Why You Should Remove Sudo from Linux Boxes
Sudo is a contraction of the words “super user” and “do”, but the name doesn’t really bring home what that means in practice. On a Linux system, a command run through sudo is treated as if it were issued by the root user. If you know anything about Linux, this should already give you pause. The root user on Linux and Unix systems is the highest authority where the operating system is concerned. This user can do anything, up to and including removing the entire operating system and all the files on the hard drive.
This is the primary reason that most network security schemes have to remove sudo access for anyone but the highest level administrators to be safe. Root is so powerful on these systems that even admins hesitate to work while logged into that account. Most often, they’ll only use root for a few procedures and then switch back to an account with fewer privileges. When you give an inexperienced user access to sudo, you’re giving them the equivalent of complete control over the system without necessarily giving them the tools to handle that power correctly. An innocent mistake can become a disaster and, perhaps more frighteningly, a grudge can be manifested in the form of compromised security and a ruined system.
Linux sudo access really only needs to be given to a few people within any given company. Some software products allow you to remove sudo privileges from a user while still giving them access to the specific higher-level functionality they need to perform their jobs. This middle ground allows a company to comply with the demands of security standards while still having a practical setup, one where users don’t constantly need technical assistance from network administrators to perform mundane tasks.
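The "middle ground" described above is, in sudo's own terms, a least-privilege sudoers policy: a user is granted one or two specific commands rather than `ALL`. The following added example (not code from the original article or from any product it alludes to) parses a small sudoers file and reports the entries that hand out unrestricted root, the entries that skip the password prompt, and a missing logging `Defaults` line. The two policies, the user names and the host are constructed for this example; the `Defaults` keywords (`logfile`, `log_input`, `log_output`, `syslog`) are real sudoers options.

```python
"""Added example (not from the original article): audit a sudoers policy for
blanket root grants, NOPASSWD entries and missing logging Defaults."""
import re

# Constructed sample: a typical "everyone gets full sudo" policy, with one
# least-privilege entry (webops) that only permits the task the user needs.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
webops  ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
"""

# Constructed hardened version: the broad grants are gone, the scoped entry
# stays, and sudo is told to keep a log plus full session I/O.
HARDENED_SUDOERS = """\
Defaults env_reset
Defaults logfile=/var/log/sudo.log
Defaults log_input,log_output
root    ALL=(ALL:ALL) ALL
webops  ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
"""

# User specification line: user  host=(runas) [TAG:] command, command ...
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return (defaults, specs). Simplified: aliases, line continuations and
    #include/@include directives are not handled."""
    defaults, specs = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("Defaults"):
            defaults.append(line[len("Defaults"):].strip())
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        tags = []
        # Tags such as NOPASSWD: or SETENV: precede the command list.
        while True:
            t = re.match(r"^([A-Z]+):\s*", cmds)
            if not t:
                break
            tags.append(t.group(1))
            cmds = cmds[t.end():]
        specs.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",
            "tags": tags,
            "commands": [c.strip() for c in cmds.split(",")],
        })
    return defaults, specs


def audit_sudoers(text):
    """Return a list of (severity, message) findings for the policy."""
    defaults, specs = parse_sudoers(text)
    findings = []
    for s in specs:
        if s["user"] == "root":
            continue  # root already is root; this line is conventional
        if "ALL" in s["commands"]:
            findings.append(("high", f"{s['user']}: unrestricted root (ALL commands)"))
        if "NOPASSWD" in s["tags"]:
            findings.append(("medium", f"{s['user']}: NOPASSWD removes the re-authentication step"))
    joined = " ".join(defaults)
    if not re.search(r"\b(logfile|log_output|log_input|syslog)\b", joined):
        findings.append(("medium", "no logging Defaults (logfile, log_input/log_output or syslog) set"))
    return findings


if __name__ == "__main__":
    for label, policy in (("sample", SAMPLE_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(f"== {label} ==")
        for sev, msg in audit_sudoers(policy) or [("info", "no findings")]:
            print(f"[{sev}] {msg}")
```

Run it against a copy of a real `/etc/sudoers` (or the files under `/etc/sudoers.d/`) to get a first pass at who holds full root; the parser is deliberately simple, so treat its output as a starting point for review, not as a complete policy check.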
Logging is also a big part of security. When you remove sudo privileges from most users, you’ll still need to make sure that those users who have this powerful privilege are accountable for how they use it. Further security products can provide logging services and produce logs that are easy to read and audit. When your network is configured properly, you can be sure that it’s as functional as possible but that the most vital systems have a strong layer of protection from users who shouldn’t be able to access them without contacting an administrator.
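Accountability for the users who keep sudo comes down to reading the records sudo already writes. As an added example (not code from the original article), the script below parses sudo's syslog lines, counts successful invocations per user, and raises an alert for denied commands, repeated password failures and interactive root shells. The log lines, host name, user names and commands are constructed for this example; the line format (`user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`) is the one sudo emits by default.

```python
"""Added example (not from the original article): turn sudo's syslog lines into
a short audit summary."""
import re
from collections import Counter

# Constructed sample log: one scoped command, one pam session line (noise),
# two denied attempts by the same user, and one full root shell.
SAMPLE_LOG = """\
Mar  3 10:15:22 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:15:22 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
Mar  3 10:16:01 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:16:30 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:20:05 web01 sudo:    carol : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/bash
"""

# Successful lines have no reason field; failures carry one before TTY=.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<reason>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that hand the caller an unrestricted root session.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/bash", "/bin/su"}


def parse_sudo_log(text):
    """Return one dict per sudo command line; pam/session lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["ok"] = e["reason"] is None
        events.append(e)
    return events


def summarize(text):
    """Count successful invocations per user and list the events worth a look."""
    events = parse_sudo_log(text)
    per_user = Counter(e["user"] for e in events if e["ok"])
    alerts = []
    for e in events:
        if not e["ok"]:
            alerts.append(f"{e['user']}: {e['reason']} for {e['cmd']}")
        elif e["cmd"].split()[0] in SHELLS:
            alerts.append(f"{e['user']}: interactive root shell via sudo ({e['cmd']})")
    return {"commands_by_user": dict(per_user), "alerts": alerts}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("successful sudo commands per user:", report["commands_by_user"])
    for a in report["alerts"]:
        print("ALERT:", a)
```

Feed it `/var/log/auth.log` (or `journalctl -t sudo` output) and the per-user counts give you the "who used it and how often" picture, while the alerts surface the two things that most often deserve a conversation: a user probing for commands outside their grant, and a user converting a scoped grant into a full root shell.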