Introduction

The /etc/sudoers file and /etc/sudoers.d/ directory control which users can execute commands as root or other users. An attacker who gains initial access often modifies sudoers to grant themselves persistent root access, creating a backdoor that survives password changes and service restarts. Unauthorized sudoers entries may grant full root access (NOPASSWD: ALL) or specific dangerous capabilities (file write, shell execution) that can be leveraged for full privilege escalation.

Symptoms

  • Unknown entries in /etc/sudoers or /etc/sudoers.d/
  • User account with unexpected sudo privileges
  • sudo -l shows permissions the user should not have
  • File integrity monitoring alerts on /etc/sudoers changes
  • Audit log shows sudoers file modification by an unauthorized process

Common Causes

  • Initial access through a vulnerable web application followed by privilege escalation
  • Compromised administrator account adding a backdoor
  • Malware or rootkit modifying system configuration
  • Misconfigured deployment script adding overly broad sudo rules
  • Shared credentials allowing unauthorized configuration changes

Step-by-Step Fix

  1. Audit the current sudoers configuration:

```bash
# Check main sudoers file
sudo cat /etc/sudoers
# Check included directories
sudo ls -la /etc/sudoers.d/
sudo cat /etc/sudoers.d/*
# Validate syntax
sudo visudo -c
```

  2. Identify unauthorized entries:

```bash
# Check sudoers file modification time
stat /etc/sudoers
ls -la /etc/sudoers.d/
# Check audit log for sudoers modifications
sudo ausearch -f /etc/sudoers -ts recent
sudo grep "sudoers" /var/log/auth.log | tail -20
# Check git history if /etc is tracked
sudo git -C /etc log -- sudoers 2>/dev/null
```

  3. Remove unauthorized entries:

```bash
# Edit sudoers safely with visudo (never use nano directly)
sudo visudo
# Remove the unauthorized line, save and exit
# visudo will validate syntax before saving

# Remove unauthorized files in sudoers.d
sudo rm /etc/sudoers.d/unauthorized-file
# Verify
sudo visudo -c
```

  4. Check for other privilege escalation mechanisms:

```bash
# Check for SUID binaries
sudo find / -perm -4000 -type f 2>/dev/null | grep -v "/usr/"

# Check for cron jobs running as root
sudo crontab -l
sudo ls -la /etc/cron.d/

# Check for capabilities set on unusual binaries
getcap -r / 2>/dev/null

# Check for unauthorized SSH keys
sudo cat /root/.ssh/authorized_keys
```

  5. Revoke access for compromised accounts:

```bash
# Lock the compromised user account
sudo usermod -L compromised_user
sudo usermod -s /usr/sbin/nologin compromised_user
# Remove from sudo group if applicable
sudo gpasswd -d compromised_user sudo
```

  6. Harden sudo configuration:

```bash
sudo visudo
# Add these security settings inside the editor (they are sudoers directives, not shell commands):
Defaults logfile="/var/log/sudo.log"
Defaults log_input,log_output
Defaults passwd_tries=3
Defaults timestamp_timeout=5
Defaults requiretty
# Restrict specific commands instead of ALL
# username ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp
```
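To make the audit in steps 1 and 2 repeatable, here is an added example (not part of the original article) in Python that parses sudoers user specifications and flags the patterns the Introduction describes: NOPASSWD: ALL, ALL commands for principals outside a baseline, and rules that hand out a shell. SAMPLE_SUDOERS is constructed input, EXPECTED_BROAD is an assumed per-host baseline, and audit_host() applies the same checks plus an ownership/mode check to the live files.

```python
import re
from pathlib import Path
# Constructed sample (not from a real host): one scoped admin rule plus two
# entries of the kind a sudoers backdoor typically adds.
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp  # scoped rule
www-data ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) /bin/bash, /usr/bin/vim
"""
EXPECTED_BROAD = {"root", "%sudo", "%wheel"}  # assumed baseline; set per host
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash"}
# user_spec  host_list = [(runas_list)] [Tag:]... command_list
RULE_RE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

def audit_sudoers(text, expected=EXPECTED_BROAD):
    """Return [(principal, reason)] for rules granting more than the baseline."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and #includedir
        if not line or line.startswith(("Defaults", "@")) or "_Alias" in line.split()[0]:
            continue  # not a user specification
        m = RULE_RE.match(line)
        if not m or m.group(1) in expected:
            continue  # unparsable line, or a principal already in the baseline
        who, spec = m.group(1), m.group(2)
        tags, _, cmds = spec.rpartition(":")  # "NOPASSWD: ALL" -> tags, cmds
        tags = {t.strip().upper() for t in tags.split(":") if t.strip()}
        commands = [c.strip() for c in cmds.split(",") if c.strip()]
        if "ALL" in commands:
            findings.append((who, "NOPASSWD: ALL" if "NOPASSWD" in tags else "ALL commands"))
        shells = [c for c in commands if c.split()[0] in SHELLS]
        if shells:
            findings.append((who, "shell: " + ", ".join(shells)))
    return findings

def audit_host(main="/etc/sudoers", include_dir="/etc/sudoers.d"):
    """Same checks on the live files (read as root); also flags files that are
    not root-owned or are group/world-writable, i.e. not the expected 0440."""
    out = []
    for f in [Path(main)] + sorted(Path(include_dir).glob("*")):
        if not f.is_file():
            continue
        st = f.stat()
        if st.st_uid != 0 or st.st_mode & 0o022:
            out.append((str(f), "owner %d mode %o" % (st.st_uid, st.st_mode & 0o777)))
        out += [(f"{f}: {who}", why) for who, why in audit_sudoers(f.read_text())]
    return out
```

Running audit_sudoers(SAMPLE_SUDOERS) reports www-data (NOPASSWD: ALL) and backup (shell: /bin/bash) while leaving the scoped deploy rule alone; treat every finding as something to confirm against change records before removing it with visudo.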

Prevention

  • Enable audit logging for /etc/sudoers file changes
  • Use file integrity monitoring (AIDE, Tripwire) on sudoers files
  • Implement the principle of least privilege - grant specific commands, not ALL
  • Use centralized identity management (LDAP, Active Directory) for sudo policy
  • Regularly audit sudoers configurations and user privileges
  • Implement just-in-time privilege escalation with time-limited access