# Linux sudo command explained

Any commands that require root privileges, which are the commands that generally make changes to the system are going to need access to the `root` or `sudo`. **Sudo** can be used in place of **root,** which allows particular users to run various commands as the root user, without needing the root password. One of the benefits of using `sudo` is that it allows you to forego the root account completely. Once the `sudo` is set up, the root account can be locked because technically it is not needed anymore.

1. `sudo` package is not always installed on every instance, but for example Ubuntu always has that installed as part of the defaults. To prove `sudo` is installed, run the command:
    
    ```bash
    which sudo
    ```
    
    ![](https://i.imgur.com/PAie0KK.png align="left")
    
    <div data-node-type="callout">
    <div data-node-type="callout-emoji">💡</div>
    <div data-node-type="callout-text">If Ubuntu is installed manually, then the root account is locked by default.</div>
    </div>
    
2. Find out what is a sudo group on your distribution. Usually, the group will be named either `sudo` or `wheel`. Look at the */etc/sudoers* file:
    
    ```bash
    sudo cat /etc/sudoers
    ```
    
    On Ubuntu 20.04, the group name is "sudo"
    
    ![](https://i.imgur.com/iw0idcV.png align="center")
    
3. To find out which groups the currently logged-in user belongs to, run the command:
    
    ```bash
    groups username
    ```
    
4. If your user is not a member of the sudo group to access the sudo, run the command:
    
    ```bash
    sudo usermod -aG sudo username
    ```
    
5. To list the `sudo` privileges for the invoking user and to tell what commands the current user is allowed to run under `sudo`, and with what privileges, run:
    
    ```bash
    sudo -l
    ```
    
    ![](https://i.imgur.com/wyYbICy.png align="center")
    
    <div data-node-type="callout">
    <div data-node-type="callout-emoji">💡</div>
    <div data-node-type="callout-text">It's common for Vagrant boxes (the package format for Vagrant environments) to come pre-configured with the <code>vagrant</code> user having passwordless sudo access. This is intended to make development and testing easier, as it removes the need to constantly enter passwords when configuring the VM.</div>
    </div>
    
6. To safely edit the `sudoers` file, use the command:
    
    ```bash
    sudo visudo
    ```
    
    This command opens the file in the system's *default editor*, set by the `EDITOR` environment variable. After editing, when you exit `visudo`, it automatically checks the syntax. If there are no errors, the changes are saved; if there are errors, it gives you the option to fix them or abandon your changes.
    
7. To restrict the user to be able to do one specific thing, open the `sudoers` file and edit the line for specific users changing from ALL to a specific command:
    
    ![](https://i.imgur.com/LB3jBk8.png align="center")
    
    The full path to the command can be found with the command `which`
    
8. When `visudo` detects a syntax error upon attempting to save and exit the `sudoers` file, it typically presents a prompt asking what you want to do next.
    
    ![](https://i.imgur.com/caUO2vS.png align="center")
    
    There are 3 possible options:
    
    * **e**: to **edit** the sudoers file again and fix the error.
        
    * **x**: to **exit** without saving the changes (on some systems, this might be a different letter or option).
        
    * **q**: to **quit** and save changes despite the error, which is not recommended because it can leave your system in an unusable state as far as `sudo` is concerned.
        

# The syntax format of sudoers file

The syntax format used in the `sudoers` file is quite flexible and allows for specifying a wide range of permissions for different users and groups. Here's a breakdown of the general syntax and some examples to illustrate how permissions can be defined:

### General Syntax

The general syntax for a rule in the `sudoers` file is:

```bash
User_Alias HOST_Alias = (Runas_Alias:Runas_Group) COMMAND_Alias
```

* `User_Alias`: Specifies one or more users or a group of users. Aliases are defined elsewhere in the `sudoers` file.
    
* `HOST_Alias`: Specifies one or more hosts. Like user aliases, host aliases are defined elsewhere in the `sudoers` file.
    
* `(Runas_Alias:Runas_Group)`: Specifies the user and/or group as whom the commands can be run. The user and group can be specified directly or through aliases.
    
* `COMMAND_Alias`: Specifies one or more commands that can be executed. Command aliases are defined elsewhere in the `sudoers` file.
    

### Examples

1. **Specific User on Any Host for Specific Commands**:
    
    ```bash
    john ALL=(ALL) /bin/ls, /usr/bin/grep
    ```
    
    This allows the user `john` to run `/bin/ls` and `/usr/bin/grep` as any user on any host.
    
2. **Group of Users for Any Command as Specific User**:
    
    ```bash
    %admin ALL=(www-data) ALL
    ```
    
    This rule allows any user in the `admin` group to run any command as the `www-data` user on any host.
    
3. **Alias Example**:
    
    * Define Aliases:
        
        ```bash
        User_Alias ADMINS = john, jane
        Cmnd_Alias WEB_SERVICES = /etc/init.d/apache2, /etc/init.d/nginx
        ```
        
    * Use Aliases in Rule:
        
        ```bash
        ADMINS ALL=(ALL) WEB_SERVICES
        ```
        
    
    This setup allows users `john` and `jane` to run commands to start or stop `apache2` and `nginx` services as any user on any host.
    
4. **Command with No Password**:
    
    ```bash
    alice ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
    ```
    
    This rule allows the user `alice` to run the command `/usr/bin/apt-get update` as any user without being prompted for a password.
    
5. **Denying Commands**:
    
    ```bash
    jeff ALL=(ALL) ALL, !/usr/bin/su
    ```
    
    This allows `jeff` to run any command except `/usr/bin/su` as any user on any host.
    

### Notes

* When editing the `sudoers` file, always use the `visudo` command to ensure syntax correctness and prevent configuration errors.
    
* The `sudoers` file syntax is powerful and allows for very granular control over permissions. Always review and test rules carefully to ensure they meet your security requirements.
    

## References

1. [sudo command](https://www.youtube.com/watch?v=07JOqKOBRnU&t=206s)
    
2. [How To Edit the Sudoers File](https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file)
