Sudo FAQ

Saturday, 24 February 2007, michuk

Sudo is a simple program that lets the administrator give regular users extra permissions to execute commands they would normally not be allowed to use. Thanks to sudo, we can execute commands that are usually restricted to the root account. In practice, it looks like this: instead of typing su -> password -> command, you type sudo command. To use sudo you need to configure it properly, and this FAQ is meant to help you with that task.

Pic.1 Sudo make me a sandwich by xkcd

Contents:

  1. How to download and install sudo?
  2. How to configure sudo?
  3. How to use sudo?
  4. What are the aliases?
  5. What about sudo passwords?
  6. Additional options
  7. Sudo in Ubuntu

1. How to download and install sudo?

The source code of sudo can be downloaded from the sudo homepage. However, sudo is a very popular administrative tool and it is usually available by default in most of the popular Linux distributions. If you don’t have sudo installed, before installing from sources make sure it is not available in your distribution repository.

2. How to configure sudo?

The sudo configuration file is /etc/sudoers. We should never edit this file manually. Instead, use the visudo command:

# visudo

This protects against conflicts (when two admins edit the file at the same time) and guarantees that the right syntax is used (the permission bits are correct). The program uses the Vi text editor (or your preferred text editor set in the VISUAL or EDITOR environment variables), so you need to know its basics in order to use it.

2.a. The syntax of /etc/sudoers.
The basic syntax of /etc/sudoers file looks like this:

user computer = command

In short, it means that the user logged into computer can run the command with administrative privileges. Here is an example:

johnny localhost = /usr/bin/du

This means that johnny will be able to use du (disk usage) command on localhost (the current computer).
Warning: if the computer name has been changed, the real name (not localhost) needs to be entered.

2.b. Granting users of group XXX the right to execute the command YYY:
%XXX localhost = /the/path/to/command/YYY

2.c. Allowing many commands in one rule:
johnny localhost = /usr/bin/du, /usr/bin/nail, /usr/bin/sane

3. How to use sudo?

3.a. Basic sudo usage.
The command $ sudo du -h produces the following output (provided sudo is configured):

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password: (enter your password, not root's password)

Warning: sudo does not change the $PATH system variable. In order to use a program that is not on your path with sudo you need to enter the whole path, e.g.:

$ sudo /usr/sbin/checkinstall

4. Aliases

If you have many users on your machine and those users can log into many different external machines, the vision of entering in /etc/sudoers all the possible combinations may not be very encouraging. Fortunately, we can use the aliases to minimize the typing.

4.a. Aliases in sudo.
Cmnd_Alias COMMAND_ALIAS = command1, command2, ...   # command aliases
Host_Alias HOST_ALIAS = hostname1, hostname2, ...    # computer aliases
User_Alias USER_ALIAS = user1, user2, ...            # user aliases

By default, an alias called ALL is already defined and it is an alias to all possible values (in practice a sudo user with ALL privilege is equivalent to root).
HINT: alias names should be typed in capital letters, in order to minimize confusion.

4.b. Executing command as another user (not root).
user computer = (another-user) command(s)

Example:

johnny localhost = (bob, mary) /usr/bin/du

Now the command sudo -u bob du runs du as bob.

5. Passwords.

When first used, sudo asks for a password (the password of the current user). The password is remembered for 5 minutes, so it does not have to be entered again for the next sudo commands.

5.a. You can set sudo to never remember passwords.
In order to do this, append the following line in /etc/sudoers:

Defaults:johnny timestamp_timeout=0

Entering -1 instead of 0 causes the password to be remembered until the next system reboot (not recommended).

5.b. Asking for a password of another user.
It is also possible to set sudo to ask for the password of another user.

Defaults:bob runaspw, passwd_tries=2

Now sudo always asks for bob's password.

5.c. Passwordless sudo
If you don't want to use passwords in sudo at all, enter the following:

johnny localhost = NOPASSWD: /usr/bin/du

Of course this option should be used with care. It may be a severe danger to your system's security. However, sometimes it is required if you want to execute some script with root privileges automatically (e.g. in cron) from a normal user's account.
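
The settings this FAQ cautions about (timestamp_timeout=-1, NOPASSWD and the ALL alias) can be searched for in an existing sudoers file. The script below is an added example, not part of the original FAQ; the function names and the sample rules are made up for illustration.

```sh
#!/bin/sh
# Constructed sample rules, modelled on the FAQ's johnny/bob/mary examples.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not a real system's sudoers
Cmnd_Alias DISK = /usr/bin/du, /usr/bin/df
Defaults:johnny timestamp_timeout=-1
johnny localhost = DISK
johnny localhost = NOPASSWD: /usr/bin/du
%admin ALL = (ALL) ALL
mary localhost = (bob) /usr/bin/du, NOPASSWD: ALL
EOF
}

# audit_sudoers [FILE]: print "line: reason" for each risky entry.
# Reads stdin when no FILE is given. Aliases are not expanded and
# #include files are not followed, so review those separately.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    /timestamp_timeout[ \t]*=[ \t]*-/ {
        print NR ": negative timestamp_timeout, password is not asked again"
    }
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next } # only user rules from here on
    /NOPASSWD:/ { print NR ": NOPASSWD grant" }
    {
        cmds = substr($0, index($0, "=") + 1)    # text after "user host ="
        gsub(/\([^)]*\)/, "", cmds)              # drop the (run-as) part
        gsub(/[A-Z]+:/, "", cmds)                # drop tags such as NOPASSWD:
        n = split(cmds, item, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", item[i])
            if (item[i] == "ALL")
                print NR ": grants ALL commands (root-equivalent)"
        }
    }' "$@"
}

sample_sudoers | audit_sudoers
```

On a real system, run it as root with the file name as the argument, e.g. audit_sudoers /etc/sudoers.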

6. Other interesting options

6.a. Checking the current sudo permissions:
sudo -l

6.b. Make the sudo password last another 5 minutes:
sudo -v

6.c. Force the password to be forgotten at once:
sudo -k

FINAL REMARK: the # and $ signs shown before the commands should not be typed. They refer to the current session: # means the command requires the root user, and $ means a normal user.

7. Sudo in Ubuntu

Some distributions enable sudo by default. In Ubuntu for instance, sudo is the default way to perform administrative activities. Root account is even disabled by default!

If you want to find out more about sudo, consult the system manuals: man sudoers and man sudo.

Author: largo3