This guide will explain what the sudo command is, how to use it in Linux, and how to edit its configuration file.
Ubuntu Linux users may be familiar with using the “sudo” command in Linux. It’s a very useful feature in Linux that allows the administrator of a Linux machine to grant “root” privileges to a particular user or group of users. It can also be configured so that this privilege is limited to one or more commands. The Ubuntu team, for example, have decided to block the root user from logging in by default and instead allow users to use sudo to perform administrative tasks. So if you are using Ubuntu Linux, sudo privileges have been setup so that you have full “root” privileges. Let’s take a closer look at setting up and configuring sudo privileges on your machine. Before proceeding please note that you should not try the following on a production server. Please try out the examples in this tutorial on a test machine and get familiar with sudo before you try it out on a production server. sudo is a very powerful tool and must be used with extreme caution.
To my knowledge the “sudo” package ships with all Linux distributions. So I’ll skip the installation and jump straight to the configuration. For this tutorial I will use a Red Hat Linux machine. Log into your Linux machine as root and run the following command on the command line:
# visudo
The above command will open the “sudo” configuration, which is at /etc/sudoers, using the default editor on your machine, which is Vim on mine. Scroll down to the section where you see the following text:
root ALL=(ALL) ALL
The breakup of this sudo configuration syntax goes like this. You first define the ‘user’ for which you want to setup sudo. Then comes the ‘hostname’ where the command is allowed to run. This could be one specific hostname or “ALL” as in the example above. And last is the ‘command’ for which you want to give the ‘user’ administrative privilege.
Back to the configuration. In Vim scroll down to the line shown above and hit the letter o on your keyboard to add a new line. Now add the following text, replacing calvin with your own username:
calvin ALL=(ALL) ALL
Save and exit the file using the following key combination:
ESC :wq
Hit the Return (enter) key to apply these instructions. We have now given the user ‘calvin’ all administrative privileges using sudo. Open a new terminal window and log in as the user that you granted sudo privileges to. Let’s test whether the new permissions have been setup correctly by restarting the Apache web server as user ‘calvin’:
# sudo /etc/init.d/httpd restart
Password:
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
The system will now prompt you for a password. Enter the password for your username. And voila! The Apache web server should now restart. You can use this for any other administrative task. Granting complete privileges to a user may not always be the best of ideas. So you can limit the user to a few command with administrative privileges. Let’s say you want the user ‘calvin’ to be allowed to only restart the Apache web server. Open the sudo configuration file using the visudo command and edit the line you entered earlier to look like this:
calvin ALL=(ALL) /etc/init.d/httpd restart
Save and exit the file. Log into the terminal as the user ‘calvin’. Now try restarting Apache with sudo:
# sudo /etc/init.d/httpd restart
Password:
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Great. It works. Now try stopping the web server:
# sudo /etc/init.d/httpd stop
Password:
Sorry, user calvin is not allowed to execute ‘/etc/init.d/httpd stop’ as root on commons.
So as you can see, the user ‘calvin’ can only do what we allow him to do, nothing more. You can add multiple commands in the sudoers file separated by commas. So if you want to allow ‘calvin’ the permission to stop and restart the web server your configuration would read like this:
calvin ALL=(ALL) /etc/init.d/httpd restart,/etc/init.d/httpd stop
Now try stopping the web server, and it should work:
# sudo /etc/init.d/httpd stop
Password:
Stopping httpd: [ OK ]
Another feature of sudo that is pretty useful, particularly if you need to perform an administrative task using a shell script, is setting the sudo privilege without being prompted for a password. Remember that it may not be advisable to do this on a production machine using a username that is shared, because if the password for your username falls into the wrong hands it can spell trouble. So use this feature with caution.
Open the sudoers file and edit the line you entered earlier to look like this:
calvin ALL=(ALL) /etc/init.d/httpd restart NOPASSWD: ALL
The last part of the configuration instructs sudo to not prompt for or expect a password, and allow the user to execute the command that is assigned to it with administrative privileges. Save the file and exit from your text editor and try restart Apache:
# sudo /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
There is a lot more customization that can be done to the sudo configuration file. We have just looked at a small segment of it. However, this ought to give you a start. Again, please use it with caution.