Linux sudo command for beginners

The Linux Newbie Guide

⇒

Fundamentals

Advanced

Supplement

Command Index

ENG⇒中

sudo

1.0 sudo : Standing on the Shoulders of Giants
visudo : Modify /etc/sudoerss
/etc/sudoers : Configuration File
Alias : Alias Settings
TAG : Tag Settings
sudo : Examples of Usage

ENG⇒中 ENG⇒中

1.0 sudo : Standing on the Shoulders of Giants

Sometimes, system administrators are overwhelmed with too many tasks and unable to handle everything on their own. Some of these tasks can actually be delegated to others, such as account management, which can be handled by HR personnel. While a simple command like "su" can allow the delegated person to become a superuser and perform tasks, the main problem with su is that it requires sharing the superuser's password with the delegate, potentially posing security risks.

Is there a way for the delegate to execute specific necessary tasks and elevate their privileges to the highest level, like "root," but without going completely unchecked? Yes, there is a tool called "sudo" (superuser do) command that fulfills this purpose.

System administrators can use sudo to release some of their privileges to delegates, who are called "sudoers." The main advantages of using sudo over su are:

No need to share the superuser's password with the delegate.
Appropriate delegation of specific privileges to the delegate.
Control over the number of delegates.
Control over which commands can be executed on specific hosts.
Each action taken by a delegate (sudoer) is logged in "/var/log/sudo.log,"[Notge] allowing system administrators to track their activities when necessary.

In summary, sudo allows delegates to perform tasks that would normally require superuser privileges without having to know the superuser's password. It prevents delegates from becoming too powerful and making unauthorized changes to the system, such as altering the "root" account password or causing accidental chaos.

By default, regular user accounts (excluding "root") cannot use sudo because the system cannot predict whom the system administrator wants to delegate authority to and how much authority should be released. To use sudo, the system administrator needs to edit the "sudoers" list in "/etc/sudoers" before users can become "sudoers" and utilize the command.

visudo : Modify /etc/sudoers
The command visudo is used to open and edit the sudoers file ("/etc/sudoers") using the vi text editor. However, it includes an additional feature that checks the basic syntax, making it less prone to errors. Incorrect syntax can cause the sudo command to become ineffective, so it is recommended to use visudo for editing "/etc/sudoers." Only Superuser users can execute visudo.。

/etc/sudoers - Configuration File
The sudoers configuration file, "/etc/sudoers," can be simple or complex, but fortunately, most applications do not require complexity. Additionally, the file already contains many sample examples that can be referred to in order to avoid mistakes.

In "/etc/sudoers," lines starting with "#" are mostly comments and are not interpreted by sudo. Therefore, many sample lines are temporarily commented with "#" to be used as references and can be modified by removing the "#" to apply them.

The basic format of "/etc/sudoers" is "user host=[(Account to Delegate)] [TAG:] command_to_execute." The "[ ]" brackets denote optional elements. If the "privileged_user" field is omitted, the default user is set to root.

For example, after logging in as the Superuser and executing visudo to edit "/etc/sudoers," you can search for the following text:

root	ALL	=	(ALL)	ALL
↑	↑		↑	↑
Account	Host		(Account to Delegate)	Executable Commands

n the above example, it indicates that the "root" user can delegate authority to any user, execute any command, on any host. (ALL indicates that any condition applies)

Since the "root" account already has full power, sudo authorizations are already fully enabled for it. However, we can add another line following the same pattern:

root	ALL	=	(ALL)	ALL
aaa	ALL	=	(ALL)	ALL ←Added line following the same pattern
↑	↑		↑	↑
Account	Host		(Account to Delegate)	Executable Commands

n this example, it allows the "aaa" user to execute any command authorized by any user on any host, including remote logins.

However, granting "aaa" the ability to execute any command is very dangerous. In practice, it's more common to restrict the scope of executable commands. Here's a practical example:

aaa	ALL	=	(root)	/sbin/shutdown
↑	↑		↑	↑
Account	Host		(Account to Delegate)	Executable Commands

In this case, it allows the "aaa" user to execute the "shutdown" command, but only when authorized by the "root" user.

Next, you can test whether "aaa" can execute a command typically restricted to the Superuser by using sudo:

Example: (Testing the ability to execute "root"-restricted "shutdown" using sudo while logged in as "aaa")

$ sudo /sbin/shutdown -k now ←If the command is not in the user's "$PATH," enter the full path
Passwd: ←Enter the password for the "aaa" user, not the "root" password!

Broadcast message from root (tty1) (The Oct 8 12:45 2016): ←Initiating shutdown

The example above is common since many systems do not allow regular users to issue shutdown commands, and only the Superuser can do so. Other commands like reboot and poweroff might have their permissions removed or modified.

For instance, if the "aaa" user is always the last to leave the company, the system administrator can make the modification as shown above to allow the "aaa" user to execute the shutdown command via sudo at the end of the day to save energy and reduce carbon footprint.

Additionally, in "/etc/sudoers," the user field can also be a group, but the group name should start with "%" For example:

%wheel ALL=(root) /sbin/shutdown

In cases where executing commands via sudo requires entering the user's password, which can be inconvenient [note1A], you can include "NOPASSWD:" in the [TAG:] section (TAG must be uppercase and end with a colon) as follows:

aaa ALL=(root) NOPASSWD: /sbin/shutdown ←Adding NOPASSWD: to the TAG section

After this modification, the "aaa" user will no longer be required to enter their password when executing commands via sudo in the future.

^ back on top ^

Alias : Alias Settings
In the previous examples, if another user "bbb" also frequently stays late and requires permission to execute shutdown or halt for shutting down the system, do we need to write a separate entry in "/etc/sudoers" for each different user? You can simply add the account "bbb" and the halt command separated by commas in the "/etc/sudoers" file, as shown below:

aaa,bbb	ALL	=	(root)	/sbin/shutdown, /sbin/halt
↑	↑		↑	↑
Account	Host		(Account to Delegate)	Executable Commands

However, when there are many sudoer accounts, and each account is allowed to execute different commands, the approach of using commas to separate them directly in the "/etc/sudoers" file may become less organized. Using the "Alias" setting is more convenient in such situations.

Since the basic format of "/etc/sudoers" is "user host=[(Account to Delegate)] command_to_execute," each column can be assigned an alias, resulting in four Alias Type,( User_Alias, Host_Alias,Runas_Alias, and Cmnd_Alias). Applying the previous example with aliases, it looks like this:

Account	Host		(Account to Delegate)	Executable Commands
aaa,bbb	ALL	=	(root)	/sbin/shutdown, /sbin/halt
↑	↑		↑	↑
User_Alias	Host_Alias		Runas_Alias	Cmnd_Alias

The syntax for setting aliases is: "Alias_Type NAME = item1, item2, ..."
where "Alias_Type" can be one of the following four types: User_Alias, Runas_Alias, Host_Alias, or Cmnd_Alias.

Let's take an example using "User Alias." Suppose we have the following alias declaration: "User Alias ACC = john, candy, lily." This means that the user alias "ACC" is equal to the user accounts "john," "candy," and "lily."

It's important to note that the "NAME" used for the alias (e.g., "ACC" in the example) must be in uppercase. If you want to add or remove user accounts from the "ACC" alias, you can simply modify this line.

Here are the detailed usages of the four Alias Types:

User_Alias
"User_Alias" is used to set aliases for users or groups. If you are defining an alias for a group, you must prefix the group name with a "%".

Here's a simple example using "User_Alias" in the "/etc/sudoers" file to allow the user accounts "aaa" and "bbb" to execute the shutdown command for shutting down the system:

User_Alias TURN_OFF = aaa,bbb ←"TURN_OFF" alias includes users "aaa" and "bbb"
TURN_OFF ALL=(root) /sbin/shutdown

In the previous example, a "User_Alias" named "TURN_OFF" was defined, including the users "aaa" and "bbb." To add or remove users who are allowed to execute the shutdown command, you only need to modify the "User_Alias" line.

Here is a more complex example using "User_Alias" with examplep:

# Starting with "#" denotes comments, although not interpreted by sudo, adding comments is recommended for future maintenance

User_Alias ADMI = %wheel
# ↑ "ADMI" alias includes "wheel" group

User_Alias PRINT = ken,emma,cherry
# ↑ "PRINT" alias includes users "ken," "emma," and "cherry"

# "!" at the beginning of an item excludes members from the alias
User_Alias PT = USER, PRINT, !ken, !ADMI
# ↑ "PT" alias includes users from both "USER" and "PRINT" aliases, but excludes users "ken" and members of "ADMI" alias

Continuing from the previous example using "User_Alias: to replace account names:

User_Alias ADMI = %wheel
User_Alias PRINT = ken,emma,cherry
User_Alias PT = USER, PRINT, !ken, !ADMI

ADMI    ALL=(root)   /usr/sbin/useradd, /user/sbin/userdel
PRINT     ALL=(ALL)     /usr/sbin/lpc,   /usr/sbin/lprm
PT        xxx=(xxx) NOPASSWD: xxx ←"xxx" to be defined by the user

Traditional Unix systems set the "wheel," "adm," and other groups as supplementary groups for system administrators. This is done to avoid logging in as "root" for regular operations, which enhances security through the use of groups.

For example, if you carefully observe the file "/etc/group," Fedora systems come with many examples of groups such as "wheel" and "adm" commented out with a "#" at the beginning. Removing the "#" and modifying the content allows you to easily apply these settings.

Host_Alias
"Host_Alias" is primarily used to set aliases for hostnames, IP addresses, or networks.

Example::(Host_Alias)

Host_Alias LAN = 192.168.0.0/255.255.255.0
#↑This is for all of network

Host_Alias SERVERS = master, mail, www
Host_Alias RD_DEP = net_sw, net_hw, !SERVERS

ADMI LAN=(root) /sbin/ip

Runas_Alias
"Runas_Alias" is used to set aliases for the privileged user (the user to whom authority is delegated, which does not necessarily have to be "root"). The account name can also accept "#" followed by the UID number.

Example:(Host_Alias)

Runas_Alias PT = #505, austin, jam, !WHEEL_GRP
Runas_Alias ADMIN = #0 ← "uid"=0, i.e., root

%wheel ALL=(ADMIN) ALL ←Example using "Runas_Alias" to replace the privileged user.

Cmnd_Alias
Cmnd_Alias is used to set aliases for commands and requires specifying the full path.

Example:(Cmnd_Alias)

Cmnd_Alias SHUTDOWN_CMD = /sbin/shutdown, /sbin/halt
Cmnd_Alias ACC_CMD = /usr/sbin/useradd, /usr/sbin/passwd, /usr/sbin/visudo

aaa ALL=(root) SHUTDOWN_CMD ←Example using command alias to replace commands

TAG : Tag Settings
The "TAG" label settings in "/etc/sudoers" primarily provide additional functionality. The label must be in uppercase, and its end is indicated by ":".

Commonly used TAGs are as follows:

NOPASSWD
This indicates that when executing commands through sudo, the user doesn't need to enter their password.
NOEEXEC
The "NOEXEC" label means that the executed command cannot make system calls to other programs. For example, executing shutdown using sudo will fail because the shutdown command requires system calls to init or other programs like tar (for handling tarball files) which may further require system calls to compression/decompression programs like bz2.
NOSETENV
This prevents the retention of the current user's environment variables. When conflicting with the "-E" option, which preserves the current user's environment variables, the "-E" option becomes ineffec

Example:(〝NOPASSWD〞of TAG)

aaa ALL=(root) NOPASSWD: /sbin/shutdown, /sbin/init
#↑The user "aaa" can execute the "shutdown" command without entering a password

Example:(〝NOPASSWD & NOEXEC〞of TAG)

aaa ALL=(root) NOPASSWD: NOEXEC: /sbin/shutdown, /sbin/init
#↑ Multiple tags can be used together like this

^ back on top ^

sudo : Examples of Usage
Usage examples of the sudo command are much simpler compared to its configuration file "/etc/sudoers". The usage is as follows:

Syntax:sudo [-otpiton][--option] [USER_NAME][COMMAND]
Command name/Function/Command user	Ooptions	Function
sudo/ superuser do/ Any	-b	Run the command in the background
	-E	Preserve the current user's environment variables
	-H	Set the HOME environment variable to the new identity's HOME
	-k	Require entering the user's password again when running sudo
	-l	List the delegated commands (lowercase L)
	-p [%u][%h][%H]	Change the password prompt. Options include: %u: Prompt with the username. %h: Prompt with the hostname. %H: Prompt with the hostname + domain name
	-u [username]	xecute the command as the specified user (default is root). sudo -v # Extend the password expiration period by 5 minutes
	-v	Extend the password expiration period by 5 minutes
	-V	Display version information
	--help	Display the command's built-in help

Example:

$ sudo -l ←To see which commands you can run with sudo
User aaa may run the following commands on this hust:
(root) /sbin/shutdown /sbin/halt
$ sudo -u lee cp fileA fileB ←To copy fileA to fileB with "lee" as the owner

Other less commonly used usages are as follows:

Example:

$ sudo -k ←Next time you run sudo, you'll need to enter the password
$ sudo -p %u /sbin/shutdown -k now ←Use the username as the password prompt
$ sudo -H -u smith ←Set HOME environment variable to "smith"'s HOME
$ sudo cd /root ←Trying to use sudo with "cd" command
sudo: cd: command not found ←sudo doesn't support shell built-in commands (like "cd")

The last example illustrates that sudo does not support executing shell built-in commands (you can use the type command to check if a command is a shell built-in). For example, trying to use sudo cd to secretly enter "/root" or any other directory will not work.

In addition, the "/etc/sudoers" file is configured as follows:

kevin SERVERS=(root) ALL

In this example, granting the user "kevin" authorization to use ALL commands is highly dangerous because if this user runs sudo su or sudo /bin/bash, they will immediately acquire superuser privileges.

^ back on top ^

[note]: If Fedora does not generate the log file "/var/log/sudo.log", please add the following settings in "/etc/sudoers":

# Defaults specification
Defaults syslog=auth
Defaults log_year, logfile=/var/log/sudo.log

[note1A]:The default is to operate sudo within 5 minutes without entering the password.