc/sudoers- shells
- scripts
- pagers -
man,more,lesscan run!sh - compilers & interpreters (eg. Python, Perl, Ruby etc.),
- IDEs and Editors (IntelliJ,
viandemacscan run shells inside them).
Sudo Path Vulnerability
You need to restrict the $PATH, in /etc/sudoers
Defaults restricted_envs += "PATH"
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Sudo File Path Disallow Vulnerability
Using disallowed paths is easily bypassed by just changing the path eg:
sudo cp /bin/sh "$HOME"/
sudo "$HOME/sh
Sudo Path Write Vulnerability
The sudo allowed paths must not be writable or replaceable using even a sudo command.
This is in itself hard to strict since any command which can write file contents or modify directory contents (two separate permissions) can replace the contents of a whitelisted path binary or script with hostile contents to gain full root shell elevation.