sudo allows you to run a program as another user; by default that user is root, also known as the superuser. The basic usage is sudo commandname. sudo will prompt for your own password (not root's) before running the command. If the sudoers policy does not allow you to run that command, it is refused and the attempt is logged.
The basics of using sudo
There are two main use cases for basic sudo use. The first is that it is your own computer or server: the vast majority of the time you operate as a normal user, but occasionally you want to execute a command as root without doing a full su. The risk of a full su is that you stay root afterwards and can do accidental damage; sudo elevates your privileges for that one command only. The second use case is that you are a server admin who does not want to hand out root privileges, but does want to give one or more users access to specific root commands.
In either case, once your system administrator has given you sudo privileges you only need to prefix the command with sudo. For example, if your server admin wants to give someone in the HR department the ability to add users, that person would run sudo adduser billg. The system admin no longer needs to be involved in adding users, but also does not need to hand full root access to the HR department. The other benefit is that the HR person gains no access to userdel or any other system command: the rule allows exactly what is listed and nothing more.
In the case of a user who owns the system, it is generally recommended not to work as root for day-to-day tasks and only to elevate to root when required. In this case sudo is enabled for all commands but requires the user's own password. So user barrym logs in as barrym and works as barrym all the time. If he then wants to modify the Apache config files and restart Apache he would use sudo vim /etc/apache2/httpd/httpd.conf and sudo service apache2 restart. (For a user with full sudo rights this is no extra exposure; for a user restricted to a few commands, an editor or pager run as root is a route to a root shell, so give such users sudoedit for files rather than sudo vim.)
The other use for sudo is when you have multiple admins on a server: you do not want them all running as root and logging in as the same identity, so you give them sudo access and each command is logged against the respective user.
The difference between sudo and su
su makes you the root user, whereas sudo only elevates your privileges for that one command. With su you may forget to exit and are then in a position to cause accidental damage. With sudo the elevated privileges apply to that one command only. In addition, unless the rule carries the NOPASSWD tag, sudo asks for your password (and caches that authentication for a few minutes), which is a helpful reminder that you are about to do something potentially dangerous to the system.
There is one file that is used to manage sudo, and that file is /etc/sudoers. It contains a lot of configuration information which we will not cover here, but it also contains the all-important permissions section. Always edit it with visudo rather than a plain editor: visudo checks the syntax before saving, and a syntax error in /etc/sudoers can stop sudo working for everyone, including you.
The first line we are looking for will be like this:
root ALL=(ALL) ALL
In as plain language as possible, this line breaks down into:
who where = (as_whom) what
The who part is the username we are giving privileges to. It can also be a group of users; to specify a group, prefix its name with the % symbol. Please see the examples below.
The where part is the name of the host that this access right is granted on. The sudoers file can be shared across multiple systems for ease of management, which means you can give the example user barrym access to specific commands on certain systems but not on others. For the purposes of this tutorial we are treating this as a single-system setup and this field will always be ALL.
The (as_whom) field is the user, and optionally the group, the command is to be run as. By default this is root, but it can be any system user or user:group.
Finally, the what field is the command or group of commands you are allowing this user to run. It can be the keyword ALL, a single command, multiple commands separated by commas, or an alias for a list of commands.
The first example above simply means root can run any command on any system that this sudoers file has control over.
Here are a few examples. In these examples we will always use barrym as the username and as we are only using this sudoers file on one system we will set the where part to ALL.
If we want to give barrym the ability to mount and unmount the cdrom we would use this line in the sudoers file
barrym ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
This means that barrym can run /sbin/mount /mnt/cdrom and /sbin/umount /mnt/cdrom, and nothing else. Note that the arguments are part of the rule: because /mnt/cdrom is spelled out, sudo refuses /sbin/mount with any other argument. If you list a command with no arguments at all, sudo allows it with any arguments, so be careful with commands that can be talked into running other programs or opening arbitrary files.
If you want everyone in the users group on this system to be able to mount and unmount the cdrom then you would use:
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
You may have noted that in the two previous examples there is no (as_whom) section. If you leave it out you can also omit the brackets, and the command will run as root.
If you own a system and you want to give another user (barryX) temporary root access, rather than handing over your root password, you could add this line:
barryX ALL=(ALL) ALL
This user could then run commands with sudo as though he were root, using his own password. You can then remove the line from sudoers to revoke the access.
You can use Aliases for groups of commands or users. This is useful if your sudoers file is starting to get complicated.
Aliases are of this format:
User_Alias ADMINS = jsmith, mikem, barrym
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
In both cases the first part is the type of alias, User_Alias or Cmnd_Alias. The second is the NAME for this alias, and the final part is the list of either users or commands for this alias.
You would then assign them as follows:
ADMINS ALL = SOFTWARE
This would allow jsmith, mikem and barrym all to run the system's update software.
Granting access without requiring a password
If you want to give the user access to a command without requiring them to enter their password, you can use the NOPASSWD: tag.
Using the previous example of the cdrom the line would look like this
%users ALL= NOPASSWD: /sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
This would allow any user in the users group to mount and unmount the cdrom without entering a password. Use NOPASSWD sparingly: it removes the authentication step, so anyone who gets hold of that user's session gets the command for free, and NOPASSWD combined with ALL is simply an unauthenticated root shell.
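Here is an added example, not part of the original article, that takes rule lines in the who where=(as_whom) what format described above, including the NOPASSWD: tag, splits them into their fields and flags the two things a reviewer most often catches: a command listed without arguments, which sudo then allows with any arguments, and NOPASSWD combined with ALL. The parser is a teaching aid written for this page; visudo remains the authoritative syntax check and is called at the end when it is installed. The rule lines and the ADMINS alias name are the ones used in this tutorial.

```shell
#!/bin/sh
# Added example, not code from the original article: pull apart sudoers rule
# lines using the  who where=(as_whom) what  layout and flag the mistakes a
# reviewer looks for. Teaching aid only; visudo is the authoritative check.

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# parse_rule 'who where=(as_whom) [NOPASSWD:] what'
# prints  who|where|as_whom|tag|what   (as_whom defaults to root, tag to -)
parse_rule() {
    rule=$(trim "$1")
    who=${rule%%[[:space:]]*}          # first token: user, %group or User_Alias
    rest=${rule#"$who"}
    rest=$(trim "$rest")
    where=${rest%%=*}                  # host list, everything before the '='
    where=$(trim "$where")
    rest=${rest#*=}
    rest=$(trim "$rest")
    as_whom=root                       # an omitted (as_whom) means run as root
    case $rest in
        "("*) as_whom=${rest#\(}; as_whom=${as_whom%%\)*}
              rest=${rest#*\)}; rest=$(trim "$rest") ;;
    esac
    tag=-
    case $rest in
        NOPASSWD:*) tag=NOPASSWD; rest=${rest#NOPASSWD:}; rest=$(trim "$rest") ;;
        PASSWD:*)   tag=PASSWD;   rest=${rest#PASSWD:};   rest=$(trim "$rest") ;;
    esac
    printf '%s|%s|%s|%s|%s\n' "$who" "$where" "$as_whom" "$tag" "$rest"
}

# audit_rule 'rule'  -> one WARN line per finding, nothing if the rule looks sane
audit_rule() {
    fields=$(parse_rule "$1")
    who=${fields%%|*}
    tag=$(printf '%s' "$fields" | cut -d'|' -f4)
    what=$(printf '%s' "$fields" | cut -d'|' -f5-)
    if [ "$what" = ALL ] && [ "$tag" = NOPASSWD ]; then
        echo "WARN $who: NOPASSWD with ALL is an unauthenticated root shell for anyone holding this account"
    fi
    # Look at each comma-separated command in the what field.
    printf '%s\n' "$what" | tr ',' '\n' | while IFS= read -r cmd; do
        cmd=$(trim "$cmd")
        if [ -n "$cmd" ] && [ "$cmd" != ALL ]; then
            case $cmd in
                /*) ;;
                *)  echo "WARN $who: '$cmd' is not an absolute path; visudo will reject the rule" ;;
            esac
            case $cmd in
                *" "*) ;;   # arguments listed: only that exact argument string is allowed
                *)     echo "WARN $who: '$cmd' has no argument list, so any arguments are allowed (check it cannot spawn a shell or open arbitrary files)" ;;
            esac
        fi
    done
}

warn_count() { audit_rule "$1" | awk 'END { print NR }'; }

# The real check: write the rules to a drop-in and let visudo parse it. A file
# under /etc/sudoers.d must be owned by root with mode 0440 before sudo uses it.
check_with_visudo() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"      # -c: check only; -f: check this file instead of /etc/sudoers
    else
        echo "visudo not installed; syntax not verified" >&2
    fi
}

# The tutorial's rules plus one deliberately dangerous line for the audit to catch.
for r in 'root ALL=(ALL) ALL' \
         'barrym ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom' \
         '%users ALL= NOPASSWD: /sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom' \
         'ADMINS ALL=(ALL) NOPASSWD: ALL'; do
    parse_rule "$r"
    audit_rule "$r"
done
```

To check a candidate file before installing it, save the rules to a temporary file and run check_with_visudo on it; a clean visudo -c -f exit is the only result that means the syntax is right, the audit above only catches policy mistakes that parse fine.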
If you have a problem and suspect a sudo user has caused it, you can view the log for sudo entries like this:
grep sudo /var/log/messages
Depending on the distribution, sudo's messages may instead land in /var/log/secure or /var/log/auth.log, or in the journal, where journalctl _COMM=sudo shows them. Each entry records the calling user, the TTY, the working directory, the target user and the exact command, and refused attempts (wrong password, user not in sudoers, command not allowed) are logged as well.
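As an added example (not from the original article), the following script triages the lines that grep sudo /var/log/messages returns, separating commands that ran from refused attempts and tallying both per user. The sample log embedded in it is constructed for this page, not taken from a real host, but it uses the field layout sudo writes; the usernames barrym, alice and hruser and the host name web1 are made up.

```shell
#!/bin/sh
# Added example, not from the original article: triage sudo's log lines.
# Works on  grep sudo /var/log/messages  output (or auth.log, secure, or
# journalctl _COMM=sudo). The sample below is constructed, not a real log.

# Constructed sample: two successful commands, three refusals, one unrelated line.
SAMPLE_LOG='Mar  3 10:15:01 web1 sudo:   barrym : TTY=pts/0 ; PWD=/home/barrym ; USER=root ; COMMAND=/usr/sbin/service apache2 restart
Mar  3 10:16:42 web1 sudo:   barrym : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/barrym ; USER=root ; COMMAND=/bin/bash
Mar  3 10:17:05 web1 sudo:    alice : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/userdel billg
Mar  3 10:17:40 web1 sudo[4110]:   hruser : command not allowed ; TTY=pts/2 ; PWD=/home/hruser ; USER=root ; COMMAND=/usr/sbin/userdel billg
Mar  3 10:18:30 web1 sudo:   barrym : TTY=pts/0 ; PWD=/home/barrym ; USER=root ; COMMAND=/usr/bin/vim /etc/apache2/httpd/httpd.conf
Mar  3 10:19:02 web1 CRON[4122]: (root) CMD (run-parts /etc/cron.hourly)'

# sudo_report [logfile...]   (reads stdin when no file is given)
# One line per sudo event: OK for a command that ran, DENIED for a refused or
# failed attempt with sudo's own reason, followed by a per-user tally.
sudo_report() {
    awk '
    / sudo(\[[0-9]+\])?: / {
        sub(/^.* sudo(\[[0-9]+\])?: +/, "")     # keep "user : field ; field ; ..."
        n = split($0, f, / ; /)
        split(f[1], head, / : /)                 # head[1]=user, head[2]=TTY=... or a reason
        if (head[2] == "") next                  # not a command record (e.g. PAM chatter)
        user = head[1]; first = head[2]
        target = "?"; cmd = "?"
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^USER=/)    target = substr(f[i], 6)
            if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
        }
        if (first ~ /^TTY=/) {                   # a successful run starts straight with TTY=
            ok[user]++
            printf "OK      %-8s as %-5s %s\n", user, target, cmd
        } else {                                 # anything else is sudo explaining a refusal
            denied[user]++
            printf "DENIED  %-8s as %-5s %s  (%s)\n", user, target, cmd, first
        }
    }
    END {
        for (u in ok)     printf "SUMMARY %s ran %d command(s)\n", u, ok[u]
        for (u in denied) printf "SUMMARY %s had %d refused attempt(s)\n", u, denied[u]
    }' "$@"
}

# sudo_denials [logfile...] -> number of refused or failed sudo attempts
sudo_denials() { sudo_report "$@" | awk '/^DENIED/ { n++ } END { print n + 0 }'; }

printf '%s\n' "$SAMPLE_LOG" | sudo_report
```

On a live system run sudo_report /var/log/messages (or pipe journalctl _COMM=sudo into it); a user with several DENIED lines against commands outside their rule, like hruser trying userdel above, is the first place to look.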
To find out more about sudo and the sudoers file please see the man pages, man sudo and man sudoers.