Saturday, 24 February 2007, michuk
Sudo is a simple program which allows the administrator to give regular users extra permissions to execute commands they would normally not be allowed to use. Thanks to sudo, we can execute commands that are usually restricted to the root account. In practice, it looks like this: instead of typing su -> password -> command, you type sudo command. In order to use sudo you need to configure it properly. This FAQ is supposed to help you with this task.
Pic.1 Sudo make me a sandwich by xkcd
- How to download and install sudo?
- How to configure sudo?
- How to use sudo?
- What are the aliases?
- What about sudo passwords?
- Additional options
- Sudo in Ubuntu
1. How to download and install sudo?
The source code of sudo can be downloaded from the sudo homepage. However, sudo is a very popular administrative tool and it is usually available by default in most of the popular Linux distributions. If you don’t have sudo installed, before installing from sources make sure it is not available in your distribution repository.
2. How to configure sudo?
The sudo configuration file is /etc/sudoers. We should never edit this file manually. Instead, use the
This protects from conflicts (when two admins edit this file at the same time) and guarantees that the right syntax is used (the permission bits are correct). The program uses the Vi text editor (or your preferred text editor set in the EDITOR system variable), so you need to know its basics in order to use it.
2.a. The syntax of
The basic syntax of the /etc/sudoers file looks like this:
user computer = command
In short, it means that the user logged into computer can run the command with administrative privileges. Here is an example:
johnny localhost = /usr/bin/du
This means that johnny will be able to use the du (disk usage) command on localhost (the current computer).
Warning: if the computer name has been changed, the real name (not localhost) needs to be entered.
2.b. Granting users of group XXX the right to execute the command
%XXX localhost = /the/path/to/command/YYY
2.c. Allowing many commands in one rule:
johnny localhost = /usr/bin/du, /usr/bin/nail, /usr/bin/sane
3. How to use sudo?
Running $ sudo du -h produces the following output (provided sudo is configured):
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password: (enter your password, not root's password)
sudo does not change the $PATH system variable. In order to use a program that is not on your path with sudo you need to enter the whole path, e.g.:
$ sudo /usr/sbin/checkinstall
If you have many users on your machine and those users can log into many different external machines, the prospect of entering all the possible combinations in /etc/sudoers may not be very encouraging. Fortunately, we can use aliases to minimize the typing.
4.a. Aliases in sudo.
Cmnd_Alias COMMAND_ALIAS = command1, command2, ... # command aliases
Host_Alias HOST_ALIAS = hostname1, hostname2, ... # computer aliases
User_Alias USER_ALIAS = user1, user2, ... # user aliases
By default, an alias called ALL is already defined and it is an alias to all possible values (in practice a sudo user with ALL privilege is equivalent to root).
HINT: the alias names should be typed in capital letters, in order to minimize the confusion.
4.b. Executing command as another user (not root).
user computer = (another-user) command(s)
johnny localhost = (bob, mary) /usr/bin/du
Now, with the command sudo -u bob du, du will be run as bob.
When first used, sudo informs us about the need to enter the password (password of current user). The password is remembered for 5 minutes (it is not needed to enter it again upon next
5.a. You can set sudo to never remember passwords.
In order to do this, append the following line in
-1 instead of 0 causes the passwords to be remembered until the next system reboot (not recommended).
5.b. Asking for a password of another user.
It is also possible to set sudo to ask for the password of another user.
Defaults:bob runaspw, passwd_tries=2
sudo always asks for bob's password.
5.c. Passwordless sudo
If you don't want to use passwords in sudo at all, enter the following:
johnny localhost = NOPASSWD: /usr/bin/du
Of course this option should be used with care. It may be a severe danger to your system's security. However, sometimes it is required if you want to execute some script with root privileges automatically (e.g. in cron) from a normal user's account.
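The ALL alias from 4.a, the -1 timeout from 5.a and NOPASSWD from 5.c are the entries worth reviewing regularly. The script below is an added example, not part of the original FAQ: it flags those three in a sudoers file. The sample policy, its user, group and host names are constructed; timestamp_timeout is the sudoers Defaults option that controls how long a password is remembered.

```sh
#!/bin/sh
# Added example, not from the original FAQ: flag risky sudoers entries.
# Assumes one rule per line (no backslash continuations).

# Constructed sample policy using aliases, a runas list and NOPASSWD.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not a real policy
User_Alias ADMINS = johnny, mary
Host_Alias LAN = localhost, fileserver
Cmnd_Alias DISK = /usr/bin/du, /usr/bin/df
Defaults timestamp_timeout=-1
ADMINS LAN = DISK
johnny localhost = NOPASSWD: /usr/bin/du
%wheel ALL = (ALL) ALL
bob localhost = (mary) /usr/bin/du
EOF
}

# Print "line:CODE:rule" for each risky entry; reads files or stdin.
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ { next }                        # comments, blank lines
    /^[ \t]*Defaults/ {                            # cached password never expires
        if ($0 ~ /timestamp_timeout[ \t]*=[ \t]*-/)
            print NR ":TIMESTAMP_NEVER_EXPIRES:" $0
        next
    }
    /^[ \t]*(Cmnd|Host|User|Runas)_Alias/ { next } # definitions grant nothing
    {
        eq = index($0, "=")
        if (eq == 0) next
        cmds = substr($0, eq + 1)                  # command list right of "="
        if (cmds ~ /NOPASSWD[ \t]*:/) print NR ":NOPASSWD:" $0
        gsub(/\([^)]*\)/, "", cmds)                # drop (runas) lists
        gsub(/[A-Z_]+[ \t]*:/, "", cmds)           # drop tags such as NOPASSWD:
        n = split(cmds, c, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", c[i])
            if (c[i] == "ALL") { print NR ":ALL_COMMANDS:" $0; break }
        }
    }' "$@"
}

sample_sudoers | audit_sudoers
```

This is a line-based heuristic for review, not a sudoers parser; syntax is still checked with visudo -c -f FILE.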
6. Other interesting options
6.a. Checking the current
6.b. Make the sudo password last another 5 minutes:
6.c Force the password to be forgotten at once:
FINAL REMARK: the signs # and $ that are found before the commands should not be entered manually. They refer to the current session: # means the command requires the root user, and $ means a normal user.
7. Sudo in Ubuntu
Some distributions enable sudo by default. In Ubuntu for instance, sudo is the default way to perform administrative activities. The root account is even disabled by default!
If you want to find out more about sudo, consult the system manuals: man sudoers and