In Linux and other Unix-like operating systems, sudo allows a permitted user to execute a command as the superuser or as another user, for tasks such as installing, updating and removing packages, creating users and groups, and modifying important system configuration files.

Alternatively, the system administrator can share the root user's password (which is not a recommended method) so that normal system users can reach the root account via the su command. The sudo command's behavior is controlled by the /etc/sudoers file on your system. This article explains how to use the sudo command from the end user's point of view.

sudo allows a permitted user to execute a command as root (or as another user), as specified by the security policy:

  • It reads and parses /etc/sudoers and looks up the invoking user and that user's permissions,
  • Then it prompts the invoking user for a password (normally the user's own password, though it can also be the target user's password, or the prompt can be skipped with the NOPASSWD tag),
  • Then sudo creates a child process in which it calls setuid() to switch to the target user,
  • After that, it executes a shell or the command given as arguments in that child process.

Once you run the visudo command, you will see something like this:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL

Basic Usage

To provide sudo access to an individual user, add the following line to the /etc/sudoers file.

emre    ALL=(ALL) ALL

In the above example:

emre : name of the user to be allowed to use sudo.
ALL : Allow sudo access from any host (any machine).
(ALL) : Allow the sudo command to be executed as any user.
ALL : Allow all commands to be executed.

To provide sudo access to a group, add the following line to the /etc/sudoers file.

%engineers    ALL=(ALL) ALL

In the above example:

engineers : name of the group to be allowed to use sudo. The group name must be preceded by a percent sign.
ALL : Allow sudo access from any host (any machine).
(ALL) : Allow the sudo command to be executed as any user.
ALL : Allow all commands to be executed.

1. Give permission to execute a specific command

In the example below, the system administrator has allowed user emre to restart the Apache server.

$ sudo /sbin/service httpd restart
[sudo] password for emre:
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

The system administrator has allowed emre to do this by adding the following entry to the /etc/sudoers file.

emre ALL=/sbin/service httpd restart

2. Give permission to execute a specific command without a password

You can also specify particular commands that will never require a password when run with sudo. Instead of writing ALL after the NOPASSWD tag, list the full paths of the commands.

emre ALL=(ALL) NOPASSWD: /usr/bin/yum,/sbin/shutdown

3. Clear your sudo cache

By default, sudo remembers your password for 15 minutes after you type it. You can invalidate the cached sudo credential with the -k option, as shown below.

sh-3.2# sudo -k

4. Change the password timeout

You can set the password timeout yourself. The number is the number of minutes for which sudo will remember your password, as in the Defaults entry below.

Defaults timestamp_timeout=10

5. Change the default visudo editor

You can change the editor used by visudo easily.

Using vim with visudo:
export VISUAL=vim; visudo

Using nano with visudo:
export VISUAL=nano; visudo

6. View allowed commands

The following command tells us which commands a user may run with sudo:

sudo -U emre -l
[root@instance-1 ~]# sudo -U emre -l
Matching Defaults entries for emre on instance-1:

secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User emre may run the following commands on instance-1:
(ALL) NOPASSWD: /usr/bin/yum, /sbin/shutdown

7. Validate sudo credential

You can refresh your cached sudo credential with the -v option. This is helpful when the password has been changed, or when you want to extend the sudo timeout.

[emre@instance-1 ~]$ sudo -v
[sudo] password for john:

8. Create user, host and command aliases

You can also create aliases: User_Alias for users, Host_Alias for hosts and Cmnd_Alias for commands.

User_Alias ENGINEERS = emre,mehmet,mustafa
Host_Alias WEBSERVER = 10.142.0.2,10.142.0.10
Cmnd_Alias SHUTDOWN = /bin/shutdown

So, a typical sudoers file may look like this:

User_Alias ENGINEERS = emre,mehmet,mustafa
Host_Alias WEBSERVER = 10.142.0.2,10.142.0.10
Cmnd_Alias SHUTDOWN = /bin/shutdown

ENGINEERS ALL=ALL           # The users in the ENGINEERS alias can run any command from any host.
hakan WEBSERVER=(ALL) ALL   # User hakan may run any command on any machine in the WEBSERVER hosts.
mert ALL= SHUTDOWN          # User mert may shut down any host, from any machine.
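As an added example (not code from the original article), here is a small Python parser for the rule forms used on this page. It resolves User_Alias, Host_Alias and Cmnd_Alias entries and answers the same question as `sudo -U emre -l` in section 6: which commands, on which hosts, as which user, and whether NOPASSWD applies. The sudoers text is a constructed sample assembled from the page's own rules, and the parser handles only the simple `who host=(runas) TAG: cmd` shape shown here, not the full sudoers grammar.

```python
import re
# Constructed sudoers fragment assembled from the rule forms shown on this page (sample data).
SAMPLE_SUDOERS = """
Defaults timestamp_timeout=10
User_Alias ENGINEERS = emre,mehmet,mustafa
Host_Alias WEBSERVER = 10.142.0.2,10.142.0.10
Cmnd_Alias SHUTDOWN = /bin/shutdown
ENGINEERS ALL=ALL    # alias members may run any command, as root, from any host
%engineers ALL=(ALL) ALL
emre ALL=(ALL) NOPASSWD: /usr/bin/yum,/sbin/shutdown
hakan WEBSERVER=(ALL) ALL
mert ALL= SHUTDOWN
"""

# who  host_list = (runas_list) TAG: cmd,cmd  -- the user-specification shape used on this page
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z]+:\s*)*)(.+)$")

def parse_sudoers(text):
    """Return (aliases, rules): alias tables by type, and one dict per user specification."""
    aliases, rules = {"User_Alias": {}, "Host_Alias": {}, "Cmnd_Alias": {}}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # strip comments; skip blanks and Defaults
        if not line or line.startswith("Defaults"):
            continue
        if (kind := line.split()[0]) in aliases:         # e.g. Cmnd_Alias SHUTDOWN = /bin/shutdown
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        if not (m := RULE_RE.match(line)):
            raise ValueError("unparsed sudoers line: " + line)
        who, hosts, runas, tags, cmds = m.groups()       # an omitted (runas) list means root
        rules.append({"who": who, "hosts": hosts, "runas": runas or "root",
                      "tags": [t for t in tags.replace(" ", "").split(":") if t],
                      "cmds": [c.strip() for c in cmds.split(",")]})
    return aliases, rules

def expand(aliases, kind, name):
    return aliases[kind].get(name, [name])               # plain names and ALL pass through unchanged

def allowed_commands(aliases, rules, user, groups=()):
    """Mimic `sudo -U user -l`: yield (host, runas, nopasswd, command) tuples that apply to user."""
    for r in rules:
        who = r["who"]                                   # %group rules match via group membership
        ok = who[1:] in groups if who.startswith("%") else user in expand(aliases, "User_Alias", who)
        if not ok:
            continue
        for host in expand(aliases, "Host_Alias", r["hosts"]):
            for cmd in r["cmds"]:
                for c in expand(aliases, "Cmnd_Alias", cmd):
                    yield (host, r["runas"], "NOPASSWD" in r["tags"], c)
```

Running `list(allowed_commands(aliases, rules, "emre"))` on the sample shows both the broad ENGINEERS grant and the two passwordless commands, which is exactly what a reviewer of this file should notice.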
