Sudo

June 29, 2026 ยท View on GitHub

Elevate to root using the sudo command.

sudo <somecommand>

Elevate to a Root Shell

This is often frowned upon if you want every elevated command logged for strict auditing.

sudo su

For better auditing you need to enforce putting sudo in front of each individual command and disable any command that can do arbitrary elevated actions.

This is harder than it first seems.

The only really secure way to do this is with an explicit careful sudo command whitelist.

See some issues under the Sudo Security section below.

Configure Sudo

Configure which users and groups can sudo and to which commands by editing the /etc/sudoers file (or sometimes /etc/sudoers.d/... include files).

Use the visudo command because it validates the changes before it allows saving them.

This command drop you into your $EDITOR if it's set (see IntelliJ page), or if not set then it'll open /etc/sudoers in the classic vi editor.

sudo visudo

If you want to add to another file under /etc/sudoers.d/ then:

sudo visudo -f /etc/sudoers.d/hari

If you create a new file under /etc/sudoers.d/ (which gets automatically sourced by /etc/sudoers), then ensure you set correct permissions:

sudo chmod 440 /etc/sudoers.d/hari

For details on all configuration options, read the sudoers man page:

man sudoers

Allow Users / Groups to Sudo

Allow a user to sudo by adding this line to /etc/sudoers or a file under /etc/sudoers.d/:

hari        ALL = (ALL) ALL

For a group, prefix the group name with a percent sign, eg. this is set by default on Macs:

%admins   ALL = (ALL) ALL

Which means you could also just add users to that group instead of modifying the /etc/sudoers.

Passwordless Sudo

To allow your user to use sudo without having to enter their password every 5 minutes, set the line to:

hari        ALL = (ALL) NOPASSWD: ALL

Ensure the above line comes after the following line found by default on macOS:

%admin      ALL = (ALL) ALL

as this %admin line requires a password for all members of the admin group which you will be in on your macOS.

BioMetric Sudo

On Mac you can enable using Touch ID fingerprint authorization of sudo.

Create a file called /etc/pam.d/sudo_local with contents:

auth    sufficient    pam_tid.so

This file is automatically sourced by /etc/pam.d/sudo and survives upgrades.

Command to create this file if it doesn't already exist:

sudo sh -c '[ -f /etc/pam.d/sudo_local ] || echo "auth sufficient pam_tid.so" >> /etc/pam.d/sudo_local'

Test Sudo

First clear sudo cached credential:

sudo -k

Then try a basic command which should return successfully without a password prompt.

sudo echo success

To test Passwordless Sudo while disallowing a password prompt you can use the -n switch.

You cannot use this to test BioMetric Sudo because it suppresses the GUI pop-up prompt for fingerprint ID.

sudo -n echo success

Sudo Security

Dangerous Commands Which Can Escape to Elevated Shells

Any of the following commands if allowed to sudo can bypass elevated shell restrictions:

  • su
  • sudo -i / sudo -s
  • visudo - could rewrite /etc/sudoers
  • shells
  • scripts
  • pagers - man, more, less can run !sh
  • compilers & interpreters (eg. Python, Perl, Ruby etc.),
  • IDEs and Editors (IntelliJ, viand emacs can run shells inside them).

Sudo Path Vulnerability

You need to restrict the $PATH, in /etc/sudoers

Defaults restricted_envs += "PATH"
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Sudo File Path Disallow Vulnerability

Using disallowed paths is easily bypassed by just changing the path eg:

sudo cp /bin/sh "$HOME"/
sudo "$HOME/sh

Sudo Path Write Vulnerability

The sudo allowed paths must not be writable or replaceable using even a sudo command.

This is in itself hard to strict since any command which can write file contents or modify directory contents (two separate permissions) can replace the contents of a whitelisted path binary or script with hostile contents to gain full root shell elevation.