Adding spice to your sudo session with a lecture file on Linux or Unix


Despite some severe bugs in sudo, it remains the de facto tool to gain a root shell or run a command as another user on Linux, macOS, and Unix-like systems. The sudo command allows the system administrator to grant an individual user access to unprivileged commands. For instance, I can give developers the ability to restart the Apache webserver or PHP/Python process on a Linux server. Let us see how to remind developers and unprivileged users about the power of sudo for fun and profit. In this quick tip, I will show you how to add some spice to your sudo session with a lecture file on Linux or Unix.

Every seasoned Unix sysadmin knows the sudo command needs to be used with great caution. Hence sudo has the option to give a message using lecture.

How to force sudo to give a lecture every time our users use it

To edit the config file, run the following command:
sudo visudo
Append the following line after the initial options to make sudo print the lecture every time a user runs sudo:

Defaults        lecture=always

The above option controls when a short lecture will be printed along with the password prompt. It has the following possible values:

  1. always : Always lecture the user.
  2. never : Never lecture the user.
  3. once : Only lecture the user the first time they run sudo.

Save and close the file. Let us invalidate the user's cached credentials and test it:

sudo -k
## or ##
sudo --reset-timestamp
## Try to gain root shell  ##
sudo -i

Now our Unix developers and other Linux users will get a boring lecture:

Lovely, right? But wait, there is more. We can change this message and make it more friendly. Again safely edit the sudoers file by typing the following command:
sudo visudo
Append another config option:

Defaults       lecture_file=/etc/sudo_lecture.txt

Save and close the file when using vi or vim. Here is the config file for your reference displayed using the cat command:
sudo cat /etc/sudoers

Creating /etc/sudo_lecture.txt

Run:
sudo vim /etc/sudo_lecture.txt
Append the following (download the sudo_lecture.txt file to avoid printing garbage on screen):

     ^[[00;31m
┌──────────────────────────────────────────┐
│                                          │
│ mmmm                                     │
│ #   "m  mmm   m mm    mmmm   mmm    m mm │
│ #    # "   #  #"  #  #" "#  #"  #   #"  "│
│ #    # m"""#  #   #  #   #  #""""   #    │
│ #mmm"  "mm"#  #   #  "#m"#  "#mm"   #    │
│                       m  #               │
│                        ""                │
└──────────────────────────────────────────┘
^[[0m

Please be cautious while using sudo as you could end up damaging the system.

Our fancy sudo warning or lecture is here:

Let us use the toilet command:
sudo sh -c 'toilet -f bubble --metal "Be careful with sudo" > /etc/sudo_lecture.txt'
sudo -k
sudo -i

Groot prompt to spice up your sudo session

Try the Groot prompt (download the groot.txt file using the curl command or wget to avoid printing escape characters on screen):

     ^[[00;32m  \^V//
     ^[[00;33m  |^[[01;37m. ^[[01;37m.^[[00;33m|   ^[[01;34m I AM (G)ROOT!
     ^[[00;32m- ^[[00;33m\ - / ^[[00;32m_
     ^[[00;33m \_| |_/
     ^[[00;33m   \ \
     ^[[00;31m __^[[00;33m/^[[00;31m_^[[00;33m/^[[00;31m__
     ^[[00;31m|_______|  ^[[00;37m With great power comes great responsibility.
     ^[[00;31m \     /   ^[[00;37m Use sudo wisely.
     ^[[00;31m  \___/
^[[0m
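
The `^[` in the listings above is caret notation for the ESC byte (0x1b); a lecture file that contains it as two literal characters makes sudo print the colour codes as text instead of colours. The script below is an added example, not part of the original article: the function names and the temporary paths are assumptions, and the sample input is constructed from the article's lecture text.

```shell
#!/bin/sh
# Added example: turn caret notation into a working sudo lecture file.

# Filter: replace the two-character text "^[" (how vim and cat -v display
# ESC) with the real ESC byte 0x1b. Other text, such as "\^V//", is kept.
caret_to_esc() {
    esc=$(printf '\033')
    sed "s/\^\[/${esc}/g"
}

# Count lines that still contain a literal "^[" (these print as garbage).
literal_caret_lines() {
    grep -cF -- '^[' "$1" || true
}

# Count real ESC bytes in a file.
esc_count() {
    echo $(( $(tr -cd '\033' < "$1" | wc -c) ))
}

# Convert src and move it into place as dest in one step. Mode 0644 keeps
# the file writable by its owner only: sudo prints these bytes, escape
# sequences included, to every user's terminal.
build_lecture() {
    src=$1
    dest=$2
    tmpf=$(mktemp "${dest}.XXXXXX") || return 1
    caret_to_esc < "$src" > "$tmpf" && chmod 0644 "$tmpf" && mv "$tmpf" "$dest"
}

# Constructed sample input using the article's lecture text.
demo_dir=$(mktemp -d)
cat > "$demo_dir/lecture.src" <<'EOF'
^[[00;31m
Please be cautious while using sudo as you could end up damaging the system.
^[[0m
EOF
build_lecture "$demo_dir/lecture.src" "$demo_dir/sudo_lecture.txt"
echo "ESC bytes: $(esc_count "$demo_dir/sudo_lecture.txt")," \
     "literal ^[ lines: $(literal_caret_lines "$demo_dir/sudo_lecture.txt")"
```

As root, point `build_lecture` at `/etc/sudo_lecture.txt`, then check the sudoers syntax with `visudo -c` before testing with `sudo -k` and `sudo -i`.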

Conclusion

The lecture_file is a cool idea when combined with ANSI escape codes for colors and other CLI utilities such as toilet and figlet. The credit for spicing up sudo with Groot goes to Chris.


  • aamst Feb 14, 2021 @ 18:17

    nice!

  • Ron Feb 14, 2021 @ 19:28

    Hi,

    when I try the groot out, it prints the color codes to the terminal instead of changing the colors.
    I am using bash.
    Is there something I need to put in the global bashrc to activate the colors?

  • Colin McDermott Feb 14, 2021 @ 21:25

    Good to see.

    My improvements:
    A reminder of which host you are on. The number of times I have seen people run the right command on the wrong system is far too many.

  • Logan Feb 15, 2021 @ 3:15

    For bonus points, save a handful of different lecture files and use a cron job to rotate them out on a schedule (hourly, daily, etc.).
    After the first few times, any lecture becomes easily ignored noise. But a memorable one that changes visually each hour might just get read!
    Also on the practical side, printing a link to org policy/guidance on sudo use and contact info for the team in charge of fixing whatever they break while using sudo can’t hurt.

  • Zeppelin Feb 15, 2021 @ 10:17

    Excellent tip from Vivek. I had no idea about the feature.
