Sudo FAQ

Saturday, 24 February 2007, michuk

Sudo is a simple program which allows the administrator to give regular users extra permissions to execute commands they would normally not be allowed to use. Thanks to sudo, we can execute commands that are usually restricted to the root account. In practice it looks like this: instead of typing su -> password -> command, you type sudo command. In order to use sudo you need to configure it properly. This FAQ is supposed to help you with this task.

Pic.1 Sudo make me a sandwich (xkcd)

Contents:

  1. How to download and install sudo?
  2. How to configure sudo?
  3. How to use sudo?
  4. What are the aliases?
  5. What about sudo passwords?
  6. Additional options
  7. Sudo in Ubuntu

1. How to download and install sudo?

The source code of sudo can be downloaded from the sudo homepage. However, sudo is a very popular administrative tool and it is usually available by default in most popular Linux distributions. If you don't have sudo installed, check your distribution's repository before building it from source.

2. How to configure sudo?

The sudo configuration file is /etc/sudoers. This file should never be edited directly. Instead, use the visudo command:

# visudo

This protects against conflicts (when two admins edit the file at the same time) and guarantees that the syntax is correct before the file is saved (and that its permission bits stay correct). The program uses the vi text editor (or your preferred editor, set in the VISUAL or EDITOR environment variables), so you need to know its basics in order to use it.

2.a. The syntax of /etc/sudoers.
The basic syntax of /etc/sudoers file looks like this:

user computer = command

In short, it means that the user logged into computer can run the command with administrative privileges. Here is an example:

johnny localhost = /usr/bin/du

This means that johnny will be able to run the du (disk usage) command on localhost (the current computer).
Warning: if the computer's hostname has been changed, its real name (not localhost) needs to be entered.

2.b. Granting the users of group XXX the right to execute command YYY (note the % prefix, with no space after it):
%XXX localhost = /the/path/to/command/YYY

2.c. Allowing several commands in one rule:
johnny localhost = /usr/bin/du, /usr/bin/nail, /usr/bin/sane

3. How to use sudo?

3.a. Basic sudo usage.
The command $ sudo du -h produces the following (once sudo is configured):

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password: (enter your password, not root's password)

Warning: sudo does not change the $PATH variable. To run a program that is not on your PATH with sudo, you need to enter its full path, e.g.:

$ sudo /usr/sbin/checkinstall

4. Aliases

If you have many users on your machine and those users can log into many different machines, the prospect of entering every possible combination in /etc/sudoers is not very encouraging. Fortunately, aliases can be used to minimize the typing.

4.a. Aliases in sudo.
Cmnd_Alias command_alias = command1, command2, ...   # command aliases
Host_Alias host_alias = hostname1, hostname2, ...    # computer aliases
User_Alias user_alias = user1, user2, ...            # user aliases

By default, an alias called ALL is already defined; it stands for all possible values (in practice a sudo user with the ALL privilege is equivalent to root).
HINT: alias names should be typed in capital letters to minimize confusion.

4.b. Executing a command as another user (not root).
user computer = (another-user) command(s)

Example:

johnny localhost = (bob, mary) /usr/bin/du

Now, using the command sudo -u bob du, du will be run as bob.
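
To show how the pieces of sections 2 and 4 fit together (user specifications, %group entries, the three alias kinds, the (runas) list, NOPASSWD and ALL), here is a small Python model of sudo's rule matching. It is an added example, not code from the original article or from the sudo project. It parses a constructed sudoers fragment and answers, for a given user, host and command, what sudo -l would report. The model is deliberately simplified: no wildcards, no ! negation, and Defaults lines are ignored.

```python
"""Toy evaluator for the /etc/sudoers rule syntax from sections 2 and 4.

Added example; not part of the original article and not sudo's own code.
Handles "user host = (runas_list) NOPASSWD: command, command", %group
entries, Cmnd_Alias / Host_Alias / User_Alias and the built-in ALL.
Simplifications: no wildcards, no '!' negation, Defaults lines ignored.
"""
import re

# Constructed sample configuration, modelled on the article's examples.
SAMPLE_SUDOERS = """\
# aliases (section 4.a)
Cmnd_Alias DISK   = /usr/bin/du, /usr/bin/df
Host_Alias WEB    = www1, www2
User_Alias ADMINS = alice, bob

johnny localhost = /usr/bin/du, /usr/bin/nail
%wheel localhost = /sbin/reboot
johnny localhost = (bob, mary) /usr/bin/du
ADMINS WEB       = NOPASSWD: DISK
root   ALL       = (ALL) ALL
"""

ALIAS_RE = re.compile(r"^(Cmnd|Host|User)_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(
    r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(NOPASSWD:\s*)?(.+)$")


def parse_sudoers(text):
    """Return (aliases, specs); each spec is one 'user host = ...' rule."""
    aliases = {"Cmnd": {}, "Host": {}, "User": {}}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = [x.strip() for x in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            user, host, runas, nopasswd, cmds = m.groups()
            specs.append({
                "user": user,
                "host": host,
                # no (runas) list means "as root", as in section 2
                "runas": [r.strip() for r in runas.split(",")] if runas else ["root"],
                "nopasswd": bool(nopasswd),
                "cmds": [c.strip() for c in cmds.split(",")],
            })
    return aliases, specs


def expand(names, table):
    """Resolve alias names (recursively); anything else, ALL included, is kept."""
    out = []
    for name in names:
        if name in table:
            out.extend(expand(table[name], table))
        else:
            out.append(name)
    return out


def check(parsed, user, groups, host, command, runas="root"):
    """Return (allowed, nopasswd) for running `command` as `runas` on `host`.

    As in real sudo, when several rules match the *last* one wins.
    """
    aliases, specs = parsed
    result = (False, False)
    for spec in specs:
        users = expand([spec["user"]], aliases["User"])
        hosts = expand([spec["host"]], aliases["Host"])
        runas_users = expand(spec["runas"], aliases["User"])
        cmds = expand(spec["cmds"], aliases["Cmnd"])
        user_ok = any(
            u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
            for u in users)
        host_ok = "ALL" in hosts or host in hosts
        runas_ok = "ALL" in runas_users or runas in runas_users
        cmd_ok = "ALL" in cmds or command in cmds
        if user_ok and host_ok and runas_ok and cmd_ok:
            result = (True, spec["nopasswd"])
    return result


if __name__ == "__main__":
    parsed = parse_sudoers(SAMPLE_SUDOERS)
    for who, grp, where, cmd, as_user in [
            ("johnny", [], "localhost", "/usr/bin/du", "bob"),
            ("alice", [], "www2", "/usr/bin/df", "root"),
            ("carol", ["wheel"], "localhost", "/sbin/reboot", "root")]:
        print(who, "->", as_user, cmd, "on", where,
              check(parsed, who, grp, where, cmd, as_user))
```

Note the last-match behaviour in check(): when two lines match the same request, the later one decides, which is why the order of rules in /etc/sudoers matters.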

5. Passwords.

When first used, sudo informs us that a password (the current user's password) must be entered. The password is remembered for 5 minutes (it does not need to be entered again for subsequent sudo commands within that time).

5.a. You can set sudo to never remember passwords.
In order to do this, append the following line in /etc/sudoers:

Defaults:johnny timestamp_timeout=0

Entering -1 instead of 0 causes the password to be remembered until the next system reboot (not recommended).

5.b. Asking for the password of another user.
It is also possible to set sudo to ask for the password of another user:

Defaults:bob runaspw, passwd_tries=2

Now sudo always asks for bob's password.

5.c. Passwordless sudo
If you don't want to use passwords in sudo at all, enter the following:

johnny localhost = NOPASSWD: /usr/bin/du

Of course this option should be used with care; it may be a severe danger to your system's security. However, it is sometimes required if you want to run a script with root privileges automatically (e.g. from cron) from a normal user's account.

6. Other interesting options

6.a. Checking the current sudo permissions:
sudo -l

6.b. Make the sudo password last another 5 minutes:
sudo -v

6.c. Force the password to be forgotten at once:
sudo -k

FINAL REMARK: the # and $ signs shown before the commands should not be typed. They indicate the current session: # means the command requires the root user, $ means a normal user.

7. Sudo in Ubuntu

Some distributions enable sudo by default. In Ubuntu, for instance, sudo is the default way to perform administrative activities. The root account is even disabled by default!

If you want to find out more about sudo, consult the system manuals: man sudoers and man sudo.

Author: largo3


15 Comments

Jochen, Monday, 26 February 2007, 10:36 am (karma +1)

Be careful when giving rights to some program types, especially shells, kernel-tools(insmod, modprobe,…), editors and programs with shell escape:
johnny localhost = /usr/bin/vim
Vim has a shell escape(=root shell!) and you could also edit your login/sudo files. This way you give “johnny” complete root access, which is not always what you intended!
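
As an added example that is not from the article or from sudo itself, the following Python checker turns this comment into an audit: it reads a constructed sudoers fragment and flags any rule or Cmnd_Alias that grants a shell, insmod/modprobe, an editor with a shell escape, or ALL, and points to sudoedit for the editor case. The program name sets (SHELLS, KERNEL_TOOLS, EDITORS) are assumptions chosen for the example and are not exhaustive.

```python
"""Audit /etc/sudoers for rules that are root access in disguise.

Added example; not part of the original article and not sudo's own code.
Following Jochen's comment: granting a shell, a kernel-module tool, or an
editor with a shell escape as root is equivalent to granting root. The
scanner flags such rules (including ALL) and suggests sudoedit for editors.
"""
import os
import re

# Program names the comment singles out (assumed lists, not exhaustive).
# Editors get their own bucket because sudoedit replaces "sudo vim /etc/file".
SHELLS = {"sh", "bash", "dash", "zsh", "csh", "tcsh", "ksh"}
KERNEL_TOOLS = {"insmod", "modprobe"}
EDITORS = {"vi", "vim", "nano", "emacs", "joe", "pico"}

# Constructed sample sudoers content; not from a real system.
SAMPLE_SUDOERS = """\
johnny localhost = /usr/bin/du, /usr/bin/nail
johnny localhost = /usr/bin/vim
%admins ALL = (ALL) NOPASSWD: /bin/bash
Cmnd_Alias KMOD = /sbin/insmod, /sbin/modprobe
ops ALL = KMOD
backup ALL = NOPASSWD: /usr/local/bin/backup.sh
alice ALL = sudoedit /etc/hosts
Defaults:johnny timestamp_timeout=0
root ALL = (ALL) ALL
"""


def rule_commands(line):
    """Return the command list on the right-hand side of a rule or Cmnd_Alias.

    Defaults, Host_Alias and User_Alias lines carry no commands.
    """
    if "=" not in line or line.startswith(("Defaults", "Host_Alias", "User_Alias")):
        return []
    rhs = line.split("=", 1)[1]
    rhs = re.sub(r"\([^)]*\)", "", rhs)          # drop the (runas) list
    rhs = re.sub(r"\b(?:NO)?PASSWD:", "", rhs)   # drop the password tag
    return [c.strip() for c in rhs.split(",") if c.strip()]


def classify(command):
    """Return a finding string for a risky command, or None if it looks fine."""
    if command == "ALL":
        return "ALL: equivalent to root"
    name = os.path.basename(command.split()[0])
    if name in SHELLS:
        return "shell: gives an unrestricted root shell"
    if name in KERNEL_TOOLS:
        return "kernel module tool: can load arbitrary code into the kernel"
    if name in EDITORS:
        return "editor with shell escape: grant sudoedit on the file instead"
    return None


def audit(text):
    """Return [(line_number, command, finding)] for every risky command.

    Alias members are checked where the Cmnd_Alias is defined, so a rule
    that merely references the alias (ops ALL = KMOD) is not reported twice.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        for cmd in rule_commands(line):
            finding = classify(cmd)
            if finding:
                findings.append((lineno, cmd, finding))
    return findings


if __name__ == "__main__":
    for lineno, cmd, finding in audit(SAMPLE_SUDOERS):
        print(f"line {lineno}: {cmd}: {finding}")
```

Run against a real file with audit(open("/etc/sudoers").read()) as root; the line numbers map directly to what visudo shows.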

 
zly, Monday, 26 February 2007, 12:58 pm (karma +0)

> # visudo
>
> "The program uses Vi text editor so you need to know its basics in order to use it."
visudo uses the editor defined in the $EDITOR variable.
If you are not familiar with vi, but know your way around in e.g. joe, you can do a:
export EDITOR=joe
or which ever editor your prefer, before executing the visudo command.

 
zly, Monday, 26 February 2007, 1:06 pm (karma -1)

#2 (me)
Seems I was a little to quick on the earlier comment.
To clarify (from man pages):

ENVIRONMENT
The following environment variables are used only if visudo was configured with the --with-env-editor option:
VISUAL Invoked by visudo as the editor to use
EDITOR Used by visudo if VISUAL is not set

 
michuk, Monday, 26 February 2007, 1:25 pm (karma +0)

@zly: Thanks. I updated the article to cover this information.

 
Primsi, Monday, 26 February 2007, 3:16 pm (karma +0)

How do I know which programs have shell escape?

 
Mast, Monday, 26 February 2007, 4:32 pm (karma +1)

And how can I sudo when using another account?

 
Paulo Köch, Monday, 26 February 2007, 8:19 pm (karma +0)

@Mast,
I’m ‘me’. When I’m ‘notme’

$ su - me

Given me’s password, this will Switch User to ‘me’. (the ‘-’ tells su to reinitialize environment variables).
And then sudo as normal.

 
Jesse, Tuesday, 27 February 2007, 12:15 pm (karma +0)

I used visudo in ubuntu and it came up with pico. It took me a second to realize what it was. I was expecting vi and I typed :q after I was done looking and I was like “WTF mate?” when it put the text in the middle of the screen even after I esc’d.

 
ranger, Tuesday, 27 February 2007, 4:21 pm (karma +0)

Jochen, for editors, it is effective to add rules for sudoedit, which will be used by sudoedit to allow users to edit files. In this case, sudoedit copies the original file to a temporary location, runs the user’s editor (determined from VISUAL or similar) as the user. On exit of the editor, sudoedit will then copy the temporary file over the original file if the temporary copy has changed.

So, while there are still some issues with it, it provides access to an editor without providing an avenue for exploit.

Also, for circumstances where users must run some kind of interactive application (e.g. installing some proprietary software, etc. etc.) there are audited shells available (which you can provide access to via sudo).

Finally, I don’t think any article on sudo is complete without noting that current versions of sudo support reading sudo rules from LDAP (which avoids problems with syntax checking, and provides immediate access to new rules across all hosts).

 
Venkatt Guhesan, Wednesday, 28 February 2007, 9:00 pm (karma +0)

Also, another rarely used command is for when you open up GUI applications. Have you ever encountered a situation where in Ubuntu you have a graphical window open and you were trying to copy to/from a directory that has "root" access only, and it comes back and tells you that you can't? Well, to get around this issue you can use "gksudo".

For example, “gksudo nautilus” will open your file explorer as root…

This will allow you to modify as root. But also be aware that you can also do some serious damage as root…

Enjoy…

 
Jim Budler, Friday, 2 March 2007, 10:18 am (karma +0)

Fedora Core 6:

Sudo visudo was using vi despite my EDITOR and VISUAL being set to nedit.

Simple fix:

sudo visudo; Modify env_keep to include VISUAL and EDITOR.

Result: sudo visudo uses nedit.

Jim

 
Heidi Schmidt, Thursday, 12 April 2007, 9:20 pm (karma +1)

Thanks for the forum. I have been searching for a way to figure out if the .cshrc is ever read on sudo -u username. In my test trial I put umask 022 into the .cshrc file and when I sudo-ed to username and ran umask it was set to 2

I am not sure if it is the /etc/sudoers file, a sudo command line flag or other setting that needs to happen in order for the .cshrc file to be properly sourced upon sudo -u

From what I read it looked like resetting environment paths was inherent. I am sudo -u username shell and in that case I want the dot files sourced.

Any help appreciated.

Thanks
Heidi

 
Sergiy Tsymbal, Sunday, 6 January 2008, 2:40 pm (karma +0)

I was also looking for the way to change umask of the user I am sudoing to.
Apparently, it is controlled by sudo defaults. To change the umask of the user you sudo to (sudo -u username), add the following line to /etc/sudoers:

Defaults>username umask=0002

Regards,
Sergiy

 
Paul, Thursday, 14 February 2008, 4:22 pm (karma +0)

We have a problem with admins always typing “sudo bash” or “sudo tcsh” then doing their stuff as root without any logging.

Does anyone know if it’s possible to block users’ access to *certain* commands, while allowing all other commands? We need this mostly as a reminder of policy, rather than for security.

The best I’ve come up with so far is a daily grep of /var/log/messages.0.gz for offending lines, with an automated email reminder to whoever does it.

Thanks.
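
As an added example (not part of the thread and not sudo's own code), here is a Python script implementing the daily check Paul describes: it parses sudo's syslog records, including the "command not allowed" form that denied attempts produce, flags COMMAND values that start a shell, and counts successful root shells per user so the reminder can be addressed. The log lines are constructed for the example, and the set of shell names is an assumption.

```python
"""Find root shells started through sudo in syslog-style sudo log lines.

Added example; not part of the original thread and not sudo's own code.
It automates the daily grep Paul describes: parse each "sudo:" record,
flag COMMAND values that are a shell (or su), and count them per user so
a reminder can be sent. Reads plain or .gz files such as messages.0.gz.
"""
import gzip
import os
import re

# Assumed list of programs that give an interactive root shell.
SHELLS = {"sh", "bash", "dash", "zsh", "csh", "tcsh", "ksh", "su"}

# sudo's default syslog record; the "command not allowed" part is only
# present for denied attempts.
LOG_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<cmd>.+)$")

# Constructed sample log lines; hostnames, users and times are invented.
SAMPLE_LOG = """\
Feb 14 09:01:12 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/du -h /var
Feb 14 09:03:40 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Feb 14 09:05:02 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/tcsh
Feb 14 09:07:55 web1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Feb 14 09:10:13 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=bob ; COMMAND=/usr/bin/du -h /home/bob
Feb 14 09:12:00 web1 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
"""


def parse_sudo_log(lines):
    """Yield one dict per sudo record; lines from other daemons are skipped."""
    for line in lines:
        m = LOG_RE.search(line.rstrip("\n"))
        if m:
            rec = m.groupdict()
            rec["denied"] = rec["denied"] is not None
            yield rec


def is_shell(command):
    """True if the COMMAND field starts a shell (or su), e.g. 'sudo bash'."""
    return os.path.basename(command.split()[0]) in SHELLS


def shell_sessions(lines):
    """Return [(user, runas, command, denied)] for every shell started via sudo."""
    return [(r["user"], r["runas"], r["cmd"], r["denied"])
            for r in parse_sudo_log(lines) if is_shell(r["cmd"])]


def offenders(lines):
    """Count *successful* root shells per user; this is who gets the reminder."""
    counts = {}
    for user, runas, _cmd, denied in shell_sessions(lines):
        if not denied and runas == "root":
            counts[user] = counts.get(user, 0) + 1
    return counts


def scan_file(path):
    """Open a plain or gzip-compressed log file and return offenders()."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return offenders(fh)


if __name__ == "__main__":
    for user, n in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {n} root shell(s) via sudo")
```

Denied attempts are kept in shell_sessions() but excluded from offenders(): a refused "sudo bash" is sudo doing its job, while a successful one is exactly the unlogged root session the policy reminder is about.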

Buchan, Sunday, 24 February 2008, 9:23 pm (karma +2)

There is no real solution (with open-source software) to allow almost-all commands as root.

However, one solution to your real problem, is to allow specific commands, and anything not specifically allowed would be made accessible via an audited shell, such as sudosh2 (http://sf.net/projects/sudosh2), or eash (the more enterprise version of sudosh, but the project is gone, however the source is available in Mandriva’s svn repo – the package being maintained by me …).

A TACACS+ based shell would be a better option … but it would have to be hacked in to quite an extent to be similar to how the command shell on Cisco IOS (for example) handles TACACS+ command authorization …

 
 