Linux sudo command explained

Any command that requires root privileges, which in general means any command that changes the system, needs access either to the root account or to sudo. sudo can be used in place of root: it allows particular users to run specified commands as the root user without needing the root password. One benefit of using sudo is that it lets you forgo the root account entirely. Once sudo is set up, the root account can be locked, because technically it is no longer needed.

  1. The sudo package is not installed on every system, but Ubuntu, for example, installs it as part of the defaults. To confirm that sudo is installed, run the command:

     which sudo
    

    💡
    If Ubuntu is installed manually, then the root account is locked by default.
  2. Find out what the sudo group is called on your distribution. Usually it is named either sudo or wheel. Look at the /etc/sudoers file:

     sudo cat /etc/sudoers
    

    On Ubuntu 20.04, the group name is "sudo".

  3. To find out which groups the currently logged-in user belongs to, run the command:

     groups username
    
  4. If your user is not yet a member of the sudo group, add it to that group with the command below (the new membership takes effect at the user's next login):

     sudo usermod -aG sudo username
    
  5. To list the sudo privileges of the invoking user, that is, which commands the current user is allowed to run under sudo and as which users, run:

     sudo -l
    

    💡
    It's common for Vagrant boxes (the package format for Vagrant environments) to come pre-configured with the vagrant user having passwordless sudo access. This is intended to make development and testing easier, as it removes the need to constantly enter passwords when configuring the VM.
  6. To safely edit the sudoers file, use the command:

     sudo visudo
    

    This command opens the file in the system's default editor, set by the EDITOR environment variable. After editing, when you exit visudo, it automatically checks the syntax. If there are no errors, the changes are saved; if there are errors, it gives you the option to fix them or abandon your changes.

  7. To restrict a user to one specific command, open the sudoers file and edit that user's line, replacing ALL in the command position with the full path of that command.

    The full path to the command can be found with the which command.

  8. When visudo detects a syntax error upon attempting to save and exit the sudoers file, it typically presents a prompt asking what you want to do next.

    There are three possible options:

    • e: to edit the sudoers file again and fix the error.

    • x: to exit without saving the changes (on some systems, this might be a different letter or option).

    • q: to quit and save changes despite the error, which is not recommended because it can leave your system in an unusable state as far as sudo is concerned.
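As an added example (not part of the original article), the membership check from steps 2 to 4 done in Python over the text of /etc/passwd and /etc/group, so it runs offline on the constructed sample data embedded below: it reports every user who can reach sudo through the sudo or wheel group, including users whose primary group is the sudo group, which the member field of /etc/group does not show even though the groups command does. The sample accounts and GIDs are made up; on a real host, read the two files into the same functions.

```python
"""Audit which users can reach sudo through group membership.

Added example for this page, not code from the sudo project. It works on
the text of /etc/passwd and /etc/group so it can run on the constructed
samples below; feed it the real files to audit a host.
"""
SUDO_GROUPS = ("sudo", "wheel")   # Debian/Ubuntu use sudo, RHEL/Fedora use wheel


def parse_passwd(text):
    """Map user name -> primary GID from passwd-format lines."""
    primary = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _uid, gid, *_rest = line.split(":")
        primary[name] = int(gid)
    return primary


def parse_group(text):
    """Map group name -> (gid, set of listed members) from group-format lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def sudo_capable_users(passwd_text, group_text):
    """Return {user: group} for every user in a sudo-capable group.

    Counts both the member list of the group and users whose primary GID
    is that group, which a plain grep of /etc/group would miss.
    """
    primary = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    found = {}
    for gname in SUDO_GROUPS:
        if gname not in groups:
            continue
        gid, members = groups[gname]
        for user in members:
            found.setdefault(user, gname)
        for user, pgid in primary.items():
            if pgid == gid:
                found.setdefault(user, gname)
    return found


# Constructed sample data (invented accounts, not from a real host).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:27:Carol:/home/carol:/bin/bash
"""
GROUP_SAMPLE = """\
root:x:0:
sudo:x:27:alice
wheel:x:10:
alice:x:1000:
bob:x:1001:
"""

if __name__ == "__main__":
    # carol appears because her primary group is sudo (GID 27); bob does not.
    for user, grp in sorted(sudo_capable_users(PASSWD_SAMPLE, GROUP_SAMPLE).items()):
        print(f"{user}: member of {grp}")
```

Running it on the sample lists alice (listed as a member) and carol (primary group 27), while bob, who is in neither, is absent.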

The syntax format of sudoers file

The syntax format used in the sudoers file is quite flexible and allows for specifying a wide range of permissions for different users and groups. Here's a breakdown of the general syntax and some examples to illustrate how permissions can be defined:

General Syntax

The general syntax for a rule in the sudoers file is:

     User_Alias HOST_Alias = (Runas_Alias:Runas_Group) COMMAND_Alias

  • User_Alias: Specifies one or more users or a group of users. Aliases are defined elsewhere in the sudoers file.

  • HOST_Alias: Specifies one or more hosts. Like user aliases, host aliases are defined elsewhere in the sudoers file.

  • (Runas_Alias:Runas_Group): Specifies the user and/or group as whom the commands can be run. The user and group can be specified directly or through aliases.

  • COMMAND_Alias: Specifies one or more commands that can be executed. Command aliases are defined elsewhere in the sudoers file.

Examples

  1. Specific User on Any Host for Specific Commands:

     john ALL=(ALL) /bin/ls, /usr/bin/grep
    

    This allows the user john to run /bin/ls and /usr/bin/grep as any user on any host.

  2. Group of Users for Any Command as Specific User:

     %admin ALL=(www-data) ALL
    

    This rule allows any user in the admin group to run any command as the www-data user on any host.

  3. Alias Example:

    • Define Aliases:

        User_Alias ADMINS = john, jane
        Cmnd_Alias WEB_SERVICES = /etc/init.d/apache2, /etc/init.d/nginx
      
    • Use Aliases in Rule:

        ADMINS ALL=(ALL) WEB_SERVICES
      

    This setup allows users john and jane to run commands to start or stop apache2 and nginx services as any user on any host.

  4. Command with No Password:

     alice ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
    

    This rule allows the user alice to run the command /usr/bin/apt-get update as any user without being prompted for a password.

  5. Denying Commands:

     jeff ALL=(ALL) ALL, !/usr/bin/su
    

    This allows jeff to run any command except /usr/bin/su as any user on any host. Note that the exclusion matches only the exact path listed, and the sudoers manual cautions against relying on ! exclusions from ALL as a security boundary; prefer listing the permitted commands explicitly, as in the earlier examples.
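To make the matching rules from the General Syntax section and the examples above concrete, here is an added Python model of how sudo evaluates a rule, written for this page and not taken from the sudo project. It parses User_Alias and Cmnd_Alias definitions, user and %group entries, the host, the optional (runas_user:runas_group) part, the NOPASSWD: tag and ! exclusions, then answers whether a given user may run a given command and whether a password is required. It covers only the subset of the syntax shown on the page and compares commands as exact strings; the sudoers text it parses is assembled from the page's own example rules. Use visudo and sudo -l on a real host; this model is for understanding the rules, not for enforcing them.

```python
"""Teaching model of sudoers rule matching.

Added example for this page, not code from the sudo project. It handles only
the subset of the syntax shown above: User_Alias / Cmnd_Alias definitions,
user and %group entries, a host, an optional (runas_user:runas_group),
the NOPASSWD: tag, ALL, comma-separated command lists and '!' exclusions.
Commands are compared as exact strings (real sudo also canonicalises paths
and matches arguments). Use visudo and 'sudo -l' on a real host.
"""
import re
from dataclasses import dataclass

ALIAS_RE = re.compile(r"(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)")
RULE_RE = re.compile(
    r"(\S+)\s+([^\s=]+)\s*=\s*"            # who  host =
    r"(?:\(([^:)]+)(?::([^)]+))?\)\s*)?"   # optional (runas_user:runas_group)
    r"(?:(NOPASSWD):\s*)?"                 # optional tag
    r"(.+)"                                # command list
)


@dataclass
class Rule:
    users: list        # user names and %group names after alias expansion
    host: str
    runas_user: str
    nopasswd: bool
    allow: list        # permitted commands (exact path, or ALL)
    deny: list         # commands excluded with '!'


def _split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_sudoers(text):
    """Parse sudoers text into a list of Rule objects, expanding aliases."""
    user_aliases, cmnd_aliases, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        alias = ALIAS_RE.match(line)
        if alias:
            kind, name, members = alias.groups()
            (user_aliases if kind == "User_Alias" else cmnd_aliases)[name] = _split_list(members)
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse sudoers line: {raw!r}")
        who, host, runas_user, _runas_group, tag, cmds = m.groups()
        allow, deny = [], []
        for item in _split_list(cmds):
            negated = item.startswith("!")
            name = item.lstrip("!")
            for cmd in cmnd_aliases.get(name, [name]):
                (deny if negated else allow).append(cmd)
        rules.append(Rule(user_aliases.get(who, [who]), host,
                          runas_user or "root", tag == "NOPASSWD", allow, deny))
    return rules


def _user_matches(rule, user, groups):
    return any(u == user or (u.startswith("%") and u[1:] in groups) for u in rule.users)


def may_run(rules, user, groups, command, runas="root", host="ALL"):
    """Return (allowed, nopasswd) for user running command as runas on host.

    Later rules override earlier ones, and within a rule an explicit '!'
    exclusion overrides ALL, which is how the 'ALL, !/usr/bin/su' example
    on the page behaves.
    """
    verdict = (False, False)
    for rule in rules:
        if rule.host not in ("ALL", host) or not _user_matches(rule, user, groups):
            continue
        if rule.runas_user not in ("ALL", runas):
            continue
        if command in rule.deny:
            verdict = (False, False)
        elif "ALL" in rule.allow or command in rule.allow:
            verdict = (True, rule.nopasswd)
    return verdict


# Constructed sudoers text assembled from the example rules on this page.
SUDOERS_SAMPLE = """\
# Aliases
User_Alias ADMINS = john, jane
Cmnd_Alias WEB_SERVICES = /etc/init.d/apache2, /etc/init.d/nginx

root   ALL=(ALL:ALL) ALL
john   ALL=(ALL) /bin/ls, /usr/bin/grep
%admin ALL=(www-data) ALL
ADMINS ALL=(ALL) WEB_SERVICES
alice  ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
jeff   ALL=(ALL) ALL, !/usr/bin/su
"""

if __name__ == "__main__":
    rules = parse_sudoers(SUDOERS_SAMPLE)
    for user, groups, cmd, runas in [("john", [], "/bin/ls", "root"),
                                     ("jane", [], "/etc/init.d/nginx", "root"),
                                     ("alice", [], "/usr/bin/apt-get update", "root"),
                                     ("jeff", [], "/usr/bin/su", "root"),
                                     ("bob", ["admin"], "/usr/bin/id", "www-data")]:
        print(user, cmd, "as", runas, "->", may_run(rules, user, groups, cmd, runas))
```

The runas check is what makes the %admin example informative: a member of admin may run anything as www-data but nothing as root, and the (False, False) verdict for jeff on /usr/bin/su shows the exclusion overriding ALL.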

Notes

  • When editing the sudoers file, always use the visudo command to ensure syntax correctness and prevent configuration errors.

  • The sudoers file syntax is powerful and allows for very granular control over permissions. Always review and test rules carefully to ensure they meet your security requirements.
