
Sudo Command in Linux: A Tutorial to Learn How it Works

I remember the first time I saw the sudo command in Linux, many years ago.

It didn’t click with me immediately, and maybe it hasn’t clicked for you yet either…

…anyway, I’m writing this article to explain to you in a simple way what the sudo command is.

In every Linux system there is a user called root.

The root user, also known as the administrator or superuser, is basically the user with the most power in the operating system.

But why is it called root?

According to Wikipedia, the name root might come from the fact that root is the only user who can modify the root directory of a Linux (or Unix-like) system.

So, in a Linux system you can have standard users and the root user…

…and you might guess why you don’t want a standard user to have the power that root has.

Any user should have a limited set of permissions that allows the user to operate on the system within certain limits.

This is at the foundation of what makes a multi-user system like Linux secure.

Imagine if…

…you have a Linux server and you provide hosting on it to multiple users. What would happen if every single user had permission to delete any file and shut down your server?

Not a good idea!

But the world is not black and white, and sometimes a standard user might need a little boost in their power 😀

Let’s say, for example, you have a user that needs to be able to install a very specific RPM.

And installing RPMs on a Linux system is something that only the root user can do.

How can you handle that?

That’s where the sudo command becomes useful: it allows a user to run specific commands with root privileges without needing the root password.

How Can You Configure Sudo on Linux?

First of all, sudo is configured through the file /etc/sudoers, which can be viewed and edited with root privileges using the visudo command.

As root run the following command:

[root@ip-172-1-2-3 ~]$ visudo

And you will see the content of the configuration file:

(Screenshot: an example of the sudoers file)

This is just a fragment of the file. If you scroll down in the sudoers file, at some point you will see the following line:

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

As the comment explains, this line allows the root user to run any commands (we will ignore the “anywhere” part in this tutorial).

And here is another example:

%admin ALL=(ALL) NOPASSWD: ALL

That allows any user in the admin group on any host to run any command as any user without providing a password.

Let’s take a step back and look at the syntax used in the sudoers file to give a specific user access to run a command as root:

User    Host = (Runas)   Commands

It basically means that User can run Commands as the user Runas on Host.

We will ignore the Host part and look at the rest of the line:

  • User: in our example we will use the codefather user.
  • Runas: it’s optional and if omitted the user will only be permitted to run the commands as root. If you want to allow the user to run the commands as user myuser and group mygroup this value becomes (myuser:mygroup). We will omit it in this example.
  • Commands: a comma-separated list of commands, where each command is the full path to an executable. We will only use one command in this example.

Sudo In Practice

Before adding a new sudo rule I create the user codefather using the useradd command:

[root@ip-172-1-2-3]$ useradd codefather


We will add a sudo rule that allows the codefather user to run the following command as root without password:

/bin/cat /var/log/messages

The /var/log/messages file logs system messages, including the ones generated during the startup of the operating system, which is why standard users don’t have access to it.

First of all let’s confirm that the codefather user cannot execute this specific cat command using sudo:

[codefather@ip-172-1-2-3 ~]$ sudo /bin/cat /var/log/messages
 
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things: 

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for codefather:

Note: I have specified the full path of the cat command because, as mentioned before, commands in the sudoers file have to be specified with their full path.

The sudo command is prompting for a password, which confirms that at the moment the codefather user cannot execute this cat command using sudo without authenticating.

Now we add the following line to the /etc/sudoers file:

codefather ALL=(ALL) NOPASSWD: /bin/cat /var/log/messages

And run the command again:

[codefather@ip-172-1-2-3 ~]$ sudo /bin/cat /var/log/messages
Apr  5 03:42:01 ip-172-1-2-3 rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.amzn2.2.1" x-pid="3197" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Apr  5 03:42:01 ip-172-1-2-3 systemd: Removed slice User Slice of root.
Apr  5 03:42:01 ip-172-1-2-3 systemd: Stopping User Slice of root.
Apr  5 03:43:30 ip-172-1-2-3 dhclient[3019]: XMT: Solicit on eth0, interval 116050ms.
Apr  5 03:45:26 ip-172-1-2-3 dhclient[3019]: XMT: Solicit on eth0, interval 112820ms.
Apr  5 03:47:19 ip-172-1-2-3 dhclient[3019]: XMT: Solicit on eth0, interval 123120ms.
.....
...
..

Bingo!! It works! 😀

One last thing…

I was curious to see what would happen if I didn’t specify the full path of the cat executable in the rule added to the sudoers file.

Let’s try it… I modify the line as shown below (removing /bin/ from the cat command):

codefather ALL=(ALL) NOPASSWD: cat /var/log/messages

and after saving the sudoers file I see the following:

[ec2-user@ip-172-1-2-3 ~]$ sudo visudo
>>> /etc/sudoers: syntax error near line 118 <<<
What now? ^[
Options are:
  (e)dit sudoers file again
  e(x)it without saving changes to sudoers file
  (Q)uit and save changes to sudoers file (DANGER!)

What now? e

It definitely didn’t work… this confirms that the full path of a command needs to be specified in the sudo rule.
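To make the rule syntax from the "User Host = (Runas) Commands" section and the full-path requirement just demonstrated concrete, here is a small Python parser and checker for sudoers user-specification lines. This is an added example, not code from the original article or from the sudo project: it handles only the simple rule shape discussed in this tutorial (user or %group, host, optional Runas, optional NOPASSWD:/PASSWD: tag, comma-separated commands) and the audit findings it reports are my own choice of checks; aliases, Defaults lines, wildcards and other tags are out of scope.

```python
"""Minimal parser and checker for user-specification lines in /etc/sudoers.

Added example (not the sudo project's own parser). Supported shape only:

    User  Host = (Runas[:Group])  [NOPASSWD:|PASSWD:]  Command[, Command...]

Aliases, Defaults, #include directives and other tags are not handled.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

RULE_RE = re.compile(
    r"^(?P<user>%?[\w.\-]+)\s+"       # user name, or %group
    r"(?P<host>[\w.\-]+)\s*=\s*"      # host (ALL in the tutorial)
    r"(?:\((?P<runas>[^)]*)\))?\s*"   # optional (runas_user[:runas_group])
    r"(?P<cmds>.+)$"                  # command list, possibly tagged
)


class SudoersSyntaxError(ValueError):
    """Raised for lines visudo would also reject, e.g. a non-absolute command."""


@dataclass
class Rule:
    user: str
    host: str
    runas_user: str
    runas_group: Optional[str]
    nopasswd: bool
    commands: List[str] = field(default_factory=list)


def parse_rule(line: str) -> Rule:
    """Parse one user-specification line into a Rule."""
    text = line.split("#", 1)[0].strip()          # drop trailing comments
    m = RULE_RE.match(text)
    if not m:
        raise SudoersSyntaxError(f"not a user specification: {line!r}")

    runas = m.group("runas")
    if runas is None:
        # An omitted Runas means the commands may only be run as root.
        runas_user, runas_group = "root", None
    else:
        parts = runas.split(":", 1)
        runas_user = parts[0].strip() or "root"
        runas_group = parts[1].strip() if len(parts) == 2 else None

    nopasswd = False
    commands: List[str] = []
    for item in m.group("cmds").split(","):
        item = item.strip()
        # A tag applies to the command it precedes and to the ones after it.
        if item.startswith("NOPASSWD:"):
            nopasswd = True
            item = item[len("NOPASSWD:"):].strip()
        elif item.startswith("PASSWD:"):
            nopasswd = False
            item = item[len("PASSWD:"):].strip()
        if not item:
            raise SudoersSyntaxError(f"empty command in {line!r}")
        exe = item.split()[0]
        # This is the rule the article hit: "cat" without "/bin/" is a syntax error.
        if exe != "ALL" and not exe.startswith("/"):
            raise SudoersSyntaxError(
                f"command {exe!r} must be given as a full path (visudo reports a syntax error)")
        commands.append(item)

    return Rule(m.group("user"), m.group("host"), runas_user, runas_group, nopasswd, commands)


def audit(rule: Rule) -> List[str]:
    """Return findings about how broad a rule is (empty list = tightly scoped)."""
    findings = []
    if "ALL" in rule.commands:
        findings.append(f"{rule.user}: may run ALL commands, i.e. unrestricted root")
        if rule.nopasswd:
            findings.append(f"{rule.user}: NOPASSWD on ALL also removes the password check")
    for cmd in rule.commands:
        # "/bin/cat" alone accepts any arguments; "/bin/cat /var/log/messages" pins them.
        if cmd != "ALL" and len(cmd.split()) == 1:
            findings.append(f"{rule.user}: {cmd} has no arguments pinned, so any arguments are accepted")
    return findings


if __name__ == "__main__":
    # Constructed sample lines taken from the rules shown in this tutorial.
    for line in [
        "root    ALL=(ALL)       ALL",
        "%admin ALL=(ALL) NOPASSWD: ALL",
        "codefather ALL=(ALL) NOPASSWD: /bin/cat /var/log/messages",
        "codefather ALL=(ALL) NOPASSWD: cat /var/log/messages",
    ]:
        try:
            rule = parse_rule(line)
            print(rule, audit(rule) or "no findings")
        except SudoersSyntaxError as err:
            print("REJECTED:", err)
```

The checker mirrors what the tutorial found by hand: the rule with the full path parses and reports no findings, while the same rule with a bare "cat" is rejected before it could ever reach the sudoers file. On a real system the authoritative check is still visudo, so run this kind of validation before the edit, not instead of it.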

Conclusion

So, we have covered a few concepts in this tutorial:

  • What is the sudo command.
  • How to configure its behaviour through the /etc/sudoers file.
  • Using the visudo command to edit the sudoers file.
  • Adding a new sudo rule to allow the codefather user to read the /var/log/messages file.

Makes sense?

Is it now clear what the sudo command is and what it does?
