U2F instead of password for “sudo mode”?

Some apps (Github being the most prominent IMHO) allow using U2F token as a means of validation for “sudo mode” (potentially dangerous actions in UI like creating a new token) instead of password.

Intuitively it seems not very safe as a stolen device will most probably still contain the U2F token. Am I missing something that makes it safe enough?

Exectuting sudo command in one line within a non-tty shell

I have access to a server via RCE over http, I can send post requests to the server which results in command execution. I am attempting to escalate privileges via sudo (su is not installed).

The server is heavily firewalled and there are no writeable directories/files within the web application.

My objective is to experiment with the sudo command to escalate privileges but because the command execution is not TTY; I am unable to execute the sudo command.

Is it possible to execute a command like sudo -S in a non-TTY shell?

Maybe using python’s pty module to spawn /bin/bash or /bin/sh, but what about a method to just execute a single binary with some parameters passed to it like sudo -S <command> within/as a TTY shell?

To summarize: Is there a way to run sudo in a single line in a non-TTY shell?

For example I am trying to run sudo with these parameters:

echo <password> | sudo -S id

Does sudo ever de-escalate privilege while the program/command/service is running?

For Example

Is it safer to do:

  1. $ sudo [cmd] [args] [enter user password]

or

  1. $   su - [enter root password] # [cmd] [args]   

I always assumed they are the exact same thing, because sudo utilizes setuid-root, so the process that is run as sudo’s first arg is run with the sudo’s effective ID, which is root.

my question is: Does sudo ever eventually drops its effective ID to the normal user’s? Then in that case, number 1 above would be a safer bet, because IF the program/service that sudo is running with is compromised by an attacker, then there is a chance that the attacker is not running as root, because the privilege has already been dropped (kind of like a race condition)? But compare to the number 2, then any program compromised while running as root is detrimental.

Changing VPS username ‘Root’ to a sudo

I have recently had issues with my VPS host and them constantly asking for my password through insecure portal and then sending it via insecure email. I then asked them about changing the root username to a sudo via SSH and they have actively discouraged me. I am questioning their security and considering re-hosting. So I have a few questions.

  1. Is changing to a sudo a good idea?
  2. Any recommended hosts that actually take security seriously?
  3. Same who will move everything for me? Any ideas on who will help? Just so all theDNS stacks up and the SSL certificate works from off the bat.

Thanks everyone.. Andy

How can one tell if a binary is safe to give sudo permissions for to an untrusted user?

sudo is sometimes used to give untrusted or “semi-trusted” users the ability to perform certain tasks as root, while not giving them unlimited root access. This is usually done via an entry into /etc/sudoers, specifying which programs can be executed.

However, some programs may provide more (no pun intended) functionality than expected, such as more, less, man or find, which offer to execute other programs – most notably a shell.


Usually, which programs are safe to execute depends on knowledge of the sysadmin. Certain binaries like echo or cat are most likely safe (i.e. don’t allow the user to spawn a shell), while others like the examples above are known to be exploitable.

Is there a way to assess with reasonable confidence whether or not an executable is “safe” when given sudo permissions for? Or is the only way a comprehensive source-code audit?


In response to cat not being safe: Yes, it can be used to read sensitive files as root. In some setups, this may be the intended use-case (e.g. a limited user being able to read as root, but not write).

Furthermore, comments or answers explaining to me that sudo is not the correct way to grant read permissions like this: I know. I am absolutely aware how a file-system should be structured, but due to the nature of my work, I can’t influence how file-systems are structured on those servers. All I can do is to see which recommendation fixes the immediate problem. So please, don’t challenge the frame of the question. I don’t have an XY-problem.

command not found: sudo

After reading about the lately discovered vulnerability with sudo, I decided to update to 1.8.28 manually. I downloaded deb file from sudo.ws and used dpkg to install it, and it failed due to lack of dependencies.

sudo dpkg -i debs/sudo_1.8.28-1_ubu1804_i386.deb  (Reading database ... 232031 files and directories currently installed.) Preparing to unpack .../sudo_1.8.28-1_ubu1804_i386.deb ... Unpacking sudo:i386 (1.8.28-1) over (1.8.27-1ubuntu1.1) ... dpkg: dependency problems prevent configuration of sudo:i386: sudo:i386 depends on libc6. sudo:i386 depends on libpam0g. sudo:i386 depends on libpam-modules. sudo:i386 depends on zlib1g. sudo:i386 depends on libselinux1. sudo:i386 depends on libaudit1.  dpkg: error processing package sudo:i386 (--install): dependency problems - leaving unconfigured Processing triggers for man-db (2.8.5-2) ... Errors were encountered while processing: sudo:i386 

After that I can’t call sudo any more and it seems to be damaged cause I can locate it in /usr/bin/sudo:

l /usr/bin/sudo -rwsr-xr-x 1 root root 479K Oct 10 20:15 /usr/bin/sudo 

Since there is no Root user available on Ubuntu I was wondering if there is any solution other than rebooting as root in recovery mode?

how to update sudo package version

with the news of the vulnerability found in sudo versions prior to 1.8.28, I am trying to upgrade to that version, but have had no luck. I did sudo apt-get update and sudo apt-get upgrade and sudo continues to be at the same version. Even tried sudo apt-get upgrade sudo and it says it’s at the latest, which cannot be entirely true since 1.8.28 was released earlier today.

How does one typically go about updating packages using apt-get to latest versions?

Sudo Error: Access Denied

I type sudo into the command line and it says this, it also says that when running any command with sudo:

exquisitetoast@toastypc:~$ sudo sudo: unable to stat /etc/sudoers: Permission denied sudo: no valid sudoers sources found, quitting sudo: unable to initialize policy plugin exquisitetoast@toastypc:~$

Im runnning Ubuntu 19.0.4 with no dual-boot

arecord and sudo

Please help me

i try using arecord for record voice from mic

arecord -f S16_LE -N -t wav -c1 -r 22050 --max-file-time=5 --use-strftime /home/sergey/arec/files/%Y-%m-%d-%H-%M-%v.wav 

work success!

normal file

but when i run as sudo

sudo arecord -f S16_LE -N -t wav -c1 -r 22050 --max-file-time=5 --use-strftime /home/sergey/arec/files/%Y-%m-%d-%H-%M-%v.wav 

file is empty!! Why!?? sudo cant use arecored?? wtf!

empty file

How Can I Make A .desktop Launcher For A Sudo command To Execute GfxTablet Program?

I am new here been trying to find a way to make a .desktop icon for the sudo command to open the program called GfxTablet but cannot get any info that actually works.

All the plethera of commands I have tried fail to launch tilix terminal and or input a command, I have made lots of .desktop files launching programs them selves but never for a command line to be executed in sudo or none sudo.

All I know is the Exec line has to be precise in what it dictates to perform the operation. If I try to launch the default terminal as in typing the Exec line to state Exec=tilix nothing happens at all, but if I go into say UXterm and type tilix then hit enter it opens, I tried changing the default terminal to one of 3 or 4 terminals on this build of disco dingo 19.04, but none launch from the Exec= line if it includes the folder location followed by the file name when I am writing the .desktop launcher.

I am making it executable and running via right click open with Run Software option and also even dragging the .desktop file into tilix and hitting enter.

The file I want to launch I don’t know what file type it is or how to find that file type extension name, as I have done properties via right click which gives no name for file type there, or right clicking choosing the option to look at it’s location to see it’s path also gives no indication for a file extension.

The path to the file I want to make this .desktop launcher for is as follows:

/home/pc/GfxTablet/driver-input/networktablet

The file name I need to launch is as follows:

networktablet

launching the application which works in all terminals if typed in the command for launchin it is as follows:

sudo ./networktablet

I have been at this 36 hrs plus now trying to figure it out I had been getting some intermittent help online but that failed, it’s driving me crazy, I want it to add the icon to the docky dock, as I am making my own customized distribution.

But I would like to transfer it to other machines if necissary at some stage when customized fully, so I need it to be saved when completed as a systemback backup to do that the easy way with everything as is ready to go, I want it on the dock when re-installing or installing to any machine and the ease of accessing it on any machine from the dock by simply clicking a icon for it as aposed to typing it in to launch all the time through a terminal I have to click and open first, the same for if I wish to add further commandlines to open one click instead of open a command shell then type it in, I would like to have them in the app search as well meaning they need to be a .desktop file in the .local/share/applications folder that much I have learned with making other launchers.

Please can someone help I am very new to linux as in days but am good with windows not so much in commandline but anything else, I just switched os’s for good I prefer the security and the speed and fluidity of the ubuntu os.

I’m hoping for some help to come, so I can keep my hair as it is before I pull it all out lol

Thanks in advance