I remember the first time I saw the sudo command in Linux, many years ago.
It didn’t click with me immediately, not sure if it’s the same for you right now…
…anyway, I’m writing this article to explain you in a simple way what the sudo command is.
In every Linux system there is a user called root.
The root user is also known as administrator or superuser, it’s basically the user with the most powers in the operating system.
But, why it’s called root?!?
According to Wikipedia the name root might be due to the fact that root is the only user who can modify the root directory of a Linux (or Unix-like) system.
So, in a Linux system you can have standard users and the root user…
…and you might guess why you don’t want a standard user to have the power that root has.
Any user should have a limited set of permissions that allows the user to operate on the system within certain limits.
This is at the foundation of what makes a multi-user system like Linux secure.
Imagine if…
…you have a Linux server and you provide hosting on it to multiple users. What would happen if every single user had the permission to delete any files and shutdown your server?
Not a good idea!
But the world is not black and white and sometimes a standard users might need a little boost in their power 😀
Let’s say, for example, you have a user that needs to be able to install a very specific RPM.
And installing RPMs on a Linux system it’s something that only the root user can do.
How can you handle that?
That’s were the sudo command becomes useful because it allows to run specific commands with root privileges without needing the root password.
How Can You Configure Sudo on Linux?
First of all, the file used to configure sudo is /etc/sudoers and it can be viewed and edited with root privileges using the visudo command.
As root run the following command:
[root@ip-172-1-2-3 ~]$ visudoAnd you will see the content of the configuration file:
This is just a fragment of the file, if you scroll down in the sudoers file, at some point you will see the following line:
## Allow root to run any commands anywhere
root ALL=(ALL) ALLAs the comment explains, this line allows the root user to run any commands (we will ignore the “anywhere” part in this tutorial).
And here is another example:
%admin ALL=(ALL) NOPASSWD: ALLThat allows any user in the admin group on any host to run any command as any user without providing a password.
Let’s do a step backwards and look at the syntax used in the sudoers file to give access to a specific user to run a command as root:
User Host = (Runas) CommandsIt basically means that User can run Commands as the user Runas on Host.
We will ignore the Host part and look at the rest of the line:
- User: in our example we will use the codefather user.
- Runas: it’s optional and if omitted the user will only be permitted to run the commands as root. If you want to allow the user to run the commands as user myuser and group mygroup this value becomes (myuser:mygroup). We will omit it in this example.
- Commands: a comma-separated list of commands, where each command is the full path to an executable. We will only use one command in this example.
Sudo In Practice
Before adding a new sudo rule I create the user codefather using the useradd command:
[root@ip-172-1-2-3]$ useradd codefatherHere you can learn more about adding a user to a group.
We will add a sudo rule that allows the codefather user to run the following command as root without password:
/bin/cat /var/log/messagesThe /var/log/messages file logs system messages, including the ones generated during the startup of the operating system, that’s why standard users don’t have access to it.
First of all let’s confirm that the codefather user cannot execute this specific cat command using sudo:
[codefather@ip-172-1-2-3 ~]$ sudo /bin/cat /var/log/messages
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for codefather:Note: I have specified the full path of the cat command because as mentioned before, commands in the sudoers file have to be specified with their full path.
The sudo command is prompting for a password, this confirms that at the moment the codefather user cannot execute this cat command using sudo.
Now we add the following line to the /etc/sudoers file:
codefather ALL=(ALL) NOPASSWD: /bin/cat /var/log/messagesAnd run the command again:
[codefather@ip-172-1-2-3 ~]$ sudo /bin/cat /var/log/messages
Apr 5 03:42:01 ip-172-1-2-3 rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.amzn2.2.1" x-pid="3197" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Apr 5 03:42:01 ip-172-1-2-3 systemd: Removed slice User Slice of root.
Apr 5 03:42:01 ip-172-1-2-3 systemd: Stopping User Slice of root.
Apr 5 03:43:30 ip-172-1-2-3 dhclient[3019]: XMT: Solicit on eth0, interval 116050ms.
Apr 5 03:45:26 ip-172-1-2-3 dhclient[3019]: XMT: Solicit on eth0, interval 112820ms.
Apr 5 03:47:19 ip-172-1-2-3 dhclient[3019]: XMT: Solicit on eth0, interval 123120ms.
.....
...
..Bingo!! It works! 😀
One last thing…
I was curious to see what would happen if I didn’t specify the full path of the cat executable in the rule added to the sudoers file.
Let’s try it…I modify the line in the way you can see below (removing /bin/ from the cat command):
codefather ALL=(ALL) NOPASSWD: cat /var/log/messagesand after saving the sudoers file I see the following:
[ec2-user@ip-172-1-2-3 ~]$ sudo visudo
>>> /etc/sudoers: syntax error near line 118 <<<
What now? ^[
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)
What now? eIt definitely didn’t work…it proves the fact that the full path for a command needs to be specified in the sudo rule.
Conclusion
So, we have covered few concepts in this tutorial:
- What is the sudo command.
- How to configure its behaviour through the
/etc/sudoersfile. - Using the
visudocommand to edit the sudoers file. - Adding a new sudo rule to allow the codefather user to read the
/var/log/messagesfile.
Makes sense?
Is it now clear what the sudo command is and what it does?
I’m a Software Engineer and Programming Coach. I want to help you in your journey to become a Super Developer!
One comment