
Linux sudo - Part 1

If you are using Ubuntu, you will already have sudo installed. But if you are on another Linux distribution such as Arch Linux, you need to install it yourself.

After installing it, you need to create an account for yourself. Read about creating, modifying and switching accounts here.

Configure sudo

Sudo's configuration file is /etc/sudoers. You can edit it with vi, but it is advised to edit it with the visudo command.

# visudo

The visudo command opens your sudoers file in the nano editor. You can change that to your preferred editor (I prefer vim) in three ways:

  1. Just once. If you want to use another editor only this time, run

    # EDITOR=vim visudo

  2. At all times. If you want the sudoers file to be opened in the editor of your choice every time, run

    # EDITOR=vim visudo

    and append this line to the top of the file:

    Defaults editor=/usr/bin/vim

  3. System-wide setting. To set your preferred editor as the default editor for your whole system, add the line below to your ~/.bashrc file.

    export EDITOR=vim

Note: Whatever the case, we should still open the file with the visudo command.

Why do you need to use visudo rather than editing /etc/sudoers directly with vi? visudo locks the sudoers file, saves edits to a temporary file, and checks that file's grammar before copying it to /etc/sudoers. It is imperative that sudoers be free of syntax errors, since sudo will not run otherwise.

To give a user or group root privileges, add a line of this form:

USER_NAME ALL=(ALL) ALL

So I added the below line to the sudoers file.

onie ALL=(ALL) NOPASSWD: ALL

NOPASSWD: ALL removes the password requirement every time you sudo. Note that the tag must come before the command list (the final ALL): a tag placed after the command is a syntax error, which visudo will reject.

What does "ALL" mean here? It is a built-in alias, and it can be used in place of any other alias.

What happens when a user who is not listed in the sudoers file tries to run sudo? A mail gets sent. To whom? Mostly to the system administrators, but it is configurable via "Default entries".

How does a user try out sudo without sending a mail? Use the -l or -v option.

[onie@myhost root]$ sudo -v
Password:
[onie@myhost root]$ sudo -l
User onie may run the following commands on this host:
    (ALL) ALL

This allows users to check for themselves whether or not they are allowed to use sudo.

How long does the sudo effect last? Once a user uses sudo, the sudo privilege lasts for 5 minutes (the default). That means you can run other admin commands without entering the password each time. This can be modified using "Default entries".

What does "Defaults env_reset" mean? It resets the terminal environment after switching to root, so all user-set variables are removed. There are many other "Default entries".

Default entries

Certain configuration options may be changed from their default values at runtime via one or more Defaults lines. These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Some of the common overrides are:

For a detailed look at these, check out the Sudoers Manual. There is also a sample sudoers file available: sample.sudoers

A Detailed look at Sudoers file

The sudoers file is composed of two types of entries:

Aliases

There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. Each alias definition is of the form

Alias_Type NAME = item1, item2, ...

where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias or Cmnd_Alias; NAME is the alias name (a string of uppercase letters, numbers and underscores); and item1, item2, ... are the values, which depend on the type of alias you are dealing with. You can put several aliases of the same type on one line by separating them with colons (:), like so:

Alias_Type NAME1 = item1, item2 : NAME2 = item3

The text that follows is taken from the Ubuntu documentation pages.

User Aliases

User aliases are used to specify groups of users. You can specify usernames, system groups (prefixed by a %) and netgroups (prefixed by a +) as follows:

Everybody in the system group “admin” is covered by the alias ADMINS

User_Alias ADMINS = %admin

The users “tom”, “dick”, and “harry” are covered by the USERS alias

User_Alias USERS = tom, dick, harry

The users “tom” and “mary” are in the WEBMASTERS alias

User_Alias WEBMASTERS = tom, mary

You can also use ! to exclude users from an alias

This matches anybody in the USERS alias who isn’t in WEBMASTERS or ADMINS aliases

User_Alias LIMITED_USERS = USERS, !WEBMASTERS, !ADMINS

Runas Aliases

Runas aliases are almost the same as user aliases, but you are also allowed to specify users by uid. This is helpful because usernames and groups are matched as strings, so two users with the same uid but different usernames will not both be matched by entering a single username, but they can be matched with a uid. For example:

UID 0 is normally used for root

Note the hash (#) on the following line indicates a uid, not a comment.

Runas_Alias ROOT = #0

This is for all the admin users, similar to the User_Alias ADMINS set earlier, with the addition of "root"

Runas_Alias ADMINS = %admin, root

Host Aliases

A host alias is a list of hostnames, IP addresses, networks and netgroups (prefixed with a +). If you do not specify a netmask with a network, the netmask of the host's Ethernet interface(s) will be used when matching.

This is all the servers

Host_Alias SERVERS = 192.168.0.1, 192.168.0.2, server1

This is the whole network

Host_Alias NETWORK = 192.168.0.0/255.255.255.0

And this is every machine in the network that is not a server

Host_Alias WORKSTATIONS = NETWORK, !SERVERS

This could have been done in one step with

Host_Alias WORKSTATIONS = 192.168.0.0/255.255.255.0, !SERVERS

but I think this method is clearer.

Command Aliases

Command aliases are lists of commands and directories. You can use them to specify a group of commands. If you specify a directory, it will include any file within that directory but not in any subdirectories.

The special command "sudoedit" allows users to run sudo with the -e flag or as the command sudoedit. If you include command-line arguments in a command in an alias, these must exactly match what the user enters on the command line. If you include any of the following characters, they will need to be escaped with a backslash (\): ",", "\", ":", "=". Examples:

All the shutdown commands

Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /sbin/reboot, /sbin/halt

Printing commands

Cmnd_Alias PRINTING_CMDS = /usr/sbin/lpc, /usr/sbin/lprm

Admin commands

Cmnd_Alias ADMIN_CMDS = /usr/sbin/passwd, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/visudo

Web commands

Cmnd_Alias WEB_CMDS = /etc/init.d/apache2

User Specifications

User specifications are where the sudoers file sets who can run what as whom. They are the key part of the file, and all the aliases have been set up for this very purpose.

A user specification is in the format

<user list> <host list> = (<operator list>) <tag list> <command list>

user list - a user name or user alias for whom a security restriction/privilege is going to be set.
host list - a list of hosts/machines or a host alias on which the security restriction/privilege is going to be set.
operator list - a list of users they must be running as, or a runas alias.
command list - a list of commands or a command alias they are permitted to run.
tag list - lets you set special flags for each command. There are two common flags: PASSWD and NOPASSWD, which specify whether the user has to enter a password or not, and NOEXEC, which prevents programs from launching shells themselves.

For example (using the aliases and users from earlier)

This lets the webmasters run all the web commands on the machine "webserver", provided they give a password

WEBMASTERS webserver= WEB_CMDS

This lets the admins run all the admin commands on the servers

ADMINS SERVERS= ADMIN_CMDS

This lets all the USERS run admin commands on the workstations, provided they give the root password or an admin password (using "sudo -u")

USERS WORKSTATIONS=(ADMINS) ADMIN_CMDS

This lets “harry” shutdown his own machine without a password

harry harrys-machine= NOPASSWD: SHUTDOWN_CMDS

And this lets everybody print without requiring a password

ALL ALL=(ALL) NOPASSWD: PRINTING_CMDS
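The alias rules and user specifications above, and the NOPASSWD rule added earlier in the post, can be checked mechanically. What follows is an added example, not code from this post, from the Ubuntu documentation or from the sudo project: a small Python evaluator for the subset of sudoers syntax described here (the four alias kinds, "!" exclusions, a parenthesised runas list, PASSWD/NOPASSWD tags, directory and exact-command matching, and sudo's "last matching entry wins" rule). The function names, the SAMPLE text and the users and hosts in the queries are all constructed for the example; netgroups, wildcards and Defaults lines are assumed to be absent.

```python
"""Evaluator for the sudoers subset on this page: alias definitions, '!' exclusions
and user specs of the form 'user_list host_list = (runas_list) TAG: command_list'.
Added example, not the page's, Ubuntu's or sudo's code; netgroups, wildcards and Defaults are not modelled."""
import ipaddress
import re

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
TAGS = ("PASSWD", "NOPASSWD", "EXEC", "NOEXEC")

def _split(items):
    return [i.strip() for i in items.split(",") if i.strip()]

def parse_spec(line):
    """Parse one user specification; reject a tag that follows a command."""
    left, _, right = line.partition("=")
    users, hosts = left.rsplit(None, 1)          # user list, then host list
    m = re.match(r"\s*\(([^)]*)\)(.*)", right)   # optional (runas_list)
    runas, right = (_split(m.group(1)), m.group(2)) if m else (["root"], right)
    tags = []                                    # tags come first, each ends in ':'
    while (m := re.match(r"\s*([A-Z]+):(.*)", right)) and m.group(1) in TAGS:
        tags.append(m.group(1))
        right = m.group(2)
    cmds = _split(right)                         # '(ALL)ALL NOPASSWD: ALL' leaves a tag in here
    if any(tok.rstrip(":") in TAGS for cmd in cmds for tok in cmd.split()):
        raise ValueError("tag must precede the command list: " + line)
    return {"User_Alias": _split(users), "Host_Alias": _split(hosts),
            "Runas_Alias": runas, "Cmnd_Alias": cmds, "tags": tags}

def parse_sudoers(text):
    """Return (aliases, specs); aliases[kind][NAME] is that alias's item list."""
    aliases, specs = {kind: {} for kind in ALIAS_KINDS}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(("#", "Defaults")):
            continue
        kind = line.split(None, 1)[0]
        if kind not in ALIAS_KINDS:
            specs.append(parse_spec(line))
            continue
        for definition in line[len(kind):].split(":"):   # NAME1 = a, b : NAME2 = c
            name, _, items = definition.partition("=")
            aliases[kind][name.strip()] = _split(items)
    return aliases, specs

def item_matches(kind, item, value):
    """Match one non-alias item of the given kind against the query value."""
    if item == "ALL":                            # the built-in alias matches anything
        return True
    if kind == "User_Alias":                     # value = (name, groups); '%g' is a group
        return item[1:] in value[1] if item.startswith("%") else item == value[0]
    if kind == "Runas_Alias":                    # value = (name, uid); '#N' is a uid
        return int(item[1:]) == value[1] if item.startswith("#") else item == value[0]
    if kind == "Cmnd_Alias":                     # value = the command line the user typed
        path = value.split()[0]
        if item.endswith("/"):                   # directory: its files, not subdirectories
            return path.rsplit("/", 1)[0] + "/" == item
        return path == item if " " not in item else value == item  # bare command: any args
    try:                                         # Host_Alias: hostname, IP address or network
        return item == value or ipaddress.ip_address(value) in ipaddress.ip_network(item, strict=False)
    except ValueError:
        return False

def list_matches(aliases, kind, items, value):
    """Evaluate a list as sudo does: the last matching item decides, a leading '!'
    inverts it and alias names expand recursively.  None means nothing matched."""
    result = None
    for item in items:
        name = item.lstrip("!")
        if name in aliases[kind]:
            rc = list_matches(aliases, kind, aliases[kind][name], value)
        else:
            rc = True if item_matches(kind, name, value) else None
        if rc is not None:
            result = (not rc) if item.startswith("!") else rc
    return result

def check(aliases, specs, user, host, cmd, groups=(), runas=("root", 0)):
    """None if sudo would refuse, else {'nopasswd': bool} taken from the last
    matching specification (later entries override earlier ones, as in sudo)."""
    query = {"User_Alias": (user, groups), "Host_Alias": host,
             "Runas_Alias": runas, "Cmnd_Alias": cmd}
    verdict = None
    for spec in specs:
        rc = [list_matches(aliases, k, spec[k], query[k]) for k in ALIAS_KINDS]
        if rc[0] and rc[1] and rc[2] and rc[3] is not None:   # user, runas and host must match
            verdict = {"nopasswd": "NOPASSWD" in spec["tags"]} if rc[3] else None
    return verdict

# Constructed sample built from the aliases and user specifications shown on this page.
SAMPLE = """\
User_Alias ADMINS = %admin
User_Alias USERS = tom, dick, harry
User_Alias WEBMASTERS = tom, mary
User_Alias LIMITED_USERS = USERS, !WEBMASTERS, !ADMINS
Runas_Alias ADMINS = %admin, root
Host_Alias SERVERS = 192.168.0.1, 192.168.0.2, server1
Host_Alias NETWORK = 192.168.0.0/255.255.255.0
Host_Alias WORKSTATIONS = NETWORK, !SERVERS
Cmnd_Alias PRINTING_CMDS = /usr/sbin/lpc, /usr/sbin/lprm
Cmnd_Alias ADMIN_CMDS = /usr/sbin/passwd, /usr/sbin/useradd, /usr/sbin/visudo
ADMINS SERVERS= ADMIN_CMDS
USERS WORKSTATIONS=(ADMINS) ADMIN_CMDS
ALL ALL=(ALL) NOPASSWD: PRINTING_CMDS
"""
```

With the sample loaded via parse_sudoers(SAMPLE), check(aliases, specs, "tom", "192.168.0.50", "/usr/sbin/useradd") returns a match that still requires a password, the same query from 192.168.0.1 returns None because WORKSTATIONS excludes SERVERS, and parse_spec rejects "onie ALL=(ALL)ALL NOPASSWD: ALL" because the tag follows the command. For a real file the authoritative check is still visudo -c -f FILE before the file is installed.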

There is a sample sudoers file available: sample.sudoers