Home / server / Questions / 1081517
In Process
Nuno
Asked: 2021-10-24 17:59:09 +0800 CST

Require root password when executing "sudo -s"

  • 772

I have a CentOS 7 server on AWS.

When logged in with the centos user, how can I prevent sudo -s logging in to root without requiring root's password?

[root@server ~]# cat /etc/sudoers | grep rootpw
Defaults rootpw
[root@server ~]# getent group wheel
wheel:x:10:centos
[root@server ~]# gpasswd -d centos wheel
Removing user centos from group wheel
[root@server ~]# getent group wheel
wheel:x:10:
[root@server ~]# su centos
[centos@server root]$ sudo -s
[root@server ~]# !!!!!!!!!!!!!!!!
centos security ssh sudo centos7

2 Answers

  1. sudo always uses the user account's password. If user has sudo privileges, then the user can execute commands as root, after entering his own password in the sudo prompt.

    In your example, you are seeing the effects of sudo ticket validity period. Once sudo is run for the first time, it asks for a password. After that, it creates a ticket that is valid for a certain time. During this time, sudo does not ask for password.

    If you want to change this behavior, you can disable the ticket by adding

    Defaults     timestamp_timeout=0

    to /etc/sudoers configuration file.

    • 4

  2. Found the reason.

    The problem is in /etc/sudoers.d/90-cloud-init-users:

    centos ALL=(ALL) NOPASSWD:ALL

    This allows the user centos sudo without password.

    • 0