What is the sudo command in Linux?

I have seen people using the sudo command in Linux but I don’t understand why. What is the sudo command used for?

In every Linux system, there is a user called ‘root’ also known as the administrator or superuser. This user has the highest level of control over the operating system. The term ‘root’ originates from the user’s ability to modify the root directory of a Linux (or Unix-like) system.

Managing root access is crucial for system security and the sudo command plays an important role in this process.

Why Restricting Linux Root Access Is Important

Imagine a Linux server providing hosting services to multiple users. Without restrictions, any user could potentially delete critical files or shut down the server.

This is where user permissions and limitations between the root user and non-root users come into play, forming the backbone of Linux’s security as a multi-user system.

Elevating User Privileges with the Linux Sudo Command

There are instances where a standard user might require temporary administrative powers. For example, installing specific software packages, such as RPMs, usually requires root access. Here’s where sudo becomes useful.

The acronym sudo stands for superuser do. The Linux sudo command allows specific commands to be executed with root privileges by non-root users without changing their identity and without specifying the root password. In Linux jargon, these privileges acquired using the sudo command are called elevated privileges.

Configuring Sudo: The /etc/sudoers File

To configure sudo, the primary file used is /etc/sudoers, editable only with root privileges using the visudo command. Understanding the syntax and rules in this file is key to customizing sudo’s behavior.

As root, run the visudo command, which opens the /etc/sudoers configuration file for editing:

[root@ip-172-1-2-3 ~]$ visudo

If you scroll down in the sudoers file, at some point you will see the following line:

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

As the comment explains, this line allows the root user to run any command. We will ignore the “anywhere” part in this tutorial and focus on your local Linux system.

Here is another example that allows any user in the admin group on any host to run any command as any user without providing a password.

%admin ALL=(ALL) NOPASSWD: ALL

Let’s take a step backward and look at the syntax used in the sudoers file to give access to a specific user to run a command as root:

User    Host=(Runas)   Commands

This syntax means that User can run Commands as the user Runas on Host.

We will ignore the Host part and look at the rest of the line:

  • User: in our example, we will use the codefathertech user.
  • Runas: this part is optional; if omitted, the user is only permitted to run the commands as root. If you want to allow the user to run the commands as the user myuser and the group mygroup, this value becomes (myuser:mygroup).
  • Commands: a comma-separated list of commands, where each command is the full path to an executable. We will use one command in this example.

Don’t worry if this feels quite abstract so far, we will go through an example in the next section.

Practical Example of Sudo: Enhancing User Capabilities

Let’s consider a practical scenario:

Allowing a user named 'codefathertech' to view the content of the /var/log/messages file without entering a password.

This file, which logs system messages, is typically inaccessible to standard users. I will walk you through the steps to modify the sudoers file and test the new rule.

Before adding a new sudo rule, create the new Linux user called ‘codefathertech’ using the useradd command:

[root@ip-172-1-2-3]$ useradd codefathertech

We will add a sudo rule that allows the ‘codefathertech’ user to run the following command as root without a password:

/bin/cat /var/log/messages

Before continuing, switch from the root user to the ‘codefathertech’ user. To switch user in Linux, you can use the su (switch user or substitute user) command followed by the username.

Here’s how you do it:

[root@ip-172-1-2-3]$ su - codefathertech

You will notice that the command line prompt changes to show that you are now the ‘codefathertech’ user.

[codefathertech@ip-172-1-2-3 ~]$

Then verify that the ‘codefathertech’ user cannot execute this specific cat command using sudo:

[codefathertech@ip-172-1-2-3 ~]$ sudo /bin/cat /var/log/messages
 
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things: 

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for codefathertech:

Note: We have specified the full path of the cat command because commands in the sudoers file have to be specified with their full path.

The sudo command prompts for a password, which confirms that at the moment the ‘codefathertech’ user cannot execute this cat command using sudo.

Now, as root, use visudo to add the following line to the /etc/sudoers file:

codefathertech ALL=(ALL) NOPASSWD: /bin/cat /var/log/messages

Then run the previous command again:

[codefathertech@ip-172-1-2-3 ~]$ sudo /bin/cat /var/log/messages
Apr  5 03:42:01 ip-172-1-2-3 rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.amzn2.2.1" x-pid="3197" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Apr  5 03:42:01 ip-172-1-2-3 systemd: Removed slice User Slice of root.
Apr  5 03:42:01 ip-172-1-2-3 systemd: Stopping User Slice of root.
Apr  5 03:43:30 ip-172-1-2-3 dhclient[3019]: XMT: Solicit on eth0, interval 116050ms.
Apr  5 03:45:26 ip-172-1-2-3 dhclient[3019]: XMT: Solicit on eth0, interval 112820ms.
Apr  5 03:47:19 ip-172-1-2-3 dhclient[3019]: XMT: Solicit on eth0, interval 123120ms.
.....
...
..

This time the cat command executed using sudo works fine!

You have executed a Linux command with elevated privileges using a sudo rule.

Explaining the Syntax of the Sudo Rule

Let’s go through a detailed explanation of the sudo rule we have configured in the previous section:

codefathertech ALL=(ALL) NOPASSWD: /bin/cat /var/log/messages

Below is the generic syntax of a sudo rule I described previously; it helps to have it next to the sudo rule you have created:

User    Host=(Runas)   Commands

  • User: codefathertech: This is the username to whom the sudo rule applies. This rule specifies what commands ‘codefathertech’ can execute using sudo.
  • Host: ALL: This field specifies the hostnames on which this rule is applicable. ‘ALL’ indicates that the rule applies to any host. This is useful in environments where the same sudoers configuration is distributed across multiple machines.
  • Runas: (ALL): This part defines the users or groups that ‘codefathertech’ can impersonate when executing the command. ‘ALL’ in parentheses means ‘codefathertech’ can run the specified command as any user (including root) or any group.
  • NOPASSWD: This tag specifies that when ‘codefathertech’ uses sudo to run the specified command, they will not be prompted to enter their password. This can be important for scripts that need to execute commands without interactive input but should be used cautiously due to security implications.
  • Command: /bin/cat /var/log/messages: This is the command that the ‘codefathertech’ user is allowed to execute without a password. It’s a specific command, including the full path to the executable (in this case, /bin/cat), which is a standard command for reading the contents of files.

In summary, this sudo rule allows the user ‘codefathertech’ to execute the command cat /var/log/messages on any machine using this sudoers configuration, as any user, without needing to enter a password.

Sudo Rules without Full Path in the Command

An interesting experiment is to see what happens if the full path of a command is not specified in the sudoers file.

Let’s see what happens if you don’t specify the full path of the cat executable in the rule you added to the sudoers file.

Modify the line in the way you see below, by removing /bin/ before the cat command.

codefathertech ALL=(ALL) NOPASSWD: cat /var/log/messages

When you save the sudoers file, visudo reports a syntax error and asks what to do next:

[ec2-user@ip-172-1-2-3 ~]$ sudo visudo
>>> /etc/sudoers: syntax error near line 118 <<<
What now? ^[
Options are:
  (e)dit sudoers file again
  e(x)it without saving changes to sudoers file
  (Q)uit and save changes to sudoers file (DANGER!)

What now? e

This proves that the full path for a command needs to be specified in a sudo rule.
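As an added example (my own code, not part of this tutorial), here is a small Python audit script that parses sudoers user specifications like the ones above into User, Host, Runas, tags and commands, and flags the two things this tutorial discusses: a command given without its full path (the rule visudo rejects) and NOPASSWD combined with ALL. It handles only simple single-line rules like the ones shown here (no aliases, line continuations or Defaults entries), and the sample rules are constructed from the tutorial's own lines.

```python
import re

# Constructed sample: the rules shown in the tutorial plus the broken rule
# (relative "cat") that visudo rejects with "syntax error".
SAMPLE_SUDOERS = """\
root    ALL=(ALL)       ALL
%admin ALL=(ALL) NOPASSWD: ALL
codefathertech ALL=(ALL) NOPASSWD: /bin/cat /var/log/messages
codefathertech ALL=(ALL) NOPASSWD: cat /var/log/messages
"""

# User  Host=(Runas)  [TAG:] Commands   (Runas is optional and defaults to root)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")

def parse_rule(line):
    """Split one user-specification line into its fields; None for comments and blank lines."""
    line = line.strip()
    m = None if not line or line.startswith("#") else RULE_RE.match(line)
    if m is None:
        return None
    runas = m.group("runas") or "root"            # omitted (Runas) means root only
    runas_user, _, runas_group = runas.partition(":")
    rest, tags = m.group("rest"), []
    while (t := TAG_RE.match(rest)):              # peel off NOPASSWD:, NOEXEC:, ...
        tags.append(t.group(1))
        rest = rest[t.end():]
    return {"user": m.group("user"), "host": m.group("host"),
            "runas_user": runas_user, "runas_group": runas_group or None,
            "tags": tags, "commands": [c.strip() for c in rest.split(",")]}

def audit_rule(rule):
    """Findings a reviewer would raise for one parsed rule (empty list = nothing to flag)."""
    findings = []
    for cmd in rule["commands"]:
        path = cmd.lstrip("!").split()[0]         # "!" negates a command; drop it for the path check
        if path not in ("ALL", "sudoedit") and not path.startswith("/"):
            findings.append(f"syntax error: command {path!r} is not a full path")
    if "NOPASSWD" in rule["tags"] and "ALL" in rule["commands"]:
        findings.append(f"{rule['user']} gets passwordless root for any command")
    return findings

def audit_sudoers(text):
    """Map each rule line of a sudoers fragment to its findings, skipping comments."""
    report = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            report[line.strip()] = audit_rule(rule)
    return report
```

Running `audit_sudoers(SAMPLE_SUDOERS)` returns no findings for the root rule and the full-path codefathertech rule, while the %admin rule and the relative-path rule are each flagged.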

Conclusion

This tutorial explained key aspects of the sudo command, including its purpose, configuration, and practical application. We have covered the following concepts:

  • What is the sudo command in Linux?
  • How to configure the behavior of the sudo command with the /etc/sudoers file and sudo rules.
  • How to use the visudo command to edit the sudoers file in the Linux command line.
  • Adding a sudo rule to allow a Linux user to read the /var/log/messages file.
  • How to use the sudo command after configuring a sudo rule.

With these insights, you should now understand sudo’s role in Linux and how to use it to improve the security of the Linux systems you manage.

Related article: complement what you learned here by discovering the difference between the sudo and su commands in Linux.
