Re: sudo and host name resolver
Hi,
On Wed, Dec 17, 2025 at 11:17:33PM +0700, Max Nikulin wrote:
> Is it possible to disable host name queries in sudo?
The sudo web site and bugzilla bug tracker appear to be down right now
but it is a known and reported bug in sudo that it still wants to
resolve your host name even when every rule has "ALL" in the "host"
part. So no, it is not currently possible to disable this.
Linux uses the gethostname() libc function which then uses the uname()
system call, which returns a nodename from kernel memory. That setting
is set by the sethostname() system call usually during boot based on
contents of /etc/hostname or /etc/hosts. If it is not set, it can be
temporarily set using the "hostname" command but it would end up unset
again at next boot.
sudo is then taking that nodename and trying to resolve it to an IP
address. I think that is any IP address at all, not necessarily one
currently bound to any network interface on the host.
Anyway, on a properly set up Debian the system's nodename should be in
/etc/hosts with an IP address and /etc/nsswitch.conf should list "files"
as the method for the "hosts" table somewhere before "dns", so looking
up one's own host name should not generate any network traffic. On some
setups there will also be other NSS modules like "myhostname" that will
answer that question, and of course there are NSS modules other than
"dns" that will do network queries.
So the short story is that to avoid network traffic from sudo, make sure
/etc/hosts has your nodename and that "files" comes before "dns" or
other NSS modules that may use the network.
Or switch to a "sudo" alternative. I had hoped that sudo-rs would not
support host-based rules but it still seems to.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
> I'd be interested to hear any (even two word) reviews of their sofas…
Provides seating. — Andy Davidson
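Added example, not part of Andy's mail or of sudo itself: a POSIX shell script that performs the two checks the mail recommends (the nodename is present in /etc/hosts, and "files" precedes "dns" on the hosts line of nsswitch.conf), first on constructed sample files and then on the local system. Treating dns, mdns* and resolve as the network-capable modules is my assumption.

```shell
#!/bin/sh
# Added example, not from the original mail: check that the kernel nodename
# can be answered from /etc/hosts before any NSS module that may use the network.

# hosts_order_ok NSSWITCH_FILE
# Succeeds if the "hosts:" line lists "files" before the first network-capable
# module (assumed here: dns, mdns*, resolve). Action tokens such as
# "[NOTFOUND=return]" are ignored.
hosts_order_ok() {
    line=$(grep '^hosts:' "$1" | head -n 1 | sed 's/#.*//; s/^hosts:[[:space:]]*//')
    files_pos=0; net_pos=0; i=0
    for mod in $line; do
        mod=${mod%%\[*}            # drop a trailing "[...]" action
        [ -n "$mod" ] || continue  # a bare action token
        i=$((i + 1))
        case "$mod" in
            files) [ "$files_pos" -ne 0 ] || files_pos=$i ;;
            dns|mdns*|resolve) [ "$net_pos" -ne 0 ] || net_pos=$i ;;
        esac
    done
    [ "$files_pos" -ne 0 ] || return 1           # no "files" at all
    [ "$net_pos" -eq 0 ] || [ "$files_pos" -lt "$net_pos" ]
}

# nodename_in_hosts HOSTS_FILE NAME
# Succeeds if NAME appears as a hostname or alias on some address line.
nodename_in_hosts() {
    sed 's/#.*//' "$1" | awk -v n="$2" '
        NF >= 2 { for (i = 2; i <= NF; i++)
                      if (tolower($i) == tolower(n)) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample files, so the script runs without touching the system.
tmp=$(mktemp -d)
printf 'hosts: files dns\n' > "$tmp/nss.good"
printf 'hosts: dns files\n' > "$tmp/nss.bad"
printf '127.0.0.1 localhost\n127.0.1.1 box.example.org box\n' > "$tmp/hosts"
for f in good bad; do
    hosts_order_ok "$tmp/nss.$f" && echo "nss.$f: files first" \
                                 || echo "nss.$f: network lookup possible"
done
nodename_in_hosts "$tmp/hosts" box && echo "box is in the sample hosts file"
rm -rf "$tmp"
# The same checks against the running system, when its files are readable.
if [ -r /etc/nsswitch.conf ] && [ -r /etc/hosts ]; then
    hosts_order_ok /etc/nsswitch.conf || echo "WARNING: files not before dns"
    nodename_in_hosts /etc/hosts "$(uname -n)" || echo "WARNING: $(uname -n) not in /etc/hosts"
fi
```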