In Linux and other Unix-like operating systems, sudo allows a permitted user to execute a command as the superuser or as another user, for tasks such as installing, updating and removing packages, creating users and groups, and modifying important system configuration files.
Alternatively, the system administrator can share the root password (which is not a recommended method) so that normal users reach the root account via the su command. The sudo command's behaviour is controlled by the /etc/sudoers file on your system. This article explains how to use the sudo command from an end user's point of view.
sudo allows a permitted user to execute a command as root (or another user), as specified by the security policy:
- It reads and parses /etc/sudoers, looks up the invoking user and its permissions,
- Then prompts the invoking user for a password (normally the user's own password, but it can also be the target user's password, or the prompt can be skipped with the NOPASSWD tag),
- Then sudo creates a child process in which it calls setuid() to switch to the target user,
- After that, it executes a shell or the command given as arguments in that child process.
Once you enter the visudo command, you will see something like this:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
Basic Usage
To provide sudo access to an individual user, add the following line to the /etc/sudoers file.
emre ALL=(ALL) ALL
In the above example:
emre : name of the user to be allowed to use sudo
ALL : Allow sudo access from any terminal (any machine).
(ALL) : Allow the sudo command to be executed as any user.
ALL : Allow all commands to be executed.
To provide sudo access to a group, add the following line to the /etc/sudoers file.
%engineers ALL=(ALL) ALL
In the above example:
engineers : name of the group to be allowed to use sudo. The group name must be preceded by a percent sign.
ALL : Allow sudo access from any terminal (any machine).
(ALL) : Allow the sudo command to be executed as any user.
ALL : Allow all commands to be executed.
1. Give permission to execute a specific command
In the example below, the system administrator has allowed user emre to restart the Apache server.
$ sudo /sbin/service httpd restart
[sudo] password for emre:
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
The system administrator has allowed emre to do this by adding the following entry to the /etc/sudoers file.
emre ALL=/sbin/service httpd restart
2. Give permission to execute a specific command without a password
You can also specify commands that never require a password when run with sudo. Instead of ALL after the NOPASSWD: tag, specify the full paths of the commands.
emre ALL=(ALL) NOPASSWD: /usr/bin/yum,/sbin/shutdown
3. Clear your sudo cache
By default, sudo remembers your password for 15 minutes after you type it. You can invalidate the cached sudo credential using the -k option as shown below.
sh-3.2# sudo -k
4. Change the password timeout
You can set the password timeout yourself. The number is the number of minutes sudo will remember your password for, set with a Defaults line in /etc/sudoers as shown below.
Defaults timestamp_timeout=10
5. Change the default visudo editor
You can change the editor used by visudo easily.
Using vim with visudo
export VISUAL=vim; visudo
Using nano with visudo
export VISUAL=nano; visudo
6. View allowed commands
The following command will tell us what commands the user can run with sudo:
[root@instance-1 ~]# sudo -U emre -l
Matching Defaults entries for emre on instance-1:
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User emre may run the following commands on instance-1:
    (ALL) NOPASSWD: /usr/bin/yum, /sbin/shutdown
7. Validate sudo credential
You can update your cached sudo credential using the -v option. This is helpful when the password has changed, or if you want to extend the sudo timeout.
[emre@instance-1 ~]$ sudo -v
[sudo] password for john:
8. Create user, host and command aliases
You can also create aliases for users (User_Alias), for hosts (Host_Alias) and for commands (Cmnd_Alias):
User_Alias ENGINEERS = emre,mehmet,mustafa
Host_Alias WEBSERVER = 10.142.0.2,10.142.0.10
Cmnd_Alias SHUTDOWN = /bin/shutdown
So, a typical sudoers file may look like this:
User_Alias ENGINEERS = emre,mehmet,mustafa
Host_Alias WEBSERVER = 10.142.0.2,10.142.0.10
Cmnd_Alias SHUTDOWN = /bin/shutdown
ENGINEERS ALL=ALL          # The users in the ENGINEERS alias can run any command from any terminal.
hakan WEBSERVER=(ALL) ALL  # user hakan may run any command from any machine in the WEBSERVER hosts.
mert ALL= SHUTDOWN         # user mert may shut down any host from any machine.
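As an added example (not code from the original article), here is a small Python emulation of the `sudo -U user -l` check from section 6 applied to the alias and privilege lines of section 8: it parses a constructed sudoers fragment, expands User_Alias, Host_Alias and Cmnd_Alias names, and also lists the NOPASSWD and unrestricted ALL entries a reviewer of /etc/sudoers checks first. The sample rules and the helper names are assumptions, and the parser covers only the subset of sudoers syntax used in this article.

```python
import re

# Constructed sudoers fragment; it mirrors the rules and aliases used in this article.
SAMPLE_SUDOERS = """
Defaults env_reset
Defaults timestamp_timeout=10
User_Alias ENGINEERS = emre,mehmet,mustafa
Host_Alias WEBSERVER = 10.142.0.2,10.142.0.10
Cmnd_Alias SHUTDOWN = /bin/shutdown
root ALL=(ALL) ALL
%engineers ALL=(ALL) ALL
ENGINEERS ALL=ALL              # any command, as root, from any host
hakan WEBSERVER=(ALL) ALL      # any command, but only on the WEBSERVER hosts
mert ALL= SHUTDOWN
emre ALL=(ALL) NOPASSWD: /usr/bin/yum,/sbin/shutdown
"""

ALIAS_RE = re.compile(r"(User|Host|Cmnd|Runas)_Alias\s+(\w+)\s*=\s*(.+)")
RULE_RE = re.compile(r"(\S+)\s+(\S+?)\s*=\s*(?:\((\S+?)\))?\s*(NOPASSWD:)?\s*(.+)")

def parse_sudoers(text):
    """Return (aliases, rules): aliases map a name to its members; each rule is a dict
    with who/hosts/runas/nopasswd/cmds. Comments and Defaults lines are skipped."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if m := ALIAS_RE.match(line):
            aliases[m.group(2)] = [x.strip() for x in m.group(3).split(",")]
        elif m := RULE_RE.match(line):
            who, hosts, runas, nopw, cmds = m.groups()
            rules.append({"who": who, "hosts": hosts, "runas": runas or "root",
                          "nopasswd": bool(nopw), "cmds": [c.strip() for c in cmds.split(",")]})
    return aliases, rules

def expand(token, aliases):
    """Expand an alias to its members; a plain user, host or command maps to itself."""
    return aliases.get(token, [token])

def allowed_commands(text, user, host, groups=()):
    """Emulate `sudo -U user -l` on `host`: return (command, run-as user, passwordless)
    tuples from every rule whose user/group and host specifications match."""
    aliases, rules = parse_sudoers(text)
    found = []
    for r in rules:
        who, hosts = expand(r["who"], aliases), expand(r["hosts"], aliases)
        user_ok = "ALL" in who or user in who or any("%" + g in who for g in groups)
        if user_ok and ("ALL" in hosts or host in hosts):
            for c in r["cmds"]:
                found += [(cmd, r["runas"], r["nopasswd"]) for cmd in expand(c, aliases)]
    return found

def risky_entries(text):
    """Names of rules a reviewer checks first: unrestricted ALL commands or NOPASSWD."""
    _, rules = parse_sudoers(text)
    return [r["who"] for r in rules if "ALL" in r["cmds"] or r["nopasswd"]]
```

Run `allowed_commands(SAMPLE_SUDOERS, "emre", "10.142.0.2")` to see that emre gets unrestricted root access through the ENGINEERS alias in addition to his own NOPASSWD entry, which is exactly the kind of overlap a quick read of the file hides.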